DocOtto Privacy Policy

Effective Date: February 4, 2026

Last Updated: February 4, 2026

DocOtto ("we," "us," or "our") operates the website https://www.docotto.com and provides a document management and electronic signature platform (the "Service"). We help businesses turn existing PDF forms into signed, paid, organized digital workflows—without requiring signers to create an account—while capturing legally binding e-signatures with audit trails. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using DocOtto, you agree to the collection and use of information in accordance with this Privacy Policy.

1. Introduction; Roles & Responsibilities

DocOtto provides a SaaS platform that helps businesses digitize their existing PDF forms into secure workflows for collecting information, legally binding electronic signatures, and (optionally) payments.

Data Roles (Controller vs. Processor)

DocOtto processes data in two main contexts:

  • DocOtto as Data Controller (account/business contact data): For information related to your DocOtto account (e.g., admin users, billing contacts, subscription management), DocOtto acts as the Data Controller.
  • DocOtto as Data Processor (end-customer submission data): When you use DocOtto to send forms to your customers/clients/participants (your "End Users"), you (our customer) are the Data Controller, and DocOtto acts as a Data Processor for the information submitted through your forms (including e-signature data), processing it on your behalf and according to your instructions.

If you need a Data Processing Addendum (DPA), see Section 17.

2. Information We Collect

2.1 Information You Provide to Us

Account information (DocOtto as Data Controller):

When you create or manage a DocOtto account, we collect:

  • Name and email address (and, if provided, company/organization name)
  • Login and authentication information (e.g., password, stored in encrypted/hashed form)
  • Subscription plan and billing details
  • Support communications and information you choose to provide

User-created content and submissions (DocOtto as Data Processor):

When you use our Service to upload PDFs, build forms, and collect submissions, we collect and store on your behalf:

  • PDFs and documents you upload
  • Form configurations (fields such as signatures, initials, dates, checkboxes, dropdowns, and text inputs)
  • Data submitted by your End Users through your forms (which may include names, addresses, phone numbers, email addresses, and any other information you request)
  • Signature and audit data (e.g., timestamps, IP addresses, and audit trail events associated with viewing, completing, and signing)

2.2 Information Collected Automatically (Usage/Device Data)

When you, your team, or your End Users use the Service, we automatically collect:

  • IP address and approximate location derived from IP
  • Browser type/version and device/operating system information
  • Date/time stamps and event logs (e.g., creation, sending, viewing, submission, signing)
  • Pages visited and feature usage (e.g., submission counts, feature utilization)
  • Referring URLs
  • Cookies and similar tracking technologies (see Section 13)

2.3 Financial Data (Stripe)

Subscription payments:

We use Stripe, Inc. ("Stripe") to process subscription payments. DocOtto does not store full credit card numbers. Stripe collects and processes payment information according to Stripe's Privacy Policy.

Payments collected from your End Users (if enabled):

If you enable payment collection (e.g., via Stripe/Stripe Connect), payment card data is provided directly to Stripe. DocOtto receives limited transaction details (such as transaction ID, amount, status, and timestamps) to provide receipts, reconciliation, and service functionality, but we do not store full payment card numbers.

3. How We Use Your Information

3.1 To Provide and Maintain the Service

We use your information to:

  • Create and maintain your account
  • Process your subscription payments
  • Enable you to create, send, and manage digital forms
  • Capture and store electronic signatures with legally compliant audit trails
  • Facilitate payment collection through Stripe Connect (when enabled)
  • Send automated email confirmations and communications you configure
  • Provide customer support and respond to your inquiries
  • Store and organize submission data for your access

3.2 To Improve and Develop Our Service

We may use aggregated, anonymized data to:

  • Analyze usage patterns and trends
  • Develop new features and functionality
  • Improve user experience and interface design
  • Conduct testing and troubleshooting

3.3 To Communicate With You

We use your contact information to:

  • Send transactional emails (order confirmations, password resets, account notifications)
  • Provide important service updates and security alerts
  • Respond to your support requests
  • Send marketing communications (you may opt out at any time)

3.4 For Legal and Security Purposes

We may use your information to:

  • Comply with legal obligations and lawful requests
  • Enforce our Terms of Service
  • Protect against fraud, abuse, and security threats
  • Resolve disputes and investigate complaints

4. How We Share Your Information

4.1 Service Providers and Infrastructure Partners

We share information with trusted third-party service providers who help us operate, secure, and deliver the Service (for example, payment processing, cloud hosting/storage, email delivery, monitoring, and analytics). These providers are permitted to process information only as necessary to perform services for DocOtto and are required to protect it.

