Privacy Policy for DOCA (Agent Reporting Layer)
1. Data collection
We collect information necessary to provide reporting and document-generation services:
- Account data: Email and billing details when you subscribe to a paid plan (processed by payment providers such as Stripe).
- Input data: Text prompts and files (e.g. CSV, XLSX, PDF, Office documents) sent by you or your agents via the API or web UI.
- Branding data: URLs and assets retrieved when you use browser or brand-related tools, as permitted by your configuration.
- Technical data: Request metadata needed to operate the service (e.g. timestamps, correlation IDs for support and security).
2. How we use your data
- To generate, style, validate, and deliver your requested outputs.
- To operate phased progress (e.g. SSE), retries, and quality checks.
- To improve reliability using non-sensitive operational logs (we do not use your confidential business content to train our core models unless you separately opt in to a program that explicitly allows it).
Default position: We do not use your uploaded business data to train public foundation models unless we tell you otherwise in writing for a specific product feature.
3. Data retention
Retention depends on your plan and deployment settings (examples for a typical SaaS rollout):
- Free tier: Uploads and generated files may be deleted after a short window (e.g. 24 hours) unless configured otherwise.
- Paid tiers: Longer retention for convenience (e.g. 30 days) or persistent storage until you delete content, per plan.
Self-hosted or enterprise deployments may follow different retention rules defined in your contract.
4. Security
We use industry-standard protections in transit and at rest where applicable. Sensitive execution paths may run in sandboxed environments (e.g. isolated processes) to reduce risk when executing generated code or tooling.
5. Third-party sub-processors
To generate content, data may be sent to LLM or infrastructure providers (e.g. OpenAI, Google Gemini, or other APIs you configure). You are responsible for choosing providers and regions that meet your compliance needs. We recommend reviewing each provider’s data processing terms.
6. Your rights
Depending on your jurisdiction, you may have rights to access, correct, export, or delete personal data. Contact us using the channel published on your deployment or invoice.
7. Contact
For privacy questions, contact the operator of your DOCA deployment. This document is a template; adapt retention, sub-processors, and contact details before production use.