Privacy Policy

Last updated: April 2026

This Privacy Policy describes how DocNado (hereinafter "we", "us" or "the app") collects, processes and protects personal data. We take the protection of your data seriously and only process data that is necessary to provide our services.

1. Data Controller

The data controller for this app is: Guido N., Johanna-Kirchner-Straße 5, 53123 Bonn, Germany. Email: info@docnado.app

2. Data We Collect

We collect and process the following personal data:

  • Account data: Email address, display name, password (stored only as a bcrypt hash, see Section 8). Email confirmation is required during registration.
  • Document data: Documents and scans you create, invoices, items, participants, payment information, images and PDFs of your receipts.
  • PayPal integration (optional): PayPal email address, Payer ID, PayPal.Me username, transaction data (read-only access via OAuth 2.0 only).
  • Technical data: Browser type, device type and push notification endpoint (only when push notifications are active). We do not use tracking; IP addresses are not collected beyond what appears in technical server logs.
  • Encryption data: Salt value, encrypted Data Encryption Key (DEK), RSA public key and encrypted RSA private key are stored server-side. Your master password and unencrypted keys never leave your device.
  • Uploaded documents: Images and PDFs of your receipts are stored encrypted in Supabase Storage (paths: image-scans/ and pdf-scans/). Original files are removed from the server after encryption.
  • Push notifications (optional): Browser push endpoint (push service URL), p256dh and auth keys, user agent string. This data is used exclusively for sending notifications.

3. Legal Basis

The processing of your personal data is based on the following legal grounds: Art. 6 (1) lit. b GDPR (contract fulfillment for providing app features), Art. 6 (1) lit. a GDPR (consent for optional features such as PayPal integration, push notifications and OCR scanning), Art. 6 (1) lit. f GDPR (legitimate interest in maintaining IT security and error diagnosis).

4. Purpose of Processing

Your data is used exclusively for the following purposes:

  • Providing core features: Document management, invoice creation and splitting, calendar, QR-based invoice sharing
  • PayPal integration: Matching payments with your invoices, generating PayPal.Me links
  • Security and protection against misuse of the platform
  • Technical support and error diagnosis for issues
  • AI-powered document recognition (OCR): Automatic extraction of data from uploaded receipts and invoices
  • End-to-end encryption: Protecting your document data through client-side AES-256-GCM and RSA-4096 encryption
  • Push notifications and email reminders: Deadline reminders for invoice due dates and payment reminders

5. PayPal Integration

If you voluntarily link your PayPal account, the following applies:

  • Authentication: DocNado uses PayPal OAuth 2.0 for login. You enter your PayPal credentials only on PayPal's own site; they are never transmitted to us
  • Read-only access: We only receive read access to your transaction history
  • No payment initiation: DocNado cannot automatically trigger payments, transfer money or otherwise modify your PayPal account
  • Data matching: Transaction data is only used to match with your invoices
  • Revocation: You can remove the PayPal link at any time in your profile settings
  • PayPal privacy: For processing by PayPal, the PayPal Privacy Policy applies (https://www.paypal.com/us/webapps/mpp/ua/privacy-full)

6. AI Document Recognition (OCR)

For automatic recognition and data extraction from documents, we use external AI service providers:

  • Primary provider: Datalab (datalab.to) – specialized in document processing. Processing takes place on servers within the EU.
  • Processing purpose: Uploaded receipt images and PDFs are analyzed to automatically extract invoice data (amount, date, merchant, items).
  • No permanent storage: Your image data is not permanently stored by the OCR providers and is deleted immediately after processing.
  • No sharing: Your image data is not shared with third parties or used for other purposes (e.g., model training) by the providers.
  • GDPR compliance: All data processing is fully GDPR-compliant. Data processing agreements (DPAs) are in place with all external service providers.
  • Voluntary: AI recognition is an optional feature. You can always enter document data manually.
  • Encryption: When end-to-end encryption is enabled, the extracted data is encrypted on your device before being stored on the servers.

7. End-to-End Encryption

DocNado offers client-side end-to-end encryption (E2EE) for your documents:

  • Master Key (MK): Derived locally on your device from your password using PBKDF2 (600,000 iterations, SHA-256). The master key never leaves your device and is not stored on our servers.
  • Data Encryption Key (DEK): A random AES-256-GCM key that is encrypted (wrapped) with the master key and stored server-side in wrapped form only. It can be unwrapped only with the master key, i.e. only on your device.
  • File Encryption Key (FEK): An individual AES-256 key is generated per document and wrapped with the DEK. This key separation means that exposing one document's key does not expose the others, and a single document can be shared without disclosing your DEK.
  • RSA-4096-OAEP: An asymmetric key pair for securely sharing documents between users. The public key is stored unencrypted; the private key is encrypted with the master key.
  • Encrypted scope: Document contents (title, description, amounts, location, invoice number, etc.), line items, OCR data and file attachments are encrypted. The server stores only encrypted data.
  • Search index: To enable search over encrypted data, a hash-based search index is created. The original terms cannot be derived from it; like any such index, it does reveal which of your documents share a search term, but not the term itself.
  • Zero-knowledge principle: Even with full server access, we cannot read your document contents. If you lose your password, data recovery by us is not possible.

