Privacy Policy
Effective date: 15 June 2026 · LXCoders, Lda.
1. Introduction
DocBridge ("we", "our", "the Service") is operated by LXCoders, Lda., a company incorporated in Portugal. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use DocBridge.
By using DocBridge, you agree to the collection and use of information described in this policy. If you do not agree, please discontinue use of the Service.
2. Data We Collect
Account data
When you create an account (via invitation) we collect: your name, email address, and optionally your phone number. This data is used to authenticate you and personalise your experience.
Document data
DocBridge processes invoices, receipts, and other financial documents that you submit via email, WhatsApp, Google Drive, or manual upload. We extract structured data (supplier name, NIF, amounts, dates) from these documents and store it in your company's workspace.
Usage data
We collect standard server logs (IP address, browser type, pages visited, timestamps) for security and performance monitoring. This data is not sold or shared with third parties.
3. Google Account and Gmail Data
Summary: DocBridge only reads email attachments that look like financial documents. We do not read your email body content, contacts, or any other personal Gmail data. We do not use Google data for advertising.
What we access
When you connect a Gmail account, DocBridge requests the gmail.modify scope, which allows us to:
- Read emails and attachments to detect invoices, receipts, and other financial documents.
- Apply labels (e.g. "DocBridge / Processed") to emails we have processed, so you can track what has been handled.
What we do NOT do
- We do not read the body text of your emails.
- We do not access your contacts, calendar, or other Google services.
- We do not store raw email content — only the extracted document data (amounts, dates, supplier names).
- We do not use Gmail data to serve advertising or train AI models beyond your own document processing.
- We do not share Gmail data with any third party except as required to provide the Service (e.g. Supabase cloud storage).
How we store Google tokens
OAuth access and refresh tokens are stored encrypted in our database (Supabase, hosted in the EU). Tokens are used exclusively to sync your documents. You can disconnect your Gmail account at any time in Settings → Connected Accounts, which immediately revokes our access.
Compliance with Google API Services User Data Policy
Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
4. How We Use Your Data
- To process