DoclyDocly

Privacy Policy

Last updated: May 2, 2026

Effective date: May 2, 2026

This Privacy Policy explains how Signal and Co Studios LLC, the operator of Docly (“Docly,” “we,” “our,” or “us”), collects, uses, discloses, retains, and protects information when you visit askdocly.com or use our document-review service (the “Service”). It also describes the choices and rights you have regarding your information.

Docly is operated from the State of New Jersey, United States. By using the Service, you acknowledge that your information will be processed as described in this policy. If you do not agree, please do not use the Service.

1. Quick summary

The plain-English version, in case you don’t want to read everything:

  • We collect what we need to run the Service: your account details, the documents you upload, the questions you ask, and basic usage data.
  • We use third parties (Google’s Firebase platform, Anthropic for AI analysis, reCAPTCHA Enterprise for abuse prevention, and a payment processor for paid features). They are bound by contract to protect your information.
  • Documents are encrypted in transit and at rest, and are automatically deleted within 28 days. You can delete them yourself at any time.
  • We do not sell your personal information. We do not allow third-party AI providers to train their models on your documents or chats.
  • You can access, export, correct, or delete your data, and you have specific rights under California, EU/UK, and certain other laws (see Section 11).

2. Information we collect

2.1 Information you provide

  • Account information. When you create an account, we collect your email address and (depending on the sign-in method) your name and profile photo. If you sign in with Google or Apple, the identity provider shares limited profile information with us in accordance with the permissions you authorize.
  • Authentication credentials. If you sign up with email and password, your password is stored by our authentication provider (Firebase Authentication) using industry-standard hashing. We never see or store your raw password.
  • Documents and content (“User Content”). Files you upload (such as leases, employment offers, or other agreements), text you paste, the AI-generated analysis of those files, and the questions, messages, and notes you submit through the chat assistant.
  • Communications. If you contact us (for example, by emailing support), we collect the contents of those communications and any attachments.
  • Payment information. When paid features become available, payments are processed by a third-party payment processor (such as Stripe). We receive transaction confirmations and limited billing metadata (for example, the last four digits of your card and country); we do not see or store full card numbers.

2.2 Information collected automatically

  • Device and connection data. IP address, browser type and version, operating system, device identifiers, language preferences, and approximate location derived from IP.
  • Usage data. Pages visited, features used, buttons clicked, referring/exit pages, dates and times of access, and similar interaction data.
  • Log and diagnostic data. Server logs, crash reports, performance traces, and error messages that help us keep the Service reliable.
  • Cookies and similar technologies. See Section 9 for details on what we use and why.
  • Bot-protection signals. We use Google reCAPTCHA Enterprise (via Firebase App Check) to detect automated traffic. reCAPTCHA collects hardware and software information (such as device data and browser information) and is governed by the Google Privacy Policy and Google Terms of Service.

2.3 Information from third parties

  • Identity providers. If you sign in using Google or Apple, we receive limited profile information you authorize them to share (typically your name, email, and a unique identifier).
  • Payment processor. When you make a purchase, our processor sends us transaction confirmation and limited billing metadata.

2.4 Sensitive information

The documents you upload may contain information that some laws treat as sensitive (for example, social security numbers, driver’s license numbers, financial account numbers, or health information that appears in the documents you analyze). You decide what to upload. We process this information solely to provide the Service to you and apply the same protections described in this policy.

3. How we use information

We use the information described above for the following purposes:

  • Provide the Service. Authenticate you, process and analyze the documents you upload, generate summaries and flags, answer your questions, and store your account and content.
  • Process transactions. Charge for paid plans or document credits, send receipts, and manage refunds and chargebacks.
  • Communicate with you. Send service-related notices (such as security alerts, account confirmations, and billing messages) and, where permitted, product updates and marketing — which you can opt out of.
  • Improve and develop the Service. Understand how the Service is used, debug issues, monitor performance, and develop new features. We use de-identified or aggregated data for these purposes whenever practical.
  • Protect Docly and our users. Detect, investigate, and prevent fraud, abuse, security incidents, and other illegal or harmful activity, and enforce our terms.
  • Comply with the law. Meet our legal, regulatory, tax, and audit obligations and respond to lawful requests.

4. AI processing of your documents

To produce your analysis and chat responses, the Service sends the contents of your document and your messages to a third-party large-language-model provider, Anthropic, PBC (operator of Claude), which acts as our sub-processor for AI inference. We have a data-processing relationship with Anthropic under which:

  • Your documents and chats are processed solely to generate the response you requested;
  • Anthropic does not use Docly customer inputs or outputs to train its models; and
  • Inputs and outputs are subject to Anthropic’s commercial data-handling and retention commitments.