8. Storage and Security

  • Database: Your data is stored in a PostgreSQL database at Supabase (EU region). Supabase is SOC 2 Type II certified and processes data under a Data Processing Agreement (DPA).
  • Transport encryption: All connections between your browser and our servers are TLS-encrypted (HTTPS).
  • Password hashing: Passwords are hashed with bcrypt and never stored in plain text.
  • Retention period: Data is stored as long as your account is active. After account deletion, your data is completely and irrevocably removed.
  • File storage: Uploaded images and PDFs are stored encrypted in Supabase Storage. File paths are isolated per user (image-scans/{userId}/, pdf-scans/{userId}/).
  • Local storage: Encryption keys are kept locally in IndexedDB (browser) and held in memory for the duration of your session. The local browser cache of the PWA contains no sensitive data.

9. Data Processors

The following service providers process personal data on our behalf (data processing pursuant to Art. 28 GDPR):

  • Vercel Inc. (USA/EU) – Hosting and provision of the app infrastructure. Data processing based on Standard Contractual Clauses. Website: vercel.com
  • Supabase Inc. (USA, servers in EU) – Database, authentication, file storage and real-time updates. SOC 2 Type II certified. Website: supabase.com
  • Datalab (datalab.to, EU) – OCR document recognition. Processing of receipt images for data extraction. Data is deleted immediately after processing.
  • Resend Inc. (USA) – Sending transactional emails (confirmations, reminders). Email address and name are transmitted. Website: resend.com
  • PayPal (Europe) S.à r.l. et Cie, S.C.A. – OAuth integration for transaction matching (only with voluntary linking). Website: paypal.com

10. Cookies and Local Storage

DocNado does not use tracking or advertising cookies. The following technical cookies and local storage are used:

  • Authentication cookies: Supabase sets session cookies (sb-{projectRef}-auth-token) for login. These are httpOnly and secure in production. They are automatically deleted after logout or session expiration.
  • Language preference: A cookie (preferred-locale) stores your selected language (de/en). Validity: 1 year. SameSite: Lax.
  • IndexedDB: Local, encrypted storage of your encryption keys. This data never leaves your device and is not accessible to us.
  • Service Worker (PWA): The Service Worker caches static resources (HTML, CSS, JS) for improved loading times. No personal data is stored in the cache.
  • No tracking: We do not use Google Analytics, Facebook Pixel or similar tracking services. No tracking cookies are set.

11. Push Notifications

If you enable push notifications, the following applies:

  • Push subscription: Your browser generates a push subscription with an endpoint URL and encryption keys (p256dh, auth). This data is stored in our database.
  • VAPID: We use the VAPID protocol (Voluntary Application Server Identification) to authenticate ourselves to your browser's push service.
  • Browser push service: Push messages are delivered via your browser manufacturer's push service (e.g., Google Firebase Cloud Messaging for Chrome, Mozilla Push Service for Firefox). This service can see your IP address.
  • Content: Push notifications do not contain sensitive document contents. They only inform you about upcoming deadlines or activities.
  • Voluntary: Push notifications are completely optional and can be disabled at any time in settings. When disabled, the push subscription is deleted.

12. Sharing with Third Parties

Your personal data is not sold, rented or otherwise shared with third parties, except in the following cases:

  • Data processors: The service providers listed in Section 9 process data strictly according to our instructions and exclusively for the purposes stated in this policy.
  • Shared documents: If you share documents with other users via the sharing feature, they are transmitted encrypted. The recipient only has access to the documents you have shared.
  • Legal obligation: In the event of a legal order (e.g., court ruling), we may be required to disclose data. Document contents protected by end-to-end encryption cannot be read without your key; account, integration and push data as described in Section 2 is not end-to-end encrypted.

13. Your Rights

Under the GDPR, you have the following rights. To exercise them, contact info@docnado.app:

  • Right of access (Art. 15 GDPR): Information about the personal data we store about you
  • Rectification (Art. 16 GDPR): Correction of inaccurate personal data
  • Erasure (Art. 17 GDPR): Deletion of your data. You can delete your account along with all data at any time in your profile settings.
  • Restriction (Art. 18 GDPR): Restriction of the processing of your data
  • Data portability (Art. 20 GDPR): Receiving your data in a structured, commonly used format
  • Objection (Art. 21 GDPR): Objection to the processing of your data
  • Complaint (Art. 77 GDPR): Complaint to a data protection supervisory authority; the authority competent for us is the data protection authority of North Rhine-Westphalia (LDI NRW)
  • Withdrawal of consent (Art. 7 (3) GDPR): Consent you have given (e.g., for PayPal linking or push notifications) can be withdrawn at any time, without affecting the lawfulness of processing carried out before the withdrawal

14. Progressive Web App (PWA)

DocNado is a Progressive Web App (PWA). A Service Worker is installed to improve app performance and enable offline functionality. Data stored locally on your device (cache, IndexedDB for encryption keys) is under your control. You can clear the cache at any time via your browser settings. The PWA stores no sensitive data in the cache.

15. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy when introducing new features or changes to data processing. The current version is always accessible in the app. In the event of significant changes, we will inform you within the app.

16. Contact

For questions about this Privacy Policy or to exercise your rights, please contact: info@docnado.app

docnado • 2026