  • Stripe (payment processing): We use Stripe for subscription payment processing and (if enabled) payment collection features. Information shared with Stripe is subject to Stripe's Privacy Policy.
  • Email service providers: To send automated confirmation emails and communications you configure.
  • Cloud hosting and storage providers: To host the application and store data securely.
  • Analytics/monitoring providers: To help us understand performance and usage and to improve reliability (using aggregated or de-identified data when possible).

4.2 When You Direct Us

When you use DocOtto to send forms to your customers:

  • We deliver form links via email or other methods you specify
  • Your customers' submitted data is stored in your DocOtto account for your access
  • You control how this data is used, shared, or exported

4.3 Business Transfers

If DocOtto is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website before your information becomes subject to a different privacy policy.

4.4 Legal Requirements

We may disclose your information if required to do so by law or in response to:

  • Valid legal process (subpoenas, court orders, warrants)
  • Government or regulatory requests
  • Situations involving potential threats to safety or security
  • Protection of DocOtto's legal rights and property

4.5 With Your Consent

We may share your information for other purposes with your explicit consent.

5. Your Data Rights and Choices

5.1 Access and Portability

You may request:

  • Access to the personal information we hold about you (as an account holder/admin user)
  • Export of your data and customer submissions in standard formats (e.g., CSV, PDF)
  • Copies of audit trails and signature records associated with your forms/submissions

5.2 Correction

You may:

  • Update certain account information at any time through your account settings
  • Request correction of inaccurate personal information we maintain

5.3 Deletion

You may request deletion of your account and associated data, subject to:

  • The retention periods described in Section 7
  • Legal requirements (e.g., tax and accounting rules)
  • Legal holds or legitimate business needs (e.g., dispute resolution)

5.4 How to Submit a Rights Request

To submit an access, correction, or deletion request, contact us at support@docotto.com. We may need to verify your identity and/or your authority to make the request before fulfilling it.

5.5 Marketing Opt-Out

You may opt out of marketing emails by:

  • Clicking the "unsubscribe" link in any marketing email
  • Updating your communication preferences in your account settings
  • Contacting us directly at support@docotto.com

Note: You cannot opt out of transactional or service-related emails necessary for the operation of your account.

5.6 Your Customers' (End Users') Rights

As the Data Controller for information your End Users submit through your forms, you are responsible for:

  • Responding to End User data access, correction, and deletion requests
  • Providing privacy notices to End Users
  • Obtaining necessary consents for data collection and processing
  • Complying with applicable privacy laws regarding End User data

DocOtto will assist you in fulfilling these obligations upon request as your Data Processor, consistent with applicable law and our agreements.

6. Data Security

We implement industry-standard administrative, technical, and organizational measures designed to protect your information, including:

  • Encryption in transit: Data transmitted to and from DocOtto is encrypted using SSL/TLS
  • Encryption at rest: Data stored by DocOtto is encrypted at rest (e.g., AES-256 or equivalent)
  • Access controls: Role-based access, authentication, and least-privilege controls to limit access to personal data
  • Monitoring and logging: Security monitoring and event logging to detect suspicious activity
  • Secure development and testing: Ongoing maintenance, patching, and vulnerability management practices
  • Audit trails: Document actions and signature events are logged with tamper-evident audit trails

However, no method of transmission or storage is 100% secure. While we work to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

7. Data Retention

7.1 Account Data

We retain your account information and subscription data for as long as your account is active or as needed to provide services to you.

7.2 Customer Submission Data

Form submissions, signatures, and audit trails are retained in your account until:

  • You manually delete them
  • You delete your account
  • As required by applicable law or legal holds

7.3 Retention After Cancellation (by Subscription Tier)

If you cancel your subscription, we retain your forms, submissions, and related audit trail data for a period that depends on your subscription tier, generally ranging from 180 days up to 36 months after cancellation (the "Post-Cancellation Retention Period"). During this period, you may be able to reactivate your account (depending on product availability) to access retained data.

