DocuExprt Privacy Policy
Effective Date: February 1, 2026
Last Updated: March 24, 2026
Version: 1.5
1. Introduction
Splashgain Technology Solutions Pvt. Ltd. ("Splashgain", "we", "us", or "our") operates DocuExprt, an AI-powered document verification, extraction, and automation platform accessible at docuexprt.com ("Platform").
We are committed to protecting the privacy and security of data processed through our Platform. This Privacy Policy explains:
- What information we collect and why
- How we use, store, and protect that information
- The roles and responsibilities of all parties involved
- Your rights under applicable law
This Policy applies to all users of docuexprt.com, including enterprise clients, workspace users, API consumers, and visitors to our website.
Registered Office:
Splashgain Technology Solutions Pvt. Ltd.
Survey Number 101, 1, Office No. C2-501/502, Saudamini Complex,
Kothrud, Pune, Maharashtra 411038, India
Email: privacy@docuexprt.com
Website: https://docuexprt.com
2. Key Definitions
| Term | Meaning |
|---|---|
| Platform | The DocuExprt web application, APIs, and associated services at docuexprt.com |
| Client | An enterprise or organization that has subscribed to DocuExprt |
| End User | An employee or authorized user of a Client who accesses the Platform |
| Document Subject | An individual whose documents or identity data are processed through the Platform on behalf of a Client |
| Personal Data | Any information relating to an identified or identifiable natural person |
| Sensitive Personal Data | Personal data including financial information, health data, official identifiers (PAN, Aadhaar, Passport number), and biometric references |
| Processing | Any operation performed on Personal Data (collection, storage, use, disclosure, deletion) |
| Data Controller | The party that determines the purpose and means of processing Personal Data |
| Data Processor | The party that processes Personal Data on behalf of the Data Controller |
| Tokens | Pre-purchased processing credits used to consume DocuExprt verification and extraction services |
3. Data Processing Roles
DocuExprt operates under a dual-role model depending on the nature of the data:
3.1 DocuExprt as Data Controller
Splashgain acts as a Data Controller for:
- Account registration and management data of Client contacts and End Users
- Platform usage analytics and performance metrics
- Marketing communications (with consent)
- Customer support communications
3.2 DocuExprt as Data Processor
Splashgain acts as a Data Processor for:
- All documents uploaded by Clients for verification, extraction, or processing
- Identity data of Document Subjects processed on behalf of Clients (PAN, Aadhaar, Passport, GSTIN, etc.)
- Results and outputs generated from document processing workflows
In the Data Processor role: The Client is the Data Controller. Clients are responsible for ensuring they have obtained all necessary consents and legal bases for processing the personal data of their customers, employees, or other Document Subjects before submitting it to DocuExprt.
4. Information We Collect
4.1 Account and Organization Data (Data Controller)
When a Client creates an account, we collect:
- Organization name, industry, and size
- Billing contact name, designation, and email address
- Registered business address
- GSTIN or equivalent tax identifier (for invoicing)
- Login credentials (hashed passwords — we never store plaintext passwords)
- IP addresses and device information at login (for security)
4.2 Document and Identity Data (Data Processor)
When Clients use the Platform to process documents, the following may be submitted:
- Scanned or digital copies of identity documents (PAN card, Aadhaar card, passport, driving license, voter ID, etc.)
- Extracted data fields (name, date of birth, address, document numbers)
- Government verification query parameters (document numbers submitted to third-party licensed verification APIs)
- Financial documents (bank statements, invoices, certificates)
- Academic credentials, employment records, and corporate compliance documents
Critical Privacy Commitment: DocuExprt does not retain document images or extracted personal data after processing is complete. All document data and extracted fields are deleted from our servers immediately upon completion of the processing request. We do not store, archive, or index the personal data of Document Subjects.
4.3 Usage and Analytics Data (Data Controller)
We collect Platform usage data including:
- Workflow executions, template usage, and API call logs (without document content)
- Token consumption and billing activity
- Feature usage patterns (for product improvement)
- Error logs and system performance data
- Session duration and navigation within the Platform
4.4 Technical and Device Data
- IP address, browser type, operating system
- Cookie data (session cookies only — see Section 12)
- API authentication tokens and request metadata
4.5 Communications Data
- Support tickets, chat logs, and email correspondence with our team
- Feedback and survey responses (when voluntarily submitted)
5. Legal Bases for Processing
We process data under the following legal bases:
| Data Type | Legal Basis |
|---|---|
| Account registration data | Performance of contract (subscription agreement) |
| Document processing (as processor) | Instructions of the Client (Data Controller) |
| Usage analytics | Legitimate interest in improving platform performance |
| Security logs | Legitimate interest in fraud prevention and security |
| Marketing emails | Consent (opt-in); you may withdraw at any time |
| Invoicing and financial records | Legal obligation (Indian tax and accounting laws) |
For Sensitive Personal Data (identity documents, financial records), we process only under explicit Client authorization and on a strictly transactional basis — we do not store this data after processing.
