Plain English Summary: We only collect what we need to run DocuAI. We never sell your data. Your documents stay in your database. AI generation only processes the text you type — not your stored client data.
1. Overview
DocuAI ("the Platform", "we", "us") is a business document management system developed and operated by iKHENZ IT SOLUTION (www.ikhenz.com). This Privacy Policy explains what personal information we collect, how we use it, and your rights regarding that information.
By using DocuAI, you agree to the collection and use of information in accordance with this policy. If you are using DocuAI on behalf of an organization, you represent that you have the authority to bind that organization to this policy.
2. Data We Collect
2.1 Account & Organization Data
- Full name, email address, and hashed password (we never store plain-text passwords)
- Organization name, address, phone number, tax ID, and website
- Role and permission settings within your organization
- Profile avatar (if uploaded)
2.2 Document & Business Data
- Document content you create: invoices, quotations, agreements, payment reminders
- Client names, contact information, and addresses you enter
- Payment records and transaction references you log
- Line items, amounts, and tax information in your documents
2.3 Usage & Technical Data
- IP address at login and session activity
- Browser type and operating system (from the User-Agent header)
- Pages visited and actions performed (stored in the audit log)
- Session tokens (stored in your browser as a secure, HttpOnly cookie)
- Date and time of all actions
2.4 AI Input Data
When you use the AI Document Generator feature, the text you type in the input field is sent to Anthropic's Claude API to generate document content. See Section 5 for details.
3. How We Use Your Data
- Providing the service: Storing and displaying your documents, client records, and reports
- Authentication: Verifying your identity and maintaining your session
- Security: Detecting and preventing unauthorized access, logging audit trails
- AI features: Sending your typed input to Anthropic's API to generate document content
- Support: Responding to your inquiries and resolving technical issues
- Billing: Managing your subscription plan and usage limits
We do not use your data for advertising, profiling, or any purpose unrelated to operating DocuAI.
4. Data Storage & Security
Your data is stored in a MySQL database on the server where DocuAI is installed. If you are self-hosting, your data stays entirely on your own server — iKHENZ does not have access to it.
For cloud-hosted instances managed by iKHENZ:
- Data is stored on servers in India (or the region you select during setup)
- Databases are protected by firewall rules and require authentication
- Backups are encrypted and stored separately
- HTTPS/TLS is enforced for all connections
Security measures we implement:
- Passwords hashed with bcrypt (cost factor 10) — irreversible
- CSRF tokens on all forms and state-changing requests
- SQL injection prevention: all database queries use PDO prepared statements
- XSS prevention via htmlspecialchars() on all output
- Rate limiting on login (5 attempts per 15 minutes)
- Session ID regeneration on login
- HttpOnly, SameSite=Strict session cookies
- Security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy
5. AI Processing (Anthropic Claude)
Important: When you use the AI Document Generator, your typed description is sent to Anthropic's API. Do not include sensitive personal data (e.g. government ID numbers, bank account numbers, passwords) in your AI input text.
DocuAI uses the Anthropic Claude API for AI document generation. The following applies:
- Only the text you type in the AI input field is sent to Anthropic — not your stored documents or client records
- Anthropic processes your input to generate document content and returns the result
- Anthropic's own Privacy Policy governs how they handle API data: anthropic.com/privacy
- As of the effective date, Anthropic does not train models on API inputs by default
- You can disable AI features entirely by not configuring an API key
6. Third Parties
We do not sell, rent, or share your personal data with third parties for their marketing or commercial purposes. We may share data with:
- Anthropic — only the AI input text you type (see Section 5)
- Hosting providers — for cloud-hosted instances, the server provider (e.g. cPanel host) may process data as a data processor under our agreement
- Law enforcement — only if required by a valid legal order, and only to the extent required
7. Your Rights
You have the following rights regarding your personal data:
- Access: Request a copy of all personal data we hold about you
- Correction: Update incorrect or incomplete information via Settings
- Deletion: Request deletion of your account and all associated data
- Export: Export your documents and data via the Reports CSV export
- Restriction: Request that we stop processing your data in certain ways
- Objection: Object to processing where we rely on legitimate interests
To exercise these rights, contact us at privacy@ikhenz.com. We will respond within 30 days.
8. Cookies & Sessions
DocuAI uses one essential cookie — the session cookie (named DOCUAI_SESS) — to maintain your login state. This cookie:
- Is set as HttpOnly (cannot be accessed by JavaScript)
- Uses SameSite=Strict (not sent on cross-site requests)
- Expires when you close your browser or after 2 hours of inactivity
- Is destroyed when you sign out
We do not use advertising cookies, tracking pixels, or third-party analytics.
9. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of an account deletion request
- Documents: Retained until you delete them or request account deletion
- Audit logs: Retained for 12 months for security purposes
- Session data: Cleared on logout or after 2 hours of inactivity
- Password reset tokens: Expire after 60 minutes and are then deleted
10. Children's Privacy
DocuAI is a business platform intended for users aged 18 and above. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us immediately at privacy@ikhenz.com.
For privacy-related questions, data requests, or concerns:
We may update this Privacy Policy from time to time. We will notify users of significant changes by displaying a notice in the application. Your continued use of DocuAI after changes constitutes acceptance of the updated policy.