Privacy Policy
This Privacy Policy explains how OverZero AI Inc. ("OverZero", "we", "us", "our") collects, uses, discloses, and retains personal information when you use DocsUnderstood and the website at docsunderstood.com (together, the "Service").
OverZero is a Canadian corporation incorporated federally and headquartered in Toronto, Ontario. We act as the controller (under U.S. state privacy laws) and the organization responsible (under Canada's Personal Information Protection and Electronic Documents Act, "PIPEDA") for personal information processed through the Service.
The Service is offered only to residents of the United States and Canada who are at least 18 years old. We do not knowingly collect personal information from anyone under 18.
1. What We Collect
We collect only what we need to deliver and operate the Service.
1.1 Information you provide
- Email address. You give us an email address at checkout so we can deliver your report and any service notices.
- Documents you upload. When you submit a document for analysis, we receive its contents. Documents may contain personal information about you or about third parties (for example, the name of an employer, landlord, or counterparty). You are responsible for ensuring you are entitled to upload them.
- Support correspondence. If you contact us, we receive your email address and the contents of your message.
1.2 Information collected automatically
- Payment information. When you pay, Stripe collects and processes your payment-card details, billing address, and country directly. OverZero does not receive or store full card numbers; we receive a transaction identifier, the email you used, and basic billing metadata sufficient to issue refunds and meet our records obligations.
- Technical logs. Our servers automatically record limited technical information (timestamps, request types, error codes, coarse IP-derived region) needed to keep the Service running and to investigate abuse. We do not use these logs to build advertising profiles.
- Cookies and analytics. Our site uses only the cookies strictly necessary to operate checkout. We may add a privacy-respecting analytics tool (for example, one that does not set tracking cookies and does not collect personal information). If we adopt cookies or analytics that require consent under applicable law, we will update this Policy and present an in-product notice before doing so.
1.3 What we do not collect
We do not ask for, and do not want, your government-issued ID numbers, financial-account numbers, biometric identifiers, precise geolocation, contacts, or health records. Please do not include this information in messages to us.
2. How We Use Personal Information
We use personal information to:
- run the Service: analyze your document, generate the report, and send it to your email;
- process your payment, issue receipts, and handle refund requests;
- detect, investigate, and prevent fraud, abuse, or security incidents;
- maintain records required by law (for example, tax records);
- communicate with you about your transaction or about material changes to the Service; and
- improve the Service in aggregate (for example, by tracking error rates), without using the contents of your documents to train models.
We do not sell personal information. We do not share personal information for cross-context behavioural advertising. We do not use the contents of Your Content to train large language models, and our LLM provider is contractually required not to do so on our behalf.
3. Legal Bases (for users in jurisdictions that require them)
Where we process personal information about a user resident in a jurisdiction that requires identification of a legal basis, we rely on:
- performance of a contract with you, to deliver the Service you purchased;
- legitimate interests, to keep the Service secure and to improve it in aggregate;
- legal obligation, to keep tax, anti-fraud, and similar records; and
- consent, where required, which you may withdraw at any time without affecting prior processing.
4. Service Providers (Subprocessors)
We use the following third parties to deliver the Service. Each is bound by contractual data-protection obligations and processes personal information only on our instructions.
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Card data, billing email, country | United States |
| Neon, Inc. | Database hosting | Email, document text and analyses (during the retention window), transaction metadata | United States |
| DeepInfra, Inc. | Large language model inference | Document text after on-device pre-processing, including sensitive-information redaction where applicable | United States |
| Resend, Inc. | Sending the report and transactional emails | Recipient email, report contents | United States |
We will update this list as our subprocessors change. Material changes will be reflected in the "Last updated" date above.
5. Cross-Border Transfers
We are based in Canada, and our service providers are based in the United States. When you use the Service, your personal information is transferred to and processed in the United States and Canada. Government and law-enforcement authorities in those countries may, in limited circumstances, be entitled to access personal information held by service providers operating there. We require our service providers to protect personal information at a level comparable to what it would receive in your home jurisdiction.
6. Retention
We retain personal information for only as long as we need it for the purposes described above:
- Uploaded documents and generated analyses: automatically deleted 30 days after the analysis is delivered. The emailed report is your canonical copy; please save it.
- Email address and transaction record: retained for as long as required to meet our financial-records obligations (typically up to seven years under Canadian tax law) and to honour refund or chargeback requests.
- Technical logs: typically retained for up to 90 days, then deleted or aggregated.
- Support correspondence: retained for as long as needed to address the matter and for a reasonable period afterward.
After the applicable period, we delete personal information or irreversibly de-identify it.
7. Security
We protect personal information using administrative, technical, and physical safeguards appropriate to its sensitivity, including encryption in transit, encryption at rest for stored documents and analyses, restricted internal access on a need-to-know basis, and on-device detection that redacts sensitive information from document text before it is sent to our LLM provider where this is feasible.
No system is perfectly secure. If we become aware of a security incident that creates a real risk of significant harm to you, we will notify you and any applicable regulator as required by law (including under PIPEDA).
8. Your Rights
Subject to applicable law and reasonable verification of your identity, you may:
- Access the personal information we hold about you;
- Correct information that is inaccurate or incomplete;
- Delete information we hold (we will honour deletion requests unless we are required to retain the information by law);
- Withdraw consent to processing that relies on consent;
- Receive a copy of certain information in a portable format; and
- Lodge a complaint with our privacy contact (below) and, if not satisfied, with a regulator.
To make a request, email hello@docsunderstood.com from the email address used at checkout. We will respond within the period required by applicable law (typically 30 days under PIPEDA and 45 days under U.S. state privacy laws). We will not discriminate against you for exercising any right under applicable privacy law.
Canadian residents may file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca, or with your provincial regulator if applicable.
California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we have collected, the right to delete, the right to correct, the right to limit the use of sensitive personal information, and the right to opt out of "sale" or "sharing." We do not sell personal information and do not share it for cross-context behavioural advertising. You may exercise CCPA rights through the same email above, and you may designate an authorized agent to act on your behalf.
Residents of other U.S. states with comprehensive privacy laws (including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and others) may exercise comparable rights through the same email.
9. Children
The Service is not directed to children. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information from a child, contact us and we will delete it promptly.
10. Automated Decision-Making
The reports we generate are produced by automated systems, but they do not, on their own, produce legal or similarly significant effects on you. We do not use the Service to take decisions about credit, employment, insurance, or eligibility for any benefit. As stated in our Terms, the report is not legal advice and you should consult a qualified professional before acting on it.
11. Changes to This Policy
We may update this Policy from time to time. When we do, we will revise the "Last updated" date above. If the change is material, we will give you reasonable advance notice through the Service or by email. Your continued use of the Service after a change takes effect indicates acceptance of the updated Policy.
12. Contact and Privacy Officer
Questions, requests, or complaints about this Policy or our handling of your personal information should be directed to our Privacy Officer:
OverZero AI Inc. — Privacy Officer
2727 Steeles Avenue West, Unit 103-819
Toronto, ON M3J 3G9
Canada
hello@docsunderstood.com