6. How We Use Your Data
Account and Organization Data
- To provision, manage, and maintain your DocuExprt subscription
- To process invoices and token purchases
- To authenticate and secure Platform access
- To send transactional notifications (billing, token expiry alerts, service updates)
- To provide technical support
- To comply with legal obligations under Indian law
Document Data (Processed on Client Instructions)
- To execute document verification workflows as configured by the Client
- To extract structured data fields from submitted documents
- To query government verification APIs via licensed third-party providers
- To run fraud detection and anomaly analysis as requested
- To return results to the Client's workspace and configured outputs
We do not:
- Use document data or personal data of Document Subjects for any purpose beyond the Client's workflow instructions
- Train AI or machine learning models on Client document data or Document Subject personal data
- Share document data with any third party except licensed verification API providers required to complete the verification
- Sell, license, or monetize document data in any form
Usage Analytics Data
- To monitor Platform performance and uptime
- To identify and resolve technical issues
- To analyse feature adoption and improve product design
- To generate anonymized aggregate statistics
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Document images and extracted personal data | Deleted immediately after processing |
| Government API query results (verification outputs) | Returned to Client; deleted from our servers immediately |
| Account and organization data | Duration of active subscription + 3 years after termination (for legal and audit purposes) |
| Usage logs (without document content) | 12 months rolling |
| Security and access logs | 24 months |
| Billing and invoice records | 7 years (as required by Indian accounting and tax law) |
| Support correspondence | 3 years from last interaction |
| Marketing consent records | Until consent is withdrawn, plus 3 years |
Upon account termination, all Client workspace data (configurations, templates, workflow history) is deleted within 30 days of the termination date, unless a longer retention is required by law.
8. Subprocessors and Third-Party Services
DocuExprt uses trusted third-party subprocessors to deliver its services. By using DocuExprt, Clients consent to the use of these subprocessors.
8.1 Government Verification API Providers
DocuExprt integrates with licensed third-party API providers (Authentication User Agencies, AUAs, and sub-AUAs licensed by UIDAI and other government bodies) to perform real-time verification against government databases. These providers:
- Hold the required UIDAI / NeSL / NSDL licenses for Aadhaar and PAN verification
- Are contractually bound to process queries only for verification purposes
- Do not receive or retain document images — only structured query parameters (document numbers)
- Are compliant with applicable Indian data protection regulations
DocuExprt does not hold an independent AUA license; all government database verification is performed through these licensed intermediary providers.
8.2 Cloud Infrastructure
The Platform is hosted on cloud infrastructure. Client workspace data, workflow configurations, and account data are stored on servers located in India or within regions selected by the Client (where applicable). Available cloud regions include:
- Amazon Web Services (AWS)
- Microsoft Azure
- Google Cloud Platform (GCP)
8.3 Client-Configured Integrations
Clients may optionally connect their own cloud storage accounts (Amazon S3, Azure Blob, GCP, Digital Ocean, iDrive) for output delivery. In these cases, Splashgain acts as a conduit only — data in Client-owned storage is governed by the Client's own relationship with their cloud provider.
8.4 No Third-Party Advertising or Data Brokers
We do not share any data with advertising networks, data brokers, or social media platforms for marketing or profiling purposes.
9. International Data Transfers
DocuExprt is primarily designed for the Indian market. If Client data is processed or stored outside India, we ensure appropriate safeguards are in place:
- Standard contractual clauses with subprocessors
- Processing within jurisdictions that provide adequate data protection (as recognised by applicable Indian law or GDPR, as applicable)
- Client notification of the countries where their data may be processed
For Clients based in the European Union or European Economic Area, Splashgain commits to GDPR-equivalent data transfer safeguards including Standard Contractual Clauses (SCCs).
