Dokmatiq DOKMATIQ

Privacy Policy

Last updated: April 2026

1. Controller

Oliver Lieven
Alfred-Delp-Weg 3
73765 Neuhausen
Germany
Email: support@dokmatiq.com

2. Overview of data processing

Types of data processed

  • Identity data (e.g. name, email address)
  • Usage data (e.g. pages visited, access time)
  • Meta and communication data (e.g. IP address, browser type)
  • Payment data (for paid plans, processed by Stripe)
  • Content data (documents processed via the API)

3. Legal basis

We process personal data based on the following provisions of the GDPR:

  • Performance of a contract (Art. 6(1)(b) GDPR) — provision of the API services and developer portal.
  • Legitimate interests (Art. 6(1)(f) GDPR) — security, abuse prevention and service improvement.
  • Consent (Art. 6(1)(a) GDPR) — where you have given your consent.
  • Legal obligation (Art. 6(1)(c) GDPR) — tax and commercial record-keeping obligations.

4. Hosting

Our website and API are hosted on servers located in Germany. Content data (documents) processed through the API generally does not leave the EU and is not stored persistently after processing unless you explicitly configure retention. An exception applies to Receipt Recognition (AI) — see section 9.

The website loads no resources from external content delivery networks. Fonts, scripts and images are served exclusively from our own servers. In particular, we do not use Google Fonts, Google Analytics or comparable third-party resources that would transmit your IP address to servers outside the EU.

5. Access data and server log files

When accessing our website and API, the following information is automatically stored in server log files:

  • IP address
  • Date and time of the request
  • Requested endpoint / URL
  • HTTP status code
  • Amount of data transferred
  • User agent (browser or client identifier)

This data is used solely to ensure reliable operation and to detect abuse. It is not merged with other data sources. Log files are deleted automatically after 30 days.

6. Developer portal and API usage

Using the DocGen API requires registration in the developer portal. The following data is stored:

  • Email address
  • API keys (hashed)
  • Usage statistics (number of API calls, volume consumed)

The legal basis is performance of a contract (Art. 6(1)(b) GDPR).

7. Payment processing

For paid plans we use Stripe Inc. as our payment processor. Payment data (credit card numbers, IBAN, etc.) is processed exclusively by Stripe and is not stored on our servers. Stripe's privacy policy applies.

8. Document processing

Documents processed through the DocGen API are held in memory only for the duration of processing. Input and output data are deleted after the result is delivered, unless you have explicitly configured storage.

We do not access the content of your documents and do not use them for analytics or training purposes.

9. Receipt Recognition (AI) — data processing outside the EU

The receipt recognition feature uses AI models (large language models) that may be operated by third-party providers outside the European Union. When using this feature, uploaded receipt data (images or PDFs of receipts, invoices and bills) is transmitted to the respective AI provider, processed there, and the extracted structured data is returned to Dokmatiq.

Important notes:

  • The transmitted data is not used for training purposes by the AI provider.
  • Data is processed solely for the analysis of the respective receipt and is not stored persistently by the provider.
  • Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR serve as the basis for data transfers to third countries.

Receipt recognition can only be used after you have acknowledged and accepted this data processing arrangement in the developer portal. The feature is not available without this consent.

The legal basis is consent (Art. 6(1)(a) GDPR) in conjunction with Art. 49(1)(a) GDPR.

10. Cookies

The Dokmatiq website does not use tracking cookies or third-party analytics tools. Functional cookies (e.g. session cookies in the developer portal) are used solely for technical operation.

11. Web analytics (Umami)

To analyse how our website is used we run the open-source software Umami, which we self-host on our own servers in Germany under the subdomain analytics.dokmatiq.com. No cookies are set and no personal data is transferred to third parties.

Umami only stores anonymised, aggregated data (e.g. pages visited, country of origin at country level, browser and device type, referrer). IP addresses are not stored; visitors are counted pseudonymously via a daily rotating hash, so recognition beyond a single day is not possible.

The legal basis is our legitimate interest in statistical analysis to improve our service (Art. 6 (1) (f) GDPR). As no cookies or comparable identification technologies are used, consent under § 25 (1) TDDDG / Art. 5 (3) ePrivacy Directive is not required.

12. Your rights

You have the right to:

  • Access data stored about you (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure of your data (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Object to processing (Art. 21 GDPR)

To exercise your rights, please contact support@dokmatiq.com.

13. Right to lodge a complaint

You have the right to lodge a complaint with a data protection supervisory authority regarding the processing of your personal data (Art. 77 GDPR).

14. Changes

We reserve the right to update this privacy policy to reflect changes in the law or our services. The current version published on this page applies.