Last updated: April 17, 2026

Privacy Policy

This Privacy Policy explains how Tomedio Tomasz Bajorek, operating under the brand name "Doxtly" ("we", "us", "our", or "Service Provider"), collects, uses, stores, discloses, and protects personal data when you access or use our platform, websites, and services. It applies to all users of the Doxtly platform available at https://app.doxtly.com, visitors to our website at doxtly.com, and individuals who interact with forms created by our customers through the Platform. Please read this Privacy Policy carefully before using our services.

This Privacy Policy is incorporated into and should be read in conjunction with our Terms and Conditions. By creating an account, using our services, or interacting with our platform, you acknowledge that you have read and understood this Privacy Policy.

In this Privacy Policy, "you" refers to those who use and/or interact with any or all of our products, services, and websites. "Customer" refers specifically to those who create an account and use Doxtly services. "User" refers to any individual who accesses or uses the Platform under a Customer's account. "Form Respondent" refers to those who fill in and/or submit forms created by our Customers.

1. Definitions

For the purposes of this Privacy Policy, the following definitions apply. Terms not defined here have the meanings assigned to them in our Terms and Conditions.

"Personal Data" — any information relating to an identified or identifiable natural person ("data subject"), as defined by the General Data Protection Regulation (GDPR). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
"Processing" — any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Customer" — any individual or legal entity that creates an account on the Platform and enters into an agreement with the Service Provider under the Terms and Conditions.
"User" — any individual who accesses or uses the Platform under a Customer's account, including the Customer themselves and any authorized team members.
"Form Respondent" — any individual who fills in, completes, or submits a form created by a Customer through the Platform.
"Customer Data" — any data, files, documents, templates, form submissions, content, and other information uploaded, created, or processed by the Customer or Users through the Platform.
"Platform" — the Doxtly cloud-based software application available at https://app.doxtly.com, including all related interfaces, APIs, and functionalities.
"Services" — all services provided by the Service Provider through the Platform, including document generation, form building, workflow automation, email template design, cloud storage integration, and API access.
"Website" — the informational website located at doxtly.com and any related subdomains.
"Third-Party Services" — external services integrated with the Platform, including but not limited to Google Drive, OneDrive, and Stripe.

2. Information We Collect

We collect different categories of Personal Data depending on how you interact with our Services. Below we describe the types of information we collect from each category of individuals.

2.1. Information from Customers and Users

When you register for an account, use the Platform, or interact with our Services, we may collect the following information:

Registration information — your name, email address, and password when you create an account on the Platform.
Billing information — your name, billing address, and payment details (such as credit card number and expiration date) when you subscribe to a paid Subscription Plan. Payment processing is handled exclusively by Stripe, a PCI DSS-compliant third-party payment processor. We do not store or have direct access to your full credit card number or financial account details — they are securely processed and stored by Stripe in accordance with PCI DSS standards.
Account settings and preferences — your preferences, language settings, timezone, notification preferences, and communication preferences configured within the Platform.
Customer Data — documents, document templates (Word/DOCX and SVG), form configurations, form submissions, workflow definitions, email templates, and any other content you create, upload, or process through the Platform. We treat your Customer Data as private and do not access it except as necessary to provide the Services, provide customer support at your request, ensure security and integrity of the Platform, or comply with legal obligations.
Cloud integration data — when you connect your Google Drive or OneDrive account, we collect authentication tokens and limited account information necessary to store generated documents in your cloud storage. We do not access files in your cloud storage beyond what is necessary to perform the integration functionality you have requested.
Communications — information you provide when you contact our customer support, submit feedback, report issues, or otherwise communicate with us, including the content of your messages, any attachments, and your contact details.

2.2. Information Collected Automatically

When you visit our Website or use the Platform, we automatically collect certain information about your device and usage patterns:

Usage data — information about how you interact with our Services, including pages visited, features used, actions taken (such as creating templates, generating documents, building forms, or configuring workflows), timestamps, session duration, and click patterns.
Device data — your IP address, browser type and version, operating system and version, device type, screen resolution, and language settings. We may also infer your approximate geographic location based on your IP address.
Referral data — if you arrive at our Website from an external source (such as a link on another website, a search engine, or an email), we may record information about the source that referred you to us.
Log data — our servers automatically record information from each request, including originating IP addresses, request timestamps, URLs accessed, HTTP methods and status codes, user agent strings, and response times. Log files are maintained for security, troubleshooting, and compliance purposes.