After the applicable Post-Cancellation Retention Period ends, we delete or de-identify retained data in accordance with our deletion processes, unless:

  • We are required to retain it by law
  • It is subject to a legal hold
  • We need it for legitimate business purposes such as establishing, exercising, or defending legal claims

7.4 After Account Deletion

Upon account deletion, we will:

  • Delete or de-identify your account data and customer submissions within a commercially reasonable timeframe, unless a longer retention period applies under Section 7.3 or legal requirements
  • Retain certain financial records and transaction logs as required by law (typically 7 years)
  • Retain anonymized, aggregated data for analytics purposes

8. Electronic Signatures and Audit Trails

8.1 ESIGN and UETA Compliance

DocOtto provides tools to capture legally binding electronic signatures in compliance with the U.S. Electronic Signatures in Global and National Commerce Act (ESIGN) and the Uniform Electronic Transactions Act (UETA).

To support ESIGN/UETA compliance and evidentiary integrity, we generate and store audit logs associated with form and signing events. These logs may include:

  • Signature images and/or signature captures, initials, and related signer actions
  • Typed names and electronic consent (where presented/collected as part of the workflow)
  • IP address at the time of key events (e.g., viewing, signing, submitting)
  • Device and browser information
  • Timestamps for each relevant event (e.g., sent, viewed, completed, signed)
  • Document identifiers, versioning information, and tamper-evident audit trail records

We retain these audit logs alongside the associated records in accordance with Section 7 (Data Retention) to help Users evidence who signed, what was signed, and when it was signed.

8.2 Your Responsibility

You are responsible for:

  • Ensuring your specific use case complies with applicable laws and regulations
  • Obtaining appropriate consent from signers to conduct business electronically
  • Determining whether electronic signatures are legally valid for your specific documents and jurisdiction
  • Maintaining copies of signed documents and audit trails as required by your industry

DocOtto provides the technical tools; you are responsible for legal compliance in your specific context.

9. International Data Transfers

DocOtto is based in the United States. If you access our Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States where our servers are located and our central database is operated.

By using our Service, you consent to the transfer of your information to the United States and the collection, storage, and processing of your information in accordance with this Privacy Policy and United States law.

10. Children's Privacy

DocOtto is not intended for use by children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately, and we will take steps to delete such information.

Note for Educational Users: If you use DocOtto to collect information from minors (e.g., school permission slips), you are responsible for obtaining appropriate parental consent and complying with the Children's Online Privacy Protection Act (COPPA) and other applicable laws.

11. California Privacy Rights (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA):

11.1 Right to Know

You have the right to request:

  • Categories of personal information we collect
  • Specific pieces of personal information we hold about you
  • Categories of sources from which we collect information
  • Business purposes for collecting information
  • Categories of third parties with whom we share information

11.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions.

11.3 Right to Opt-Out

You have the right to opt out of the "sale" of your personal information. DocOtto does not sell your personal information.

11.4 Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights.

To exercise your rights, contact us at support@docotto.com. We will verify your identity before fulfilling your request.

12. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):

12.1 Legal Basis for Processing

We process your information based on:

  • Contract performance: To provide the Service you've subscribed to
  • Legitimate interests: To improve our Service, prevent fraud, and ensure security
  • Consent: For marketing communications (which you may withdraw at any time)
  • Legal obligations: To comply with applicable laws

12.2 Your GDPR Rights

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Rights related to automated decision-making

To exercise your rights, contact us at support@docotto.com.

13. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Maintain your login session
  • Remember your preferences
  • Analyze usage patterns
  • Improve website functionality

13.1 Types of Cookies We Use

  • Essential Cookies: Required for the Service to function (authentication, security)
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand how the Service is used (Google Analytics or similar)

13.2 Your Cookie Choices

Most web browsers allow you to control cookies through settings. However, disabling essential cookies may affect your ability to use certain features of the Service.

14. Third-Party Links

Our Service may contain links to third-party websites or services (such as Stripe). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any information.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

  • Posting the updated policy on this page with a new "Last Updated" date
  • Sending an email notification to the address associated with your account
  • Displaying a prominent notice on our website

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

DocOtto

Email: support@docotto.com

Website: https://www.docotto.com

For data protection inquiries, please include "Privacy Request" in your subject line and provide sufficient detail for us to verify your identity and process your request.

17. Data Processing Addendum

If you are using DocOtto to process personal data on behalf of your organization and require a Data Processing Addendum (DPA) to comply with GDPR or other privacy regulations, please contact us at support@docotto.com to request our standard DPA.

BY USING DOCOTTO, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY.