Privacy Policy
- Effective Date: October 16, 2025
- Last Updated: October 16, 2025
Important: This Privacy Policy applies exclusively to the managed cloud service hosted at dashboard.papra.app (the “Hosted Service”). This Privacy Policy does not apply to self-hosted instances of the Papra open-source software. Self-hosters act as independent data controllers and are solely responsible for their own privacy practices and GDPR compliance.
Papra collects the following personal data:
- Email addresses, names, and authentication details (email/password or Single Sign-On providers such as Google or GitHub).
- Usage and analytics data collected via PostHog (including IP addresses, pages visited, interactions, and usage patterns).
- Documents uploaded by users, including metadata (titles, descriptions, tags) and document content.
2. Purpose of Data Collection
Papra collects data to:
- Provide, operate, and maintain the services offered by Papra.
- Offer user support and address technical issues.
- Analyze usage to continuously improve our services.
- Perform marketing analysis and related activities (via PostHog).
3. Cookies and Tracking Technologies
Papra employs the following types of cookies and tracking technologies:
- Strictly Necessary Cookies: Required for platform functionality, user authentication, and session management. These cannot be disabled.
- Analytics Cookies: PostHog analytics to understand user behavior, track feature usage, and improve service quality. These cookies collect anonymized usage data.
- Performance Cookies: To monitor platform performance and identify technical issues.
You can manage your cookie preferences through your browser settings. However, disabling certain cookies may affect platform functionality. For more information about managing cookies, visit your browser’s help documentation.
4. Data Storage and Security
All data collected by Papra is securely stored within Europe to ensure GDPR compliance. Papra implements industry-standard security measures including:
- Encryption of data in transit (TLS/SSL) and at rest
- Regular security audits and updates
- Access controls and authentication mechanisms
- Secure backup procedures
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.
5. Third-Party Providers
Papra uses the following trusted third-party services to operate and improve the platform:
- Render: Hosting infrastructure and application deployment
- Cloudflare: Document storage, CDN, security, and DDoS protection services
- Turso: Database hosting and management (based on libSQL/SQLite)
- PostHog: Analytics, product insights, and feature usage tracking
- Stripe: Payment processing for subscriptions (does not store card details on Papra servers)
All third-party providers are carefully selected based on their security practices and GDPR compliance. These providers only receive the minimum data necessary to perform their services.
6. Data Sharing and Transfer
Papra does not sell, rent, or trade user data to third parties for marketing purposes. Data sharing is limited to the following circumstances:
- Service Providers: Sharing with third-party providers (listed in Section 5) necessary to operate the platform
- Legal Compliance: When required by law, regulation, legal process, or governmental request
- Protection of Rights: To protect the rights, property, or safety of Papra, our users, or the public
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with advance notice to affected users
International Data Transfers: While all primary data storage occurs within the European Union, some third-party providers may process data outside the EU. In such cases, we ensure appropriate safeguards are in place to protect your data in accordance with GDPR requirements.
7. User Rights (GDPR Compliance)
Under the General Data Protection Regulation (GDPR), users have the following rights:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Correct any inaccurate or incomplete personal data
- Right to Erasure (“Right to be Forgotten”): Request deletion of your personal data under certain conditions
- Right to Restriction: Request that we limit the processing of your personal data in specific circumstances
- Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format
- Right to Object: Object to the processing of your personal data for specific purposes, including direct marketing
- Right to Withdraw Consent: Withdraw your consent at any time where we rely on consent to process your personal data
- Right to Lodge a Complaint: File a complaint with your local data protection authority (in France: CNIL - Commission Nationale de l’Informatique et des Libertés)
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days. You may also access, update, or delete certain information directly through your account settings.
8. Data Retention
Papra retains personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy:
- Active Accounts: Data is retained while your account remains active
- Deleted Accounts: Upon account deletion, user data is permanently deleted within 30 days
- Backups: Backup copies may be retained for up to 90 days after deletion for disaster recovery purposes
- Legal Obligations: Certain data may be retained longer if required by law, regulation, or to resolve disputes
- Anonymous Analytics: Aggregated, anonymized usage data may be retained indefinitely for statistical purposes
9. Changes to Privacy Policy
Papra reserves the right to update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes:
- We will update the “Last Updated” date at the top of this policy
- We will notify users via email to the address associated with their account
- We may display a notification within the platform
- Continued use of the service after changes indicates acceptance of the updated policy
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
10. Legal Basis for Processing (GDPR)
Under GDPR, we process personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide services you’ve requested or to enter into a contract with you
- Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our services, ensuring security, and preventing fraud
- Consent: Where you’ve provided explicit consent for specific processing activities (e.g., marketing communications)
- Legal Obligations: Processing required to comply with legal obligations under EU or member state law
11. Automated Decision-Making and Profiling
Papra does not use automated decision-making or profiling that produces legal effects or similarly significantly affects users. Any analytics performed on user data is for aggregate statistical purposes only and does not result in automated decisions about individual users.
12. Children’s Privacy
Papra does not knowingly collect personal data from individuals under the age of 13 (or the applicable age of digital consent in your jurisdiction). The platform is intended for users aged 13 and above. If we become aware that we have inadvertently collected personal data from a child under this age, we will take steps to delete such information promptly. If you believe we have collected data from a child, please contact us at [email protected].
13. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request information about the categories and specific pieces of personal data we’ve collected
- Right to Delete: Request deletion of your personal data, subject to certain exceptions
- Right to Opt-Out: Opt out of the sale of personal data (Note: Papra does not sell personal data)
- Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights
To exercise these rights, contact us at [email protected]. We will verify your identity before processing requests.
14. Data Protection Officer
As a micro-entrepreneur based in France, Papra is not required to appoint a formal Data Protection Officer (DPO). However, all privacy-related matters are handled directly by Corentin Thomasset, who can be reached at [email protected].
15. Supervisory Authority
If you are located in the European Union and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local supervisory authority:
- France: CNIL (Commission Nationale de l’Informatique et des Libertés) - https://www.cnil.fr/
- You may also contact the supervisory authority in your country of residence
For privacy-related inquiries, to exercise your rights, or to report privacy concerns, please contact:
We aim to respond to all inquiries within 30 days.