2.3. Information from Form Respondents

When you fill in or submit a form created by one of our Customers through the Platform, we collect and store the form responses on behalf of that Customer. The specific Personal Data collected depends entirely on how the Customer has configured their form — we do not determine what information is requested from Form Respondents.

The Customer who created the form is the data controller for form submission data and is responsible for:

Determining what information is collected through their forms.
Providing you with appropriate privacy notices before or at the time of data collection.
Obtaining any necessary consents for the collection and processing of your Personal Data.
Ensuring that the collection of data through their forms complies with applicable data protection laws.

If you have questions about a specific form or how your responses will be used, please contact the Customer who provided you with the form directly, as Doxtly is not responsible for the content of that form.

We do not use Form Respondent data for our own purposes unrelated to providing the Services. We do not sell Form Respondent data. We do not use contact details collected through our Customers' forms to contact Form Respondents independently.

2.4. Information from Third Parties

We may receive limited information about you from third-party services that you or your account administrator choose to integrate with the Platform:

Google Drive — when you connect your Google Drive account, we receive authentication tokens and basic account information (such as your email address) necessary to store generated documents in your Google Drive. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
OneDrive — when you connect your OneDrive account, we receive authentication tokens and basic account information necessary to store generated documents in your OneDrive.
Stripe — our payment processor may provide us with limited information about the status of your payments and subscription, such as payment confirmation, subscription status, and billing-related notifications.

We only collect information from third parties that is necessary to provide the requested integration functionality.

3. How We Use Your Information

We use the Personal Data we collect for the following purposes:

3.1. Providing and Maintaining the Services

To create and manage your account on the Platform.
To provide, operate, and maintain the Platform and all its features, including document generation from Word and SVG templates, form building and submission collection, workflow automation, email template design and sending, and cloud storage integrations with Google Drive and OneDrive.
To process payments and manage subscriptions through our payment processor, Stripe.
To provide customer support and respond to your inquiries, troubleshoot technical issues, and resolve disputes.
To send you service-related communications, including account notifications, security alerts, billing information, password reset notices, and updates about the Services. These communications are necessary for the provision of the Services and cannot be opted out of while you maintain an active account.
To authenticate your identity and manage access to the Platform, including through two-factor authentication (available on paid plans).

3.2. Improving and Developing the Services

To analyze usage patterns and trends in order to understand how our Services are used and to identify areas for improvement.
To monitor and improve the performance, reliability, stability, and security of the Platform.
To develop new features, products, and services based on aggregated usage insights.
To conduct internal research and analytics using aggregated or anonymized data that does not identify individual users.
To test and monitor the Services, diagnose or fix technical issues, and optimize the user experience.

3.3. Security and Compliance

To protect the security and integrity of the Platform, including detecting, preventing, and responding to fraud, abuse, security incidents, and technical issues.
To screen for and prevent undesirable or abusive activity, such as phishing, spam, or unauthorized access attempts.
To maintain audit logs of system activities for security monitoring and incident investigation purposes.
To enforce our Terms and Conditions and other applicable policies.
To comply with applicable legal obligations, regulations, and lawful requests from public authorities.

3.4. Communications

To send you service-related communications that are necessary for the operation of your account. You cannot opt out of these communications while you maintain an active account, as they are essential to the provision of the Services.
With your explicit consent, to send you marketing and promotional communications about our products, services, new features, and offers. You may opt out of marketing communications at any time by clicking the "unsubscribe" link in any marketing email or by contacting us at contact@doxtly.com.

3.5. Aggregated and Anonymized Data

We may generate aggregated, de-identified, or anonymized data from the information we collect. Such data does not identify any individual and is not considered Personal Data under applicable data protection laws. We may use this data for any lawful business purpose, including analytics, benchmarking, research, improving our Services, and publishing statistical observations. When we do this, neither individual Customers nor Form Respondents will be identified or identifiable.

4. Legal Basis for Processing

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your Personal Data only where we have a valid legal basis to do so under the General Data Protection Regulation (GDPR) or equivalent applicable legislation. The legal bases we rely on include:

4.1. Performance of a Contract

Processing is necessary to perform our contractual obligations to you under the Terms and Conditions, including providing the Services, managing your account, processing payments, and providing customer support. This legal basis applies when you create an account and agree to our Terms and Conditions.

