Document Crunch Privacy Notice

Last Updated: March 4, 2026

Introduction

Document Crunch (“we,” “us,” “our”) takes the protection of personal data (“Personal Data”) seriously. Please read this privacy notice (the “Notice”) to learn what we do with your Personal Data, how we protect it, and what privacy rights you may have under applicable data protection and privacy laws. 

What Is Not Covered by this Privacy Notice?

Platform Data 

​​​This Notice does not address Personal Data we may receive from our customers (“Customers”) in our web-based software applications that comprise the Document Crunch platform (collectively, the “Platform”). In these cases, we do not decide why or how that Personal Data will be processed. Our Customers use our Platform to store and process their own customers’ Personal Data. In these cases, we act only as a storage and service provider. We do not decide what Personal Data is being stored, and in general we will only access such Personal Data at our Customer’s request in connection with Customer support or account administration matters. We will only access Personal Data to provide the Services that our Customer has directed us to provide, or if we are required to do so by law.  

When you give your data to one of our Customers or when we collect your Personal Data on their behalf, our Customer’s privacy notice, rather than this Notice, will apply to our processing of your Personal Data. If you have a direct relationship with one of our Customers, please contact them to exercise your privacy rights. 

Human Resources Personal Data 

This Notice does not apply to the Personal Data of employees, job applicants, contractors, business owners, directors, officers of Document Crunch.

Information Which Does Not Constitute Personal Data 

If we do not maintain information in a manner that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular individual or household, such information is not considered Personal Data, and this Notice will not apply to our processing of that information. 

Our Role With Respect to Your Personal Data 

We act as a controller or business for the Personal Data of users of our ​​website(s), or business contacts and prospects of Document Crunch when we decide the purposes and means of processing, like when we market our services or engage with prospective customers.  

Most of the Personal Data we process we process under a service contract with one of Customers who are using our Platform. In such cases we act as a Service Provider or Processor and will only process Personal Data pursuant to our Customer’s instructions. Our Customer’s privacy notice, rather than this Notice, will apply to our processing of your Personal Data. If you have a direct relationship with one of our Customers, please contact them to exercise your privacy rights. 

What Personal Data We Process 

In our role as a Controller, when you visit our website, request a demo from us, engage with us at a trade show, conference, or other industry event, engage with us as prospective customer, or engage with us as a Customer outside the purposes of our Services contract, we may process:  

  • Identifying information. This may include your name, personal or business email, physical address, or phone number, IP Address, device information, account name and password, etc. 
  • Marketing information. This may include your activity on our website and preferences for receiving communications from us. Please see the section about Cookies, below, for additional information. 
  • Information from third parties. We may obtain information from social media platforms or other advertising partners, or from the partners, trade shows, industry events or conferences you may attend that we sponsor or are associated with.  
  • Other. To the extent you provide additional information to us, like in a free text field or in another interaction.  

Cookies

A “cookie” is a small file stored on your device that contains information about your device. We may use cookies to provide basic relevant ads, website functionality, authentication (session management), usage analytics (web analytics), to remember your settings, and to generally improve our websites and Services. 

We use session and persistent cookies. Session cookies are deleted when you close your browser. Persistent cookies may remain even after you close your browser but always have an expiration date.  

This information includes: 

  • Device Information: The manufacturer and model, operating system, IP address, and unique identifiers of the device, as well as the browser you use to access the Service. The information we collect may vary based on your device type and settings. We may also derive a rough estimate of your location from your IP address when you visit the Website. 
  • Usage Information: Information about how you engage with our Website such as the types of content that you view or actions you take on our Website, and the time, frequency, and duration of your activities. 

Most of the cookies placed on your device through our Services are first-party cookies which are placed directly by us. Other parties, such as Google or Meta, may also set their own (third-party) cookies or other tracking technologies (like pixels) on our website or through our Services. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you. 

For more information about our use of cookies, as well as the use of cookies and other tracking technologies by third parties on our website, please see our  Cookie Notice

If you prefer not to accept cookies, you can change the setup of your browser to reject all or some cookies. Note, if you reject certain cookies, you may not be able to use all features of our Services. For more information, please visit https://www.aboutcookies.org/

For What Purposes Do We Use Your Personal Data?  

