DocGen ("DocGen", "we", "us") respects your privacy. This Policy explains what personal data we collect, why we collect it, and your rights under the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Information Technology Act, 2000.
1. Data Controller
The "Data Fiduciary" (as defined under the DPDP Act) for your personal data is DocGen, contactable at docgensupport@gmail.com.
2. Personal Data We Collect
- Account data — name, email address, mobile number (used for account recovery today, and for OTP login in a future release), bcrypt-hashed password, the date you accepted these terms and the version accepted.
- Subscription data — trial end date, subscription active-until date, Razorpay order and payment identifiers (not card data).
- Technical data — request logs containing IP address, user-agent and timestamps, kept for security and abuse-prevention purposes.
- Document drafts — the field values you fill into our forms. These are stored on your device only, in browser local storage under the key docuwriter:draft:v1. They are not transmitted to our servers in the current version of the product.
3. How We Use Your Data
- to create and secure your account and authenticate you;
- to manage your free trial and subscription status;
- to process payments through Razorpay and reconcile orders;
- to provide customer support and respond to your requests;
- to detect, prevent and respond to fraud, abuse and security incidents;
- to comply with applicable legal and tax obligations.
4. Legal Basis for Processing
We process your personal data on the basis of your consent (which you give by creating an account and accepting these terms), to perform our contract with you (running the service and processing payment), and for our legitimate interests in keeping the service secure and preventing abuse.
5. Sharing with Third Parties
We share personal data only with the following categories of recipients:
- Razorpay Software Pvt. Ltd. — to process payments. Razorpay handles the card / UPI data directly and is an independent controller for that data. See razorpay.com/privacy.
- Hosting and infrastructure providers (database hosting via Supabase; origin server via a reputable cloud provider) — acting as processors under written agreements.
- Regulators, courts and law-enforcement — where we are legally required to disclose information.
We do not sell your personal data, and we do not use it for third-party advertising or profiling.
6. Data Retention
- Account data is kept while your account is active, and up to 180 days after deletion for security and legal-compliance purposes.
- Transaction records are retained for at least 8 years from the end of the financial year, as required by Indian tax and accounting law.
- Technical logs are kept for up to 90 days.
7. Security
- Passwords are stored hashed with bcrypt; plaintext passwords are never written to disk or logs.
- Refresh tokens are hashed before storage and rotated on each use.
- API traffic is encrypted in transit over HTTPS.
- Access to production systems is limited to authorised personnel.
No online service is 100% secure; we promptly investigate and notify you of any incident as required by the DPDP Act.
8. Cookies & Local Storage
We do not use tracking cookies. The service uses browser local storage for:
- docuwriter:tokens:v1 — access and refresh tokens so you stay signed in;
- docuwriter:draft:v1 — your current form draft, saved on your own device.
You can clear both at any time via your browser's site-data controls or by signing out.
9. Your Rights under the DPDP Act
Subject to applicable law, you have the right to:
- access the personal data we hold about you;
- correct or update inaccurate or incomplete data;
- erase your personal data (subject to lawful retention obligations);
- nominate another person to exercise your rights in the event of death or incapacity;
- withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
To exercise any right, write to docgensupport@gmail.com. We will respond within the timelines prescribed by the DPDP Act.
10. Minors
DocGen is not intended for persons under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us and we will delete it.
11. Data Transfers
Our primary servers and databases are hosted in Asia-Pacific (India / Singapore / Tokyo) regions of reputable cloud providers. We do not transfer your personal data to any country in respect of which such transfer is restricted by notification of the Central Government under the DPDP Act.
12. Grievance Officer
In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, any grievance or complaint regarding the processing of your personal data can be addressed to our Grievance Officer at docgensupport@gmail.com. We aim to acknowledge within 48 hours and resolve within 15 days.
13. Changes to this Policy
We may update this Policy from time to time. Material changes will be notified in-product or by email before they take effect. Your continued use of the service after the effective date constitutes acceptance of the revised Policy.