4.2. Legitimate Interests

Processing is necessary for our legitimate interests or the legitimate interests of a third party, provided that such interests are not overridden by your data protection rights and fundamental freedoms. Our legitimate interests include:

Improving, maintaining, and securing our Services and Platform.
Understanding how our Services are used through analytics and usage monitoring.
Preventing fraud, abuse, and unauthorized access.
Conducting internal research and development.
Protecting the security of our IT infrastructure.
Establishing, exercising, or defending legal claims.

4.3. Consent

Where required by law, we process your Personal Data based on your freely given, specific, informed, and unambiguous consent. This applies, for example, to marketing communications and certain cookie-based tracking. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal. To withdraw consent, please contact us at contact@doxtly.com or use the specific opt-out mechanism provided (such as the "unsubscribe" link in marketing emails).

4.4. Legal Obligation

Processing is necessary to comply with a legal obligation to which we are subject, such as tax regulations, accounting requirements, anti-money laundering obligations, or responding to lawful requests from courts, law enforcement, or other public authorities with proper jurisdiction.

5. Disclosure of Personal Information

We do not sell, rent, or trade your Personal Data to third parties for their own marketing or commercial purposes. We may disclose your Personal Data only in the following limited circumstances:

5.1. Service Providers

We engage trusted third-party service providers to help us operate and improve our Services. These providers have access to your Personal Data only to the extent necessary to perform their services on our behalf and are contractually obligated to protect your data, use it only as instructed by us, and handle it in accordance with this Privacy Policy and applicable data protection laws. Our service providers include:

Stripe — for secure payment processing and subscription management. Stripe is certified as a PCI DSS Level 1 Service Provider.
Cloud hosting providers — for hosting the Platform infrastructure and storing data on secure servers.
Email delivery services — for sending transactional emails (such as account notifications and password resets) and, where applicable, marketing communications.
Analytics providers — for understanding usage patterns and improving our Services through aggregated and anonymized data analysis.

5.2. Legal Requirements and Law Enforcement

We may disclose your Personal Data if we are required to do so by law, regulation, legal process, subpoena, court order, or enforceable governmental request. We carefully review each legal request for information and, where we do produce Personal Data, we endeavor to produce only that information which is actually required. We may also disclose your data if we believe in good faith that disclosure is necessary to:

Comply with applicable law, regulation, or court order.
Protect the rights, property, or safety of the Service Provider, our users, or the public.
Detect, prevent, or address fraud, security issues, or technical problems.
Enforce our Terms and Conditions or other applicable agreements.
Prevent potentially illegal activities.

5.3. Business Transfers

If the Service Provider undergoes a merger, acquisition, reorganization, sale of all or substantially all of its assets, or any other change in business ownership or structure, your Personal Data may be transferred to the successor entity as part of that transaction. We will notify you of any such change by email or by a prominent notice on our Website before your Personal Data becomes subject to a different privacy policy. You expressly consent to such transfer in connection with any such event.

5.4. With Your Consent

We may disclose your Personal Data to third parties when you have given us your explicit consent to do so. You may later revoke such consent, but if you wish to stop receiving communications from a third party to which we provided your information with your permission, you will need to contact that third party directly.

5.5. Aggregated or Anonymized Data

We may share aggregated, de-identified, or anonymized data that does not reasonably identify any individual with third parties for analytics, research, industry benchmarking, or other business purposes. Such data is not considered Personal Data under this Privacy Policy or applicable data protection laws.

5.6. Account Details to Billing Contact

If your account holder details are different from the billing contact listed for your account, we may disclose your identity and account details to the billing contact upon their request. We will typically attempt to notify you of such requests.

6. Third-Party Services and Integrations

The Platform enables integration with Third-Party Services, including Google Drive, OneDrive, and Stripe. When you enable an integration, certain data may be exchanged between the Platform and the Third-Party Service as necessary to provide the requested functionality. By enabling an integration, you authorize us to access and transmit data between the Platform and the Third-Party Service as described in this Privacy Policy and our Terms and Conditions.

Your use of Third-Party Services is governed by the respective terms and privacy policies of those providers. We do not own or operate Third-Party Services and are not responsible for their privacy practices, data processing, availability, security, or accuracy. We encourage you to carefully review the privacy policies and terms of any Third-Party Services you connect to the Platform before providing any Personal Data.