We will use your personal information for one or more of the purposes set out below: 

To operate and deliver our Services. We will use your personal information to perform our contractual obligations, when it is in our legitimate business interests or based on your consent, including to: 

  • Provide, operate, maintain, and secure our Services;
  • Provide support assistance and troubleshooting;
  • To send you updates about administrative matters such as changes to our terms or policies; and
  • Provide user support, and respond to your requests, questions and feedback.

To improve, monitor, personalize, and protect our Services. It is in our legitimate business interests to improve and keep our Services safe, which includes:

  • Enriching your user experience and customize your relationship with us;
  • Protecting the security of our Services; and
  • Preventing and detecting security threats, fraud or other criminal or malicious activities.

To comply with legal obligations and to defend Document Crunch against legal claims or disputes. We may use your personal information to comply with our legal obligations or when it is in our legitimate business interests, which includes to:

  • Comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities;
  • Protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);
  • Audit our compliance with legal and contractual requirements and internal policies; and
  • Protect the security of and manage access to our premises and prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.

For marketing and advertising. We and our advertising partners may use your personal information for marketing and advertising purposes, including sending you direct marketing communications as permitted by law.  

  • To facilitate corporate acquisitions, mergers, or transactions. We may use your personal information, when it is in our legitimate business interests, when we do a business deal, or negotiate a business deal, involving the sale or transfer of all or a part of our business or assets. These deals can include any merger, financing, acquisition, or bankruptcy transaction or proceeding. 

Lawful Bases for Processing 

To use your Personal Data, we must have a valid reason, which under some laws is called the “lawful basis for processing” or “legal grounds for processing.” When we act as a data controller, we may process your Personal Data based on your consent, to fulfill our contractual obligations, or because it is in our legitimate interest to maintain, grow, and develop our Product and business to do so. When relying on our legitimate interest, we do so only after considering whether it will unduly impact the rights or freedoms of the individuals whose data we process.  

When we use your Personal Data because you gave us permission (consent), you can change your mind at any time. However, this will not undo the things we did with your data before you changed your mind. It also will not change the things we are allowed to do with your data based on other reasons. 

Where we receive your Personal Data as part of providing our Services to you to fulfill a contract, we require such Personal Data to be able to carry out the contract. Without that necessary Personal Data, we will not be able to provide the Services to you. 

How Long We Keep Your Personal Data 

We retain Personal Data for as long as instructed by the respective Customer (who typically acts as a data controller). We delete any Personal Data submitted to us by our Customers within ​30 days of the end of our service agreement with the Customer, unless applicable laws require other time periods. 

​​​Your Personal Data may need to be retained in our backup systems and will only be deleted or overwritten at a later time, normally up to 30 days past original date of deletion. This may be the case even when you or a Supervisory Authority has validly asked us to delete your Personal Data or when we do not no longer have a legal basis for processing such Personal. Please note that our backups are protected, and we have implemented a system to remind us to delete the data again when we restore a backup to production systems. 

Sharing Personal Data with Third Parties 

 The following table describes, in the last (12) twelve months, the categories of information we have disclosed to third parties for business purposes, and the categories of those third parties. It also describes the categories of information we sell to third parties, and the categories of those third parties. 

We may share your personal information with the following third parties:  

  • Service Providers: to assist us in meeting business operational needs and to perform certain services and functions, we may share personal information with our vendors and service providers, including providers of hosting services, cloud services, and other information technology services providers. Pursuant to our instructions, these parties will access, process, or store personal information in the course of performing their duties for us. 
  • Professional Advisors: we may share personal information with our professional advisors such as lawyers and accountants where doing so is necessary to facilitate the services they render to us.  
  • Advertising and Industry Partners: As part of our marketing efforts, we may share information with trade show or industry partners, or with third party advertising partners.  
  • Legal Requirements: we do not volunteer your personal information to government authorities or regulators, but we may disclose your personal information where required to do so to comply with laws and regulations applicable to us as described above. 
  • Business Transaction: if Document Crunch is involved in a merger, acquisition, asset sale, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your personal information may be sold, transferred, or otherwise shared including as part of any due diligence process. 

​​International Transfers of Your Personal Data​ 

We are a global company headquartered in the United States (US), and our service providers and other third parties with whom we share Personal Data with operate globally.  

When you use the Services, certain third parties may collect Personal Data about your online activities over time and across different websites or online services. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you.  