Anthropic’s practices are described at anthropic.com/legal/privacy. We do not sell, rent, or otherwise make your User Content available for AI model training, advertising, or any purpose unrelated to providing the Service.

AI outputs may contain errors. The analysis Docly provides is not legal advice. See our Terms of Service for details.

5. How we share information

We share information only as described below. We do not sell personal information.

5.1 Service providers and sub-processors

We use vendors to operate the Service. They process information on our behalf, only for the purposes we direct, and under contractual confidentiality and security obligations. Our principal sub-processors are:

  • Google LLC / Google Cloud (Firebase). Authentication, database (Firestore), file storage, serverless backend (Cloud Functions), App Check, and analytics infrastructure. United States and other regions where Google operates.
  • Anthropic, PBC. AI inference for document analysis and chat (see Section 4). United States.
  • Google reCAPTCHA Enterprise. Abuse and bot detection. United States.
  • Payment processor (e.g., Stripe, Inc.). Processes payments for paid features when offered. United States.
  • Email and customer-support platforms. Used to send transactional and support emails and to handle inbound support requests.
  • Analytics and error-monitoring providers. Used to understand product usage and diagnose errors. We configure these to minimize the personal information they receive.

We update this list from time to time. Contact us for the current detailed list.

5.2 Legal, safety, and compliance

We may disclose information when we believe in good faith it is necessary to: comply with a law, regulation, legal process, or governmental request; enforce our terms; investigate or prevent fraud, security issues, or harm to any person; or protect the rights, property, or safety of Docly, our users, or others.

5.3 Business transfers

If Docly is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of its assets, your information may be transferred to the successor or acquirer, subject to confidentiality protections and (where required) notice to you.

5.4 With your direction

We may share information at your direction or with your consent — for example, when you choose to share an analysis with another party.

5.5 Aggregated or de-identified data

We may share aggregated or de-identified information that cannot reasonably be used to identify you (for example, statistics about how the Service is used). We do not attempt to re-identify de-identified data.

6. How long we keep information

We retain personal information only as long as necessary for the purposes described in this policy.

  • Documents and analyses. Uploaded documents and the AI-generated analyses tied to them are automatically deleted within 28 days of upload. You can delete them sooner from your account at any time.
  • Chat messages. Chat threads about a document are deleted when the document is deleted.
  • Account information. Retained while your account is active. When you delete your account, we remove your profile, documents, analyses, chats, and storage objects from production systems.
  • Backups. Encrypted backups taken in the ordinary course are retained for a limited period (typically 30–90 days) and then overwritten.
  • Logs and diagnostic data. Retained for a limited period (typically up to 90 days) for security and reliability.
  • Transaction records. Retained for as long as required by tax, accounting, and other legal obligations (typically up to seven years).
  • Communications with us. Retained for a reasonable period to respond to inquiries and maintain records.

We may retain limited information beyond these periods where necessary to comply with legal obligations, resolve disputes, or enforce our agreements.

7. Security

We use administrative, technical, and physical safeguards designed to protect your information, including:

  • Encryption in transit (TLS) and at rest (AES-256 or equivalent provided by our cloud platform);
  • Authentication, role-based access controls, and audit logging for internal access;
  • Bot and abuse detection via Firebase App Check and reCAPTCHA Enterprise;
  • Vendor security review and contractual data-protection commitments;
  • Routine review of our security posture.

No method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security. If we learn of a security incident affecting your information, we will notify you and regulators where required by law.

8. International data transfers

Docly is based in the United States, and our service providers may process information in the United States and other countries. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States, where data-protection laws may differ from those of your country.

Where required (for example, transfers from the European Economic Area, the United Kingdom, or Switzerland), we rely on appropriate transfer mechanisms such as the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) or another lawful basis recognized under applicable law.

9. Cookies and similar technologies

We use cookies, local storage, and similar technologies to operate the Service. The categories we use are:

  • Strictly necessary. Required for the Service to function — for example, to keep you signed in, remember your session, and protect against abuse. These cannot be turned off in our system.
  • Functional. Remember preferences such as theme and language.
  • Analytics. Help us understand how the Service is used and improve it. We configure analytics providers to minimize the personal information they receive.

You can control cookies through your browser settings. Blocking strictly necessary cookies will prevent the Service from working correctly. We currently do not use cookies for cross-site advertising.

