Privacy Policy
This Privacy Policy explains how OverZero AI Inc. ("OverZero", "we", "us", "our") collects, uses, discloses, and retains personal information when you use DocsUnderstood — our free browser extension — and the website at docsunderstood.com (together, the "Service").
The most important thing to know is this: the extension does its work entirely inside your own browser. When you attach a PDF on a supported AI chat, the extension reads the file, finds sensitive information, and removes it on your device, before anything is shared. We do not receive your document, we do not upload it to our servers, and we have no server that processes it. We never see the contents of your files.
OverZero is a Canadian corporation incorporated federally and headquartered in Toronto, Ontario. To the limited extent we process personal information (for example, the website analytics and optional donations described below), we act as the controller (under U.S. state privacy laws) and the organization responsible (under Canada's Personal Information Protection and Electronic Documents Act, "PIPEDA").
The Service is offered only to residents of the United States and Canada who are at least 18 years old. We do not knowingly collect personal information from anyone under 18.
1. What We Collect
We collect very little. There is no account, no login, and no payment to use the extension, so for most people we collect nothing that identifies them.
1.1 Your documents — which we never receive
The extension reads your PDF, finds sensitive information, and removes it entirely within your browser, on your device. The document, and the sensitive information found in it, are never sent to us and never leave your device through us. We have no servers in this flow and cannot see your files, the text inside them, or what was redacted. When you then share the redacted document with the AI chat you chose, that exchange is between you and that provider under your own account with them (see Section 4).
1.2 Information you provide
- Support correspondence. If you choose to contact us, we receive your email address and whatever you put in your message. Please do not paste sensitive document contents into a support message.
- Optional donations. The extension is free. If you choose to leave a pay-what-you-want donation, the payment is handled by Stripe through a hosted payment link. You enter your card details on Stripe's page, not ours. OverZero does not receive or store your full card number; we receive a transaction identifier and basic billing metadata sufficient to recognize the donation and meet our records obligations. You do not need to donate to use the extension.
1.3 Information collected automatically on our website
- Website analytics. Our website at docsunderstood.com uses a privacy-respecting analytics tool (Umami) that helps us understand aggregate visits. It does not set advertising cookies and is not designed to identify you. The browser extension itself does not run this or any other tracker. If we ever adopt analytics that require consent under applicable law, we will update this Policy and present a notice before doing so.
- Donation logs. When you make a donation through Stripe, limited technical information is recorded by Stripe and by us to process and account for the payment and to investigate fraud. We do not use this to build advertising profiles.
1.4 What we do not collect
We do not ask for, and do not want, your government-issued ID numbers, financial-account numbers, biometric identifiers, precise geolocation, contacts, or health records. We do not collect the contents of your documents at all. Please do not include sensitive information in messages to us.
2. How We Use Personal Information
Because the extension processes your documents on your own device, there is very little personal information for us to use. To the extent we do process personal information, we use it to:
- process and account for any optional donation you choose to make, and handle any related request;
- detect, investigate, and prevent fraud, abuse, or security incidents;
- maintain records required by law (for example, tax records relating to donations);
- respond to you if you contact us, and tell you about material changes to the Service; and
- understand aggregate website usage so we can improve the Service, without using the contents of your documents — which we never receive — for any purpose.
We do not sell personal information. We do not share personal information for cross-context behavioural advertising. The contents of your documents never reach us, so we cannot and do not use them to train any model.
3. Legal Bases (for users in jurisdictions that require them)
Where we process personal information about a user resident in a jurisdiction that requires identification of a legal basis, we rely on:
- performance of a contract with you, to process a donation you choose to make;
- legitimate interests, to keep the Service secure and to understand aggregate website usage;
- legal obligation, to keep tax, anti-fraud, and similar records; and
- consent, where required, which you may withdraw at any time without affecting prior processing.
4. Service Providers, and the AI Chat You Choose
We use very few third parties, because the extension does its work on your device.
4.1 Our service providers (subprocessors)
The following third parties help us run the website and process optional donations. Each is bound by contractual data-protection obligations and processes personal information only on our instructions.
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe, Inc. | Optional donation processing | Card data, billing email, country (entered by you on Stripe's hosted page) | United States |
| Umami | Privacy-respecting website analytics | Aggregate page-visit data; not designed to identify you | Self-hosted by OverZero |
Notably, the extension does not send your documents to any database, model-inference, or email provider — there is no such flow. We will update this list as our subprocessors change. Material changes will be reflected in the "Last updated" date above.