International Transfers of Your Personal Data: Europe 

When your Personal Data is safeguarded by the EU or UK General Data Protection Regulation, before sending it to parties the European Economic Area (“EEA”) , the UK, we will do one of two things: 

  • Seek your consent; or 
  • Demand privacy and security: We will ensure the third party maintains the same level of privacy and security for your Personal Data as we do. 

In some cases, the authorities of a country may have determined that the laws of other countries, territories or sectors within a country provide a level of protection equivalent to domestic law. You can see here the list of countries, territories and specified sectors that the European Commission recognized as providing an adequate level of protection for personal data, and here the list of the UK. 

We are accountable for the protection of your Personal Data when we transfer it to others. We either send it to a country, territory or sector within a country that is recognized as providing the same level of personal data protection as the country of origin, or use safeguards like the Data Privacy Framework (as defined below), Binding Corporate Rules or the Standard Contractual Clauses (also known as the “SCCs”) approved by the European Commission under Article 46.2 of the GDPR, with necessary adjustments for transfers from the UK, or use specific transfer instruments like the UK International Data Transfer Agreement.  

Other Disclosures of Your Personal Data 

We may disclose your Personal Data to the extent required by law, or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by governmental/law enforcement officials, or private parties). If we have to disclose your Personal Data to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data. 

We may also disclose your Personal Data if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your Personal Data to our subsidiaries or affiliates, but only if necessary for business purposes, as described in the section above.  

We reserve the right to use, transfer, sell, and share aggregated, anonymous data for any legal purpose. Such data does not include any Personal Data. The purposes may include analyzing usage trends or seeking compatible advertisers, sponsors, and customers. 

Artificial Intelligence (AI), Your Personal Data, and  Your Rights 

We use AI systems and automated decision-making technologies to identify risk in construction contracts and project documents uploaded by customers, and to help our customers more efficiently manage projects by organizing and summarizing information for them. These systems are meant to improve review by humans \by identifying potential legal risks in contracts, or by summarizing and organizing complex information. No final decisions are made by our AI: it classifies, characterizes, and highlights information for ultimate review and decision making by a user in the Document Crunch platform.   

Although our AI systems operate independently, we have implemented measures to ensure human oversight of their outputs where necessary. In certain cases, decisions made by AI systems are reviewed by our staff to ensure accuracy. 

Any personal data processed by our AI system is incidental. Its focus is legal contract language and other project terms. We do not make AI-based decisions that have significant impact with respect to personal data. We only use AI to process Personal Data that is lawfully collected, relevant, accurate, and in compliance with our data protection policies. Our AI systems do not process sensitive categories of Personal Data, such as race, religion, or health information.  

AI will not be used to input confidential, sensitive, or customer-protected information without approval. Further, AI will not be used to make final decisions without human review, especially for anything affecting customers, legal outcomes, or decisions that can create risk to the business. Lastly, AI will not replace processes such as critical thinking, domain expertise, or ethical judgment. 

What Privacy Rights Do You Have?  

Right to Know What Happens to Your Personal Data 

This is called the right to be informed. It means that you have the right to obtain from us all information regarding our data processing activities that concern you (or your child), such as how we collect and use your Personal Data, how long we will keep it, and who it will be shared with, among other things. 

We are informing you of how we process your Personal Data with this Notice. 

We will make every effort to let you know how we use your Personal Data. Yet, if we did not get your data directly from you, the GDPR does not require us to inform you in these cases: (1) When it is impossible or too costly to provide the information. (2) When the law obliges us to gather or share the data. (3) If the Personal Data must stay confidential because of professional or other secrecy obligations. 

Right to Know What Personal Data Document Crunch Has About You 

This is called the right of access. This right allows you to (1) get confirmation of whether we process Personal Data about you (2) ask for full details of the Personal Data we hold about you and certain related information; (3) get a copy or access to the Personal Data. 

You have the right to obtain from us, including confirmation of whether or not we process Personal Data concerning you (or your child), and, where that is the case, a copy or access to the Personal Data and certain related information.  