10. Your choices

  • Access and update. You can review and update your account information from your settings page.
  • Delete documents. You can delete any uploaded document and its analysis at any time from your documents page.
  • Delete your account. You can delete your entire account from your settings page, or follow the steps at www.askdocly.com/delete-account if you no longer have access to the app. This removes your profile, documents, analyses, chats, and storage objects from production systems.
  • Email preferences. You can opt out of marketing emails by clicking the unsubscribe link. Service-related emails (such as security and billing notices) cannot be turned off while you have an account.
  • Browser controls. You can use your browser’s privacy settings to manage cookies and control tracking. We recognize the Global Privacy Control (GPC) signal as a valid opt-out request to the extent required by applicable law.

11. Your rights

11.1 California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), gives you specific rights regarding your personal information. The categories of personal information we have collected, used, and disclosed in the past 12 months are summarized below using CCPA categories.

  • Identifiers (name, email, unique IDs, IP address);
  • Customer-records information (account credentials, billing details);
  • Commercial information (purchase history, document credits);
  • Internet or other electronic network activity (usage and device data);
  • Geolocation data (approximate location derived from IP);
  • Inferences drawn from any of the above (preferences, behavior); and
  • The contents of documents you upload, which may incidentally include sensitive personal information you choose to include.

We collect this information from the sources described in Section 2 and use it for the purposes described in Section 3. We disclose it for business purposes to the categories of recipients described in Section 5. We do not sell or share personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information for any purpose other than those permitted under the CCPA without first providing the right to limit. As a California resident, you have the right to:

  • Know what personal information we have collected, used, disclosed, and (if applicable) sold or shared;
  • Request a copy of specific pieces of personal information we have collected about you;
  • Request correction of inaccurate personal information;
  • Request deletion of personal information, subject to certain exceptions;
  • Opt out of any sale or sharing of personal information (we do not sell or share);
  • Limit our use and disclosure of sensitive personal information;
  • Be free from retaliation for exercising your rights.

You can exercise these rights by emailing support@signalandcostudios.com. We will verify your request using the email address associated with your account or other reasonable means. You may use an authorized agent to submit a request, with proof of authorization. We do not discriminate against you for exercising your rights.

11.2 Other U.S. state privacy laws

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws may have rights similar to the CCPA, including the rights to access, correct, delete, and obtain a portable copy of personal information, and to opt out of certain processing such as targeted advertising, sale, and certain profiling. We do not sell personal information or use it for targeted advertising. To exercise your rights, contact support@signalandcostudios.com. If we deny your request, you may appeal by replying to our response.

11.3 European Economic Area, United Kingdom, and Switzerland

If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation, the UK GDPR, or the Swiss Federal Act on Data Protection (as applicable) gives you the following rights with respect to personal data we hold about you:

  • The right to be informed and to access your personal data;
  • The right to rectification of inaccurate or incomplete data;
  • The right to erasure (the “right to be forgotten”);
  • The right to restrict processing;
  • The right to data portability;
  • The right to object to processing based on legitimate interests or direct marketing;
  • Rights in relation to automated decision-making and profiling that produce legal or similarly significant effects (we do not engage in such automated decision-making);
  • The right to withdraw consent at any time, where processing is based on consent;
  • The right to lodge a complaint with a supervisory authority in your country of residence, place of work, or place of the alleged infringement.

Legal bases. We process personal data on the following bases: (i) performance of a contract with you (to provide the Service); (ii) our legitimate interests in operating, securing, improving, and marketing the Service in a balanced way; (iii) compliance with legal obligations; and (iv) your consent, where applicable. You can ask us about the legal basis for any specific processing.

For purposes of EU/UK data-protection law, Docly is the controller of personal data processed about you. If you have any questions or want to exercise any of these rights, contact support@signalandcostudios.com.

12. Children’s privacy

The Service is intended for adults. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA/UK). If you believe we have collected information from a child without parental consent, contact us at support@signalandcostudios.com and we will take appropriate steps, including deletion.

13. Do Not Track and Global Privacy Control

Some browsers transmit “Do Not Track” (DNT) signals. Because there is no industry-wide standard for DNT, we do not currently respond to DNT signals. We do honor the Global Privacy Control (GPC) signal as an opt-out of sale and sharing where required by applicable law.

14. Third-party links and services

The Service may link to third-party websites or services that are not operated by Docly. This Privacy Policy does not apply to those third parties. We encourage you to review their privacy policies before providing them with information.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service before the changes take effect, where required by law. The “Last updated” and “Effective date” at the top reflect the most recent revision. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

16. Contact us

If you have questions, requests, or complaints about this Privacy Policy or our practices, contact us at:

Signal and Co Studios LLC (operator of Docly)
Email: support@signalandcostudios.com
Postal address: 112 Heatherington Ct, Lanoka Harbor, NJ 08734

EU and UK residents may also lodge a complaint with their local data-protection supervisory authority (for example, the UK Information Commissioner’s Office).