4.2 The AI chat service you choose
The extension is built to work with the AI chat services you already use — currently ChatGPT (OpenAI), Gemini (Google), and Claude (Anthropic). When you share a redacted document, you share it with that provider directly, through your own session with them, under their terms and privacy policy. We are not a party to that exchange and do not receive a copy. The whole point of the extension is that, by the time anything reaches that provider, the sensitive information you reviewed has already been removed in your browser.
5. Cross-Border Transfers
We are based in Canada. The document processing performed by the extension happens on your own device and does not cross any border through us. The limited personal information we do handle — website analytics and optional donations — may be processed in Canada and the United States by us and by Stripe. Government and law-enforcement authorities in those countries may, in limited circumstances, be entitled to access personal information held by service providers operating there. We require our service providers to protect personal information at a level comparable to what it would receive in your home jurisdiction.
6. Retention
We retain personal information for only as long as we need it for the purposes described above:
- Your documents and the redactions: we never hold these, so there is nothing for us to retain or delete. They stay on your device.
- Donation transaction records: retained for as long as required to meet our financial-records obligations (typically up to seven years under Canadian tax law) and to handle any chargeback.
- Website analytics: retained in aggregate; not tied to an identified person.
- Support correspondence: retained for as long as needed to address the matter and for a reasonable period afterward.
After the applicable period, we delete personal information or irreversibly de-identify it.
7. Security
The strongest protection for your documents is built into how the extension works: detection and redaction run on your own device, so your files and the sensitive information in them never travel to us. For the limited personal information we do handle — optional donations and website analytics — we use administrative, technical, and physical safeguards appropriate to its sensitivity, including encryption in transit and restricted internal access on a need-to-know basis. Card payments are handled on Stripe's own secure systems; we never receive your full card number.
No system is perfectly secure. If we become aware of a security incident that creates a real risk of significant harm to you, we will notify you and any applicable regulator as required by law (including under PIPEDA).
8. Your Rights
Subject to applicable law and reasonable verification of your identity, you may:
- Access the personal information we hold about you;
- Correct information that is inaccurate or incomplete;
- Delete information we hold (we will honour deletion requests unless we are required to retain the information by law);
- Withdraw consent to processing that relies on consent;
- Receive a copy of certain information in a portable format; and
- Lodge a complaint with our privacy contact (below) and, if not satisfied, with a regulator.
Because we hold so little — and never hold your documents — there may be nothing for us to access or delete in many cases. To make a request, email hello@docsunderstood.com; if your request relates to a donation, please write from the email address you used for that donation so we can locate the record. We will respond within the period required by applicable law (typically 30 days under PIPEDA and 45 days under U.S. state privacy laws). We will not discriminate against you for exercising any right under applicable privacy law.
Canadian residents may file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca, or with your provincial regulator if applicable.
California residents have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we have collected, the right to delete, the right to correct, the right to limit the use of sensitive personal information, and the right to opt out of "sale" or "sharing." We do not sell personal information and do not share it for cross-context behavioural advertising. You may exercise CCPA rights through the same email above, and you may designate an authorized agent to act on your behalf.
Residents of other U.S. states with comprehensive privacy laws (including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and others) may exercise comparable rights through the same email.
9. Children
The Service is not directed to children. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information from a child, contact us and we will delete it promptly.
10. Automated Decision-Making
The extension automatically detects and removes sensitive information from your document, and the AI chat you choose then explains the document to you. None of this produces, on its own, legal or similarly significant effects on you, and we do not use the Service to take decisions about credit, employment, insurance, or eligibility for any benefit. The detection is not perfect — please review the redactions before you share. As stated in our Terms, any explanation you receive is not legal advice, and you should consult a qualified professional before acting on a document.
11. Changes to This Policy
We may update this Policy from time to time. When we do, we will revise the "Last updated" date above. If the change is material, we will give you reasonable advance notice through the Service or by email. Your continued use of the Service after a change takes effect indicates acceptance of the updated Policy.
12. Contact and Privacy Officer
Questions, requests, or complaints about this Policy or our handling of your personal information should be directed to our Privacy Officer:
OverZero AI Inc. — Privacy Officer
2727 Steeles Avenue West, Unit 103-819
Toronto, ON M3J 3G9
Canada
hello@docsunderstood.com