Once we receive and confirm that the request came from you or your authorized agent, we will disclose to you: 

  • The categories of your Personal Data that we process; 
  • The categories of sources for your Personal Data; 
  • Our purposes for processing your Personal Data; 
  • Where possible, the retention period for your Personal Data, or, if not possible, the criteria used to determine the retention period; 
  • The categories of third parties with whom we share your Personal Data; 
  • If we carry out automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you; 
  • The specific pieces of Personal Data we process about you in an easily sharable format; 
  • ​​​If we rely on legitimate interests as a lawful basis to process your Personal Data, the specific legitimate interests; and 
  • The appropriate safeguards used to transfer Personal Data from the EEA or the UK to a third country, if applicable. 

Under some circumstances, we may deny your access request. In that event, we will respond to you with the reason for the denial.  

For security and legal compliance, we cannot disclose certain sensitive information like Social Security numbers, driver’s license numbers, financial account numbers, health insurance or medical IDs, passwords, or security questions and answers. However, we can inform you if we have such information without disclosing specific details. 

Right to Change Your Personal Data  

This is called the right to rectification. It gives you the right to ask us to correct without undue delay anything that you think is wrong with the Personal Data we have on file about you, and to complete any incomplete Personal Data.  

If your account settings do not allow you change the information yourself, please contact us and we will do our best to change the Personal Data for you. 

Right to Delete Your Personal Data 

This is called the right to erasure, right to deletion, or the right to be forgotten. This right means you can ask for your Personal Data to be deleted. 

Sometimes we can delete your information, but other times it is not possible for either technical or legal reasons. If that is the case, we will consider if we can limit how we use it. We will also inform you of our reason for denying your deletion request. 

Right to Ask Us to Limit How We Process Your Personal Data 

This is called the right to restrict processing. It is the right to ask us to only use or store your Personal Data for certain purposes. You have this right in certain instances, such as where you believe the data is inaccurate or the processing activity is unlawful.  

Right to Ask Us to Stop Using Your Personal Data 

This is called the right to object. This is your right to tell us to stop using your Personal Data. You have this right where we rely on a legitimate interest of ours (or of a third party). You may also object at any time to the processing of your Personal Data for direct marketing purposes. 

We will stop processing the relevant Personal Data unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your Personal Data to establish, exercise, or defend a legal claim. 

Right to Port or Move Your Personal Data 

This is called the right to data portability. It is the right to ask for and receive a portable copy of your Personal Data that you have given us or that you have generated by using our Services, so that you can: 

  • Move it; 
  • Copy it; 
  • Keep it for yourself; or 
  • Transfer it to another organization. 

We will provide your Personal Data in a structured, commonly used, and machine-readable format. When you request this information electronically, we will provide you a copy in electronic format. 

Right Related to Automated Decision Making 

We sometimes use computers to study your Personal Data. We might use this Personal Data so that we know how you use our Services. For decisions that may seriously impact you, you have the right not to be subject to automatic decision-making, including profiling. But in those cases, we will always explain to you when we might do this, why it is happening and the effect. 

To turn off personalized advertising based on information obtained through cookies we place, please contact us at privacy@documentcrunch.com.  

Right to Withdraw Your Consent 

Where we rely on your consent as the legal basis for processing your Personal Data, you may withdraw your consent at any time. If you withdraw your consent, our use of your Personal Data before you withdraw is still lawful. 

If you have given consent for your details to be shared with a third party and wish to withdraw this consent, please also contact the relevant third party in order to change your preferences. 

Right to Non-Discrimination & Financial Incentives 

We will not discriminate against you for exercising any of your privacy rights. Unless the applicable data protection laws permit it, we will not: 

  • Deny you goods or services; 
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits or imposing penalties; 
  • Provide you a different level or quality of goods or services; or 
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services. 

How Can You Exercise Your Privacy Rights? 

To exercise any of the rights described above, please submit a request by either: 

Call us at 855-215-4727  
Contact us by email at privacy@documentcrunch.com
Write to us at: 3000 Summit Place, Ste. 200, Alpharetta, GA 30009

Verification of Your Identity

In order to correctly respond to your privacy rights requests, we need to confirm that YOU made the request. Consequently, we may require additional information to confirm that you are who you say you are. 

​​​For requests submitted via password-protected accounts, your identity is already verified. For requests sent by other means, we will verify your identity via reasonable and proportionate measures, including email or phone call. 

We will only use the Personal Data you provide us in a request to verify your identity or authority to make the request. 