6.1. Google Drive Integration

If you choose to integrate your Google Drive account with the Platform, we will access your Google Drive solely to store generated documents in the location you specify. We do not read, modify, or delete any other files in your Google Drive. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

We only use access to Google Drive to store documents generated through the Platform, as requested by you.
We do not transfer Google user data to others unless doing so is necessary to provide and improve the integration, comply with applicable law, or as part of a merger, acquisition, or sale of assets.
We do not use Google user data for serving advertisements.
We do not allow humans to read Google user data unless we have your affirmative agreement for specific data, doing so is necessary for security purposes such as investigating abuse, to comply with applicable law, or for our internal operations when the data have been aggregated and anonymized.

6.2. OneDrive Integration

If you choose to integrate your OneDrive account with the Platform, we will access your OneDrive solely to store generated documents in the location you specify. We do not read, modify, or delete any other files in your OneDrive.

6.3. Stripe Integration

We use Stripe as our payment processor for all paid Subscription Plans. When you provide payment information, it is transmitted directly to Stripe's secure servers. We do not store your full credit card number or sensitive payment details on our servers. Stripe's privacy policy governs the processing of your payment data by Stripe.

6.4. Third-Party Links

Our Website and Platform may contain links to third-party websites or services that we do not own or operate. We are not responsible for the content, privacy practices, or data processing of those websites or services. Clicking on a third-party link will take you away from our Website, and this Privacy Policy will no longer apply. We recommend reviewing the privacy policies of any third-party websites before providing any Personal Data.

7. International Data Transfers

The Service Provider is based in Kraków, Poland (a member state of the European Union). The Platform's servers are located in the United States. If you are accessing the Services from outside the United States, including from the European Economic Area (EEA), the United Kingdom, or Switzerland, please be aware that your Personal Data will be transferred to, stored, and processed in the United States.

We take appropriate measures to ensure that your Personal Data receives an adequate level of protection in the jurisdictions in which we process it, regardless of where it is transferred. For transfers of Personal Data from the EEA, the United Kingdom, or Switzerland to the United States or other countries not deemed to provide an adequate level of data protection, we rely on the following safeguards:

Standard Contractual Clauses (SCCs) — as approved by the European Commission (and, where applicable, the UK Information Commissioner's Office), to ensure that Personal Data transferred outside the EEA or UK is adequately protected. These clauses impose contractual obligations on the data exporter and data importer to protect the privacy and security of the transferred data.
Contractual safeguards with service providers — we enter into data processing agreements with our service providers that require them to protect Personal Data in accordance with applicable data protection laws and to process it only as instructed by us.
Technical and organizational measures — we implement appropriate technical and organizational security measures to protect Personal Data during and after transfer, including encryption in transit and at rest.

By using the Platform, you acknowledge and consent to the transfer and processing of your Personal Data in the United States and other jurisdictions as described in this Privacy Policy, in accordance with applicable data protection laws. If you have questions about the specific safeguards applied to your data transfers, please contact us at contact@doxtly.com.

8. Data Retention

We retain your Personal Data for as long as necessary to fulfill the purposes for which it was collected, including to provide the Services, comply with our legal and contractual obligations, resolve disputes, enforce our agreements, and protect ourselves from potential disputes. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process it, and the applicable legal requirements.

Specifically:

Account data — we retain your account information (name, email, preferences) for as long as your account is active. If you close your account, we will delete your Personal Data within 60 days, except where retention is required by applicable law or to establish, exercise, or defend legal claims.
Customer Data — upon termination of your account, we retain your Customer Data for up to 60 days to allow you to export it through the Platform's export functionality or via the REST API. After this period, Customer Data is permanently deleted from our systems, unless retention is required by applicable law.
Billing and transaction data — we retain billing records, invoices, and transaction information for as long as required by applicable tax and accounting regulations (typically 5–10 years depending on the jurisdiction).
Usage and log data — we retain usage data and server logs for a reasonable period necessary for analytics, security monitoring, troubleshooting, and compliance purposes.
Marketing consent records — we retain records of your marketing consent or opt-out preferences for as long as necessary to comply with applicable laws and to honor your preferences.
Support communications — we retain customer support correspondence for a reasonable period to provide ongoing support, improve our Services, and maintain records of our interactions.
Form submission data — form submissions are retained as part of Customer Data and are subject to the same retention policies. The Customer (form creator) determines the retention period for their form data.

