Privacy Policy.

doclish is committed to the privacy, security, and integrity of Protected Information in our custody. This policy explains what information we collect, how we use it, and your rights with respect to your data. By using doclish, you agree to the practices described here.

We collect only what is necessary to operate and improve the platform:

• Account information — your name, email address, and organization name provided during registration.
• Billing information — processed and stored by Stripe, Inc. doclish does not store full card numbers.
• Document metadata — file names, sizes, SHA-256 hash values, registration timestamps, and custody chain records.
• Document files — uploaded files are stored encrypted in Cloudflare R2 object storage. doclish staff do not access file contents.
• Usage data — pages visited, features used, and session timing, collected to improve the platform.
• Communications — emails sent to and from support.

• To deliver and operate the doclish service.
• To process payments through Stripe.
• To generate and maintain document audit logs and chain-of-custody records.
• To notify you of activity on your account (registrations, deliveries, access events).
• To respond to support requests.
• To comply with applicable legal obligations.

We do not sell, rent, or trade your personal information to third parties.

Document files are stored in Cloudflare R2, encrypted at rest using AES-256. All data in transit is protected by TLS 1.3. Document integrity is verified by SHA-256 hashing at the time of registration — this hash is immutable and publicly verifiable.

Access to your data is role-gated within your organization. Only users you designate as Admin, Member, or Viewer can access your workspace.

Document records and audit logs are retained for a minimum of 45 years to satisfy HIPAA, CJIS, and general legal admissibility requirements. You may request deletion of personal account data at any time; however, registered document records and audit entries are immutable and cannot be removed once created.

• Stripe — payment processing. Subject to Stripe's Privacy Policy.
• Cloudflare — content delivery, DDoS protection, and R2 file storage.
• Emailit — transactional email delivery for notifications.
• Convex — backend database and real-time infrastructure.

Depending on your jurisdiction, you may have the right to access, correct, or request deletion of your personal data. To exercise these rights, contact us at legal@doclish.com.

We may update this policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and notify active customers by email.

For privacy-related questions, contact us at legal@doclish.com or write to: doclish, Inc., United States.