Docjust Inc. (“Docjust,” “we,” “us,” or “our”) is a Canadian company that provides an identity-verification and electronic-signature platform (the “Services”). This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with the Services.

By using the Services, you acknowledge the practices described in this Privacy Policy.

01

How this policy applies

The Services are designed for business use. The people whose information we handle generally fall into two groups:

  • Customers and Authorized Users – the organizations that create an account with Docjust and the individuals (employees, contractors) they authorize to log in and use the Services.
  • End-Users – the individuals who are asked to verify their identity or sign documents through the Services because a Customer has sent them an IDV or eSig request.

When a Customer uses the Services to collect information from an End-User, the Customer is the organization primarily responsible for that End-User's personal information. Docjust processes that information on the Customer's behalf and in accordance with this Policy and our Terms of Service.

02

Personal information we collect

Information from Customers and Authorized Users

When you sign up for, or use, the Services, we collect:

  • Account information: name, email address, company name.
  • Profile information you choose to add in account settings.
  • Usage information: actions taken in the Services, such as requests sent, settings changed, and documents downloaded.
  • Device and technical information: IP address, browser type, operating system, and similar technical data collected automatically when you use the Services.
  • Support communications: messages you send us through the in-app support form, phone, or by email.

Information from End-Users

When a Customer initiates an IDV or eSig request, we may collect the following information about the End-User through the Services:

  • Identifying information submitted by the Customer, such as the End-User's name and email address, and, where relevant, a file or reference number.
  • Identity-verification information, which may include government-issued identity document images (front/back), extracted document fields (such as name, date of birth, document number, expiry, issuing country), and biometric information (selfie and liveness images) used to confirm the End-User is a real, live person matching the document.
  • Electronic-signature information, including the End-User's name, email, signature image or typed signature, signing timestamps, IP address, browser/user agent, and other audit-trail data captured during the signing ceremony.
  • Consent records, including the date and time consent was provided for biometric verification.

Cookies and similar technologies

We use a small number of cookies and similar technologies that are necessary for the Services to function, including:

  • Authentication cookies that keep you signed in.
  • Security tokens that protect against unauthorized requests.

We do not rely on the use of third-party advertising cookies or analytics services that profile individual users.

03

Why we collect personal information

We collect and use personal information for the following purposes:

  • To create and administer Customer accounts.
  • To authenticate users and secure the Services.
  • To carry out identity-verification and electronic-signature workflows initiated by Customers.
  • To deliver emails and notifications related to the Services (for example, verification links, signing invitations, and reminders).
  • To process payments and manage billing.
  • To provide customer support.
  • To monitor and improve the security, performance, and reliability of the Services.
  • To detect, investigate, and prevent fraud, misuse, and violations of our Terms of Service.
  • To comply with legal obligations, including tax, accounting, and record-keeping requirements.
  • To send you product updates and announcements about the Services (see “Product updates and unsubscribing” below).

We do not sell personal information. We do not use personal information – including biometric information – to train artificial-intelligence or machine-learning models, and we do not rent or share personal information for third-party marketing.

Product updates and unsubscribing

By creating an account, you agree to receive product updates and announcements from Docjust. You can unsubscribe at any time by clicking the unsubscribe link in any message or by emailing support@docjust.com. Transactional messages (such as verification links, signing invitations, and account notices) are required to operate the Services and are not subject to unsubscribe.

04

How we share personal information

Service providers

We use select providers to deliver certain Services. Each operates under the mandate to safeguard personal information consistent with these privacy standards and applicable law. Our service providers handle personal information only as necessary to perform their services for us. We select providers that maintain industry-recognized security certifications such as SOC 2 and ISO 27001.

While we select providers that maintain industry-recognized security practices and utilize them with appropriate safeguards, we are not responsible for the independent acts or omissions of third-party providers beyond our reasonable control.

Legal and safety disclosures

We may disclose personal information when we reasonably believe it is necessary to:

  • comply with a law, regulation, legal process, or enforceable governmental request;
  • enforce our Terms of Service or investigate potential violations;
  • detect, prevent, or address fraud, security, or technical issues; or
  • protect the rights, property, or safety of Docjust, our Customers, End-Users, or the public.

Business transfers

If Docjust is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction, subject to reasonable confidentiality and privacy protections.

05

Where your information is stored

Docjust encrypts, processes, and stores personal information on infrastructure located in Canada (AWS Canada Central region). Our cloud hosting and database provider operates our primary Canadian-region environment.

Certain service providers that support the Services (for example, email delivery, payment processing, and error monitoring) may process limited personal information outside Canada in the course of performing their services. Where this occurs, we take reasonable steps to ensure the information is subject to appropriate policy and technical safeguards.

06

How long we keep personal information

We keep personal information only as long as necessary for the purposes described in this Policy or as required by law.

  • Account information, and IDV and eSig records (including documents and biometric information): retained while your account is active; deleted within 30 days of a deletion request, subject to our rights and obligations below.
  • Billing and tax records: retained for 7+ years to comply with Canadian tax law.
  • Audit logs and security records: retained as long as necessary to support fraud prevention, dispute resolution, and legal obligations.

Biometric information (selfie and liveness images captured during identity verification) is retained while your account is active. It can be deleted on request and is also subject to an automatic purge mechanism. Biometric information is used only to perform the identity verification and is never sold, rented, or used to train AI or machine-learning models.

We may retain certain information for longer than the periods above where required by law, necessary to resolve disputes, enforce our agreements, or prevent fraud or abuse.

07

How we protect personal information

We use administrative, physical, and technical safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, and destruction. These include:

  • Encryption of data in transit (TLS) and at rest on infrastructure in Canada;
  • Role-based access controls and database-level security;
  • Strong authentication requirements and session management;
  • Bot and abuse protection, rate limiting, and error monitoring;
  • Use of service providers that maintain industry-recognized security certifications.

No method of transmission or storage is completely secure. While we take reasonable steps to protect your information, we cannot guarantee absolute security. If you have reason to believe that your personal information is no longer secure, contact us immediately.

08

Your privacy rights

Subject to applicable law, you have the right to:

  • Access the personal information we hold about you;
  • Correct personal information that is inaccurate or incomplete;
  • Withdraw consent to our processing of your personal information, subject to legal and contractual restrictions (for example, withdrawing consent may mean we can no longer provide you with the Services); and
  • Request deletion of your personal information.

How to exercise your rights

  • Customers and Authorized Users: you can update some information directly in your account settings. For other requests – including access, correction, deletion, or closing your account – please contact support@docjust.com.
  • End-Users: if you received an IDV or eSig request and wish to access, correct, or delete information collected about you, please contact the organization that sent you the request. That organization controls your information and is best placed to action your request. You may also contact us at support@docjust.com, and we will assist, typically by working with the organization that sent the request.

We will respond to verified requests within the timeframes required by applicable law.

09

Age consideration

The Services are intended for business use. Account holders must be at least 18 years of age. We do not knowingly create Customer accounts for those under the age of majority. If we learn that we have collected personal information from someone under the age limit in violation of this Policy, we will take reasonable steps to delete it.

10

Changes to this policy

We may update this Privacy Policy from time to time. Your continued use of or access to our Services following the posting of any changes constitutes acceptance of those changes. We invite you to visit the website to stay up to date and send questions if you have them.

11

How to contact – Data Protection Officer

If you have any questions, comments, or complaints regarding our privacy practices and policy, please contact our Data Protection Officer (as defined below) at the following address:

Email: support@docjust.com

Docjust Inc.

Questions about this document? Email support@docjust.com.