When Personal Data is no longer needed for the purposes described above, we securely delete or irreversibly anonymize it in accordance with our data retention policies and applicable law.

9. Data Security

We implement appropriate technical and organizational measures to protect your Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. We are committed to maintaining the security and confidentiality of your data. Our security measures include:

Encryption at rest and in transit — all Personal Data is encrypted both at rest (when stored on our servers) and in transit (when transmitted between your device and our servers) using industry-standard encryption protocols (TLS/SSL for data in transit, AES-256 or equivalent for data at rest).
Access controls and role-based permissions — access to Personal Data is restricted to authorized personnel on a strict need-to-know basis. We implement role-based access controls to ensure that staff can only access data necessary for their specific job functions.
Two-factor authentication (2FA) — available on paid Subscription Plans (Starter and Pro) to provide an additional layer of account security beyond username and password.
Audit logging — system activities and access to sensitive data are logged for security monitoring, incident investigation, and compliance purposes. Audit logs help us detect and respond to unauthorized access attempts.
Regular security assessments — we conduct regular reviews, assessments, and updates of our security practices, infrastructure, and software to identify and address potential vulnerabilities.
Secure software development practices — we follow secure software development lifecycle (SDLC) practices to minimize vulnerabilities in the Platform, including code reviews, dependency management, and security testing.
Infrastructure security — our hosting infrastructure is protected by firewalls, intrusion detection systems, and other network security measures. We use reputable cloud hosting providers that maintain their own comprehensive security certifications and practices.
Employee security — our staff with access to Personal Data are bound by confidentiality obligations and receive appropriate training on data protection and security practices.

While we strive to protect your Personal Data using commercially reasonable security measures, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your data. You are responsible for maintaining the confidentiality of your account credentials (including your password) and for notifying us immediately at contact@doxtly.com if you become aware of any unauthorized access to or use of your account.

10. Cookies and Tracking Technologies

We use cookies and similar technologies on our Website and Platform to provide, secure, and improve our Services. Cookies are small text files placed on your device by your web browser when you visit a website.

10.1. Types of Cookies We Use

Strictly necessary cookies — these cookies are essential for the operation of our Website and Platform. They enable core functionality such as user authentication, session management, security features (including CSRF protection), and load balancing. You cannot opt out of strictly necessary cookies, as the Services cannot function properly without them.
Analytics and performance cookies — these cookies help us understand how visitors interact with our Website and Platform by collecting information about pages visited, time spent on pages, error messages encountered, and other usage statistics. This data is collected in aggregate form and is used to improve our Services and user experience.
Functionality and preference cookies — these cookies remember your settings and preferences, such as language selection, timezone, display options, and other customization choices, to provide a more personalized and consistent experience across sessions.

10.2. Managing Cookies

Most web browsers allow you to control cookies through their settings. You can typically configure your browser to:

Refuse all cookies.
Accept only certain types of cookies.
Notify you when a cookie is being set.
Delete cookies that have already been set.

Please note that disabling or blocking certain cookies may affect the functionality of our Website and Platform, and some features may not work as intended.

For more information about cookies and how to manage them, visit www.allaboutcookies.org.

10.3. Web Beacons and Similar Technologies

Emails sent by Doxtly or by Customers through our email template functionality may include web beacons (also known as tracking pixels) that allow the sender to collect information about who opened those emails and clicked on links in them. This is done to measure the performance of email communications and to improve email deliverability. Customers who use our email template feature are responsible for providing appropriate privacy notices to their email recipients.

11. Your Rights

Depending on your location and applicable data protection laws (including the GDPR, the UK GDPR, and other national data protection legislation), you may have the following rights regarding your Personal Data:

Right of access (Article 15 GDPR) — you have the right to request confirmation of whether we process your Personal Data and, if so, to request a copy of the Personal Data we hold about you, together with information about how we process it, the purposes of processing, the categories of data concerned, and the recipients to whom data has been disclosed.
Right to rectification (Article 16 GDPR) — you have the right to request that we correct any inaccurate Personal Data we hold about you and to have incomplete Personal Data completed.
Right to erasure ("right to be forgotten") (Article 17 GDPR) — you have the right to request that we delete your Personal Data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected, when you withdraw consent (where consent is the legal basis), or when the data has been unlawfully processed. This right is subject to certain exceptions, such as where we are required to retain data for legal compliance or to establish, exercise, or defend legal claims.
Right to restriction of processing (Article 18 GDPR) — you have the right to request that we restrict the processing of your Personal Data in certain circumstances, such as when you contest the accuracy of the data, when the processing is unlawful but you oppose erasure, or when you have objected to processing pending verification of our legitimate grounds.
Right to data portability (Article 20 GDPR) — you have the right to receive your Personal Data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance, where technically feasible. This right applies where processing is based on consent or contract performance and is carried out by automated means.
Right to object (Article 21 GDPR) — you have the right to object to the processing of your Personal Data where we rely on legitimate interests as the legal basis. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims. You have an absolute right to object to processing for direct marketing purposes at any time.
Right to withdraw consent — where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Right not to be subject to automated decision-making (Article 22 GDPR) — you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where such processing is necessary for a contract, authorized by law, or based on your explicit consent.
Right to lodge a complaint — you have the right to lodge a complaint with a supervisory data protection authority in your jurisdiction if you believe that our processing of your Personal Data violates applicable data protection laws. For individuals in the EEA, a list of data protection authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. For individuals in Poland, the relevant authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych — UODO), ul. Stawki 2, 00-193 Warszawa, https://uodo.gov.pl. For individuals in the UK, the relevant authority is the Information Commissioner's Office (ICO), https://ico.org.uk.

11.1. How to Exercise Your Rights

To exercise any of the rights described above, please contact us at contact@doxtly.com. We will respond to your request within one calendar month of receipt, as required by the GDPR. In certain circumstances (for example, where requests are complex or numerous), we may extend this period by up to two additional months, in which case we will inform you of the extension and the reasons for it within the initial one-month period.

We may require you to verify your identity before processing your request, to ensure that we do not disclose Personal Data to unauthorized persons. If you have an account with us, we may verify your identity through your account login. If you do not have an account, we may request additional information to confirm your identity.

Certain Personal Data may be exempt from such requests under applicable law, for example where we need to retain data to comply with legal obligations, to establish, exercise, or defend legal claims, or where the data has been anonymized.

We provide these rights free of charge. However, if your requests are manifestly unfounded or excessive (in particular because of their repetitive character), we may charge a reasonable fee or refuse to act on the request, as permitted by applicable law.

11.2. Form Respondent Rights

If you are a Form Respondent and wish to exercise your data protection rights regarding data submitted through a form created by one of our Customers, please contact the Customer (form creator) directly. The Customer is the data controller for form submission data and is responsible for handling data subject requests. If you contact us directly, we will make reasonable efforts to redirect your request to the relevant Customer or advise you on how to contact them.

11.3. Marketing Opt-Out

You may opt out of receiving marketing communications from us at any time by:

Clicking the "unsubscribe" link in any marketing email we send you.
Contacting us at contact@doxtly.com.

Opting out of marketing communications does not affect service-related communications that are necessary for the operation of your account. We may send you one confirmation message to verify your opt-out request.

12. Data Controller and Data Processor

Under the General Data Protection Regulation (GDPR) and other applicable data protection laws, different roles apply depending on the context of data processing. Below we explain how these roles apply to our Services.

12.1. Doxtly as Data Controller

The Service Provider (Tomedio Tomasz Bajorek, with its registered office in Kraków, Poland) acts as the data controller for the Personal Data of Customers, Users, Website visitors, and prospective customers. This includes:

Registration and account information.
Billing and payment information (to the extent processed by us, as distinct from data processed directly by Stripe).
Account settings and preferences.
Usage data, device data, and log data.
Communications and support correspondence.
Cookie and tracking data collected through our Website.

As the data controller, we determine the purposes and means of processing this data and are responsible for complying with applicable data protection laws, including the GDPR.

The Service Provider can be contacted regarding data protection matters at: contact@doxtly.com.

12.2. Doxtly as Data Processor

The Service Provider acts as a data processor for Customer Data, including form submissions collected through forms created by our Customers, documents generated on behalf of Customers, and any other content that Customers upload, create, or process through the Platform. We process this data on behalf of and under the documented instructions of the Customer (who acts as the data controller), in accordance with our Terms and Conditions and any applicable data processing agreements.

Our Customers are solely responsible for:

Determining the types of Personal Data collected through their forms, documents, and other Platform features.
Providing appropriate privacy notices to Form Respondents and other individuals whose data they process through the Platform.
Obtaining any necessary consents for the collection and processing of Personal Data.
Ensuring a valid legal basis for processing Personal Data through the Platform.
Ensuring that their use of the Platform complies with applicable data protection laws, including the GDPR.
Responding to data subject access requests from Form Respondents and other individuals whose data they control.

If you would like to make any requests or queries regarding Personal Data we process as a data processor on our Customer's behalf, please contact the Customer directly.

13. Information for Form Respondents

This section provides specific information for individuals who fill in or submit forms created by Doxtly Customers through the Platform.

When you submit a form, the Personal Data you provide belongs to you unless you have given rights in that information to the Customer who provided you with the form. The form submission data is managed by the form creator (the Customer). Doxtly treats that information as private unless the Form Respondent and/or Customer has made it publicly available.

Please contact the form creator directly to understand how they use your form responses. Some form creators may provide you with a privacy policy or notice at the time you complete their form, and we encourage you to review that to understand how the form creator will handle your responses.

Whether your form responses are anonymous depends on how the Customer has configured the form. Even if a form is configured to collect responses anonymously, specific questions in the form may still ask you for Personal Data that could be used to identify you.

We do not sell Personal Data gathered from form responses. We will not use any contact details collected in our Customers' forms to contact Form Respondents for our own purposes.

14. Children's Privacy

Our Services are not designed for, directed at, or marketed to children under the age of 18 (or the age of legal majority in the applicable jurisdiction). We do not knowingly collect Personal Data from children. If you are a parent or guardian and believe that your child has provided us with Personal Data without your consent, please contact us immediately at contact@doxtly.com.

If we become aware that we have collected Personal Data from a child without verified parental consent, we will take steps to delete that information from our systems promptly, except where retention is required for legal purposes. If you are under 18, please do not use our Services or provide us with any Personal Data.

15. Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no universally accepted standard for how to respond to DNT signals, we do not currently respond to or alter our practices when we receive DNT signals from your browser. However, you can manage your cookie preferences through your browser settings as described in Section 10 of this Privacy Policy.

16. No Sale of Personal Information

We do not sell, rent, lease, or trade your Personal Data to any third party for monetary or other valuable consideration. We do not share your Personal Data with third parties for their own direct marketing purposes. We may disclose aggregate demographic and statistical information with business partners, but this information does not identify you as an individual.

17. Automated Decision-Making

We do not use your Personal Data for automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you. Our Services do not make decisions about you based solely on automated processing without human involvement.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We regularly review this Privacy Policy to ensure it remains accurate and up to date.

When we make material changes to this Privacy Policy, we will notify you by one or more of the following methods:

Sending an email to the address associated with your account.
Posting a prominent notice on our Website or within the Platform.
Displaying a notification when you next log in to the Platform.

We will provide such notice at least 30 days before the material changes take effect, unless a shorter notice period is required by applicable law.

Non-material changes, such as corrections of typographical errors or clarifications that do not affect your rights or obligations, may be made without prior notice.

Your continued use of the Services after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated Privacy Policy, you should stop using the Services and close your account before the changes take effect.

We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your data. The "Last updated" date at the top of this page indicates when this Privacy Policy was last revised.

19. Governing Law

This Privacy Policy shall be governed by and construed in accordance with the laws of the Republic of Poland, without regard to its conflict of laws provisions, and in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection legislation.

Any disputes arising out of or in connection with this Privacy Policy shall be submitted to the exclusive jurisdiction of the courts competent for the city of Kraków, Poland, without prejudice to your right to lodge a complaint with a supervisory data protection authority or to bring proceedings before the courts of the EU member state in which you are domiciled.

20. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy, our data processing practices, or if you wish to exercise any of your data protection rights, please contact us:

Tomedio Tomasz Bajorek

Kraków, Poland

Email: contact@doxtly.com

Website: doxtly.com

We will make every effort to respond to your inquiry in a timely manner and within the timeframes required by applicable law. For data protection inquiries, we will respond within one calendar month of receipt, as required by the GDPR.

If you are not satisfied with our response to your complaint or inquiry, you have the right to lodge a complaint with the relevant supervisory data protection authority, as described in Section 11 of this Privacy Policy.