Verification of Authority 

If you submit a request on behalf of somebody else, we will need to verify your authority to act on behalf of that individual. When contacting us, please provide us with proof that the individual gave you signed permission to submit this request, a valid power of attorney on behalf of the individual, or proof of parental responsibility or legal guardianship. Alternatively, you may ask the individual to directly contact us by using the contact details above to verify their identity with Document Crunch and confirm with us that they gave you permission to submit this request. 

Response Timing and Format of Our Responses 

We will confirm the receipt of your request within ten (10) business days, and, in that communication, we will also describe our identity verification process (if needed) and when you should expect a response, unless we have already granted or denied the request. 

Please allow us up to a month to reply to your requests (except requests to stop selling your Personal Data) from the day we received your request. If we need more time (up to 90 days in total), we will inform you of the reason why and the extension period in writing.  

​​​We will act upon your request to opt-out from selling your Personal Data within fifteen (15) business days. We will also notify the third parties to whom we sold your Personal Data of your request and instruct them not to further sell your Personal Data. We will inform you about this in ninety (90) days from the receipt of your request. 

If we cannot satisfy a request, we will explain why in our response. For data portability requests, we will choose a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without difficulty. 

We will not charge a fee for processing or responding to your requests. However, we may charge a fee if we determine that your request is excessive, repetitive, or manifestly unfounded. In those cases, we will tell you why we made that determination and provide you with a cost estimate before completing your request. 

Privacy of Children

Even though our Website is not designed for use by anyone under the age of 13, we realize that a child under the age of 13 may attempt to access our Website. We do not knowingly collect personal information from children under the age of 13. If you are a parent or guardian and believe that your child is using our Website, please contact us. Before we remove any information we may ask for proof of identification to prevent malicious removal of account information. If we discover that a child is accessing our website, we will delete his/her information within a reasonable period of time. You acknowledge that we do not verify the age of our users nor have any liability to do so. 

Data Integrity & Security

We are strongly committed to keeping your Personal Data safe. We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect your Personal Data from unauthorized processing. Unauthorized processing includes unauthorized access, exfiltration, theft, disclosure, alteration, or destruction.  

Right to Lodge a Complaint with a Supervisory Authority

If the EU or UK General Data Protection Regulation applies to our processing of your Personal Data, you have the right to lodge a complaint with a supervisory authority if you are not satisfied with how we process your Personal Data.  

Specifically, you can lodge a complaint in the Member State of the European Union of your habitual residence, place of work, or the alleged violation of the GDPR. In the UK, you can lodge a complaint with the UK Information Commissioner’s Office.  

Changes to this Notice

If we make any material change to this Notice, we will post the revised Notice to this web page. We will also update the “Effective” date. 

Contact Us

If you have any questions about this Notice or our processing of your Personal Data, or want to submit a verifiable consumer request, please write to our Privacy Team by email at privacy@documentcrunch.com, or call at 855-215-4727 or by postal mail at: 

Document Crunch, Inc. 
Privacy Team 
3000 Summit Place, Ste. 200, Alpharetta, GA 30009 United States 

Please allow up to four (4) weeks for us to reply. 

European Union Representative 

We have appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/ or via telephone at: +420 228 881 031 

Alternatively, VeraSafe can be contacted at: 

VeraSafe Ireland Ltd Unit 3D North Point House North Point Business Park New Mallow Road Cork T23AT2P Ireland  

VeraSafe Netherlands BV Keizersgracht 555 Amsterdam 1017 DR The Netherlands  		VeraSafe Czech Republic s.r.o. Rohanské nábřeží 678/23,  Prague 8,  18600,  Czech Republic   

United Kingdom Representative 

We have appointed VeraSafe as our representative in the UK for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/ or via telephone at: +44 (20) 4532 2003. 

VeraSafe United Kingdom Ltd.  
37 Albert Embankment 
London  
SE1 7TL 
United Kingdom 

Data Protection Officer

We have appointed VeraSafe as our Data Protection Officer (DPO). While you may contact us directly, VeraSafe can also be contacted on matters related to the processing of Personal Data. VeraSafe’s contact details are: 

VeraSafe LLC 
100 M Street S.E., Suite 600  
Washington, D.C.  20003  
USA 

Email: experts@verasafe.com  
Web: Contact VeraSafe Today