10. Data Security
We implement enterprise-grade technical and organizational security measures:
Technical Measures:
- AES-256 encryption for data at rest
- TLS 1.2/1.3 encryption for all data in transit
- API key authentication with rate limiting and IP allowlisting options
- Role-based access control with five permission levels
- Audit trails for all user actions within the Platform
- Automatic session timeout
- Multi-factor authentication (available for Enterprise plans)
Organizational Measures:
- Access to Client data is restricted to authorized engineering and support personnel only
- All staff with data access are bound by confidentiality obligations
- Security incident response procedures are maintained and tested regularly
- Regular security reviews and vulnerability assessments
No system is 100% secure. In the event of a data breach affecting your data, we will notify you in accordance with applicable law and within the timelines prescribed by DPDPA 2023.
11. Your Rights Under Applicable Law
11.1 Rights Under India's Digital Personal Data Protection Act 2023 (DPDPA)
As a Data Principal (individual whose data is processed), you have the right to:
| Right | Description |
|---|---|
| Right to Information | Know what personal data is being processed about you and the basis for processing |
| Right of Access | Request a summary of personal data held about you |
| Right to Correction | Request correction of inaccurate or incomplete personal data |
| Right to Erasure | Request deletion of personal data that is no longer necessary |
| Right to Grievance Redressal | File a complaint with our Grievance Officer (see Section 14) |
| Right to Nominate | Nominate another individual to exercise rights on your behalf in case of death or incapacity |
Note for Document Subjects: If your documents have been processed through DocuExprt by an enterprise Client (e.g., your employer or a financial institution), please contact that Client directly to exercise your DPDPA rights, as the Client is the Data Controller for that processing. We will cooperate with Client requests to fulfill Data Subject rights obligations.
11.2 Rights Under GDPR (for EU/EEA Clients and Users)
If you are based in the EU/EEA, you additionally have the right to:
- Data portability (receive your data in a structured, machine-readable format)
- Object to processing based on legitimate interests
- Withdraw consent at any time
- Lodge a complaint with your local Data Protection Authority (DPA)
To exercise any of these rights, contact us at: privacy@docuexprt.com
We will respond within 30 days of receiving a verified request.
12. Cookies and Tracking
DocuExprt uses strictly necessary session cookies only. We do not use advertising cookies, third-party tracking pixels, or behavioural analytics cookies.
| Cookie Type | Purpose | Duration |
|---|---|---|
| Session authentication cookie | Maintains your logged-in session | Session (expires on browser close or logout) |
| CSRF protection token | Protects against cross-site request forgery | Session |
| User preference cookie | Stores UI preferences (e.g., workspace selection) | 30 days |
We do not use Google Analytics, Facebook Pixel, or any third-party advertising tracker on the authenticated Platform.
The docuexprt.com marketing website may use minimal analytics (e.g., anonymised page view tracking) to measure content performance. No personally identifiable data is collected through these analytics.
13. Children's Data
DocuExprt is a B2B enterprise platform intended for use by organizations and business professionals. We do not knowingly collect or process personal data of individuals under the age of 18. If you believe that personal data of a minor has been submitted to our Platform, please contact us immediately at privacy@docuexprt.com.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in law, our business practices, or Platform features. When we make material changes, we will:
- Update the "Last Updated" date at the top of this Policy
- Notify account holders via email at least 14 days before material changes take effect
- Post a notice on the Platform dashboard
Your continued use of DocuExprt after the effective date of any changes constitutes acceptance of the updated Policy.
15. Grievance Officer
In accordance with the Information Technology Act 2000, the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, and the Digital Personal Data Protection Act 2023, we have appointed a Grievance Officer:
Grievance Officer:
Swapnil Dharmadhikari
Splashgain Technology Solutions Pvt. Ltd.
Email: grievance@docuexprt.com
Phone: +91 95525 86428
Response Timeline:
- Acknowledgement of complaint: Within 24 hours
- Resolution of complaint: Within 30 days of receipt
If you are not satisfied with our response, you may escalate to the Data Protection Board of India (once constituted under DPDPA 2023) or approach the appropriate court of jurisdiction.
16. Contact Us
For all privacy-related queries, data subject requests, or to report a concern:
Email: privacy@docuexprt.com
Postal Address:
Splashgain Technology Solutions Pvt. Ltd.
Survey Number 101, 1, Office No. C2-501/502, Saudamini Complex,
Kothrud, Pune, Maharashtra 411038, India
Governing Law: This Privacy Policy is governed by the laws of India. Any disputes arising out of this Policy shall be subject to the exclusive jurisdiction of the courts in Pune, Maharashtra, India.
This document constitutes the complete Privacy Policy of DocuExprt (operated by Splashgain Technology Solutions Pvt. Ltd.). For enterprise Data Processing Agreements (DPA), please contact sales@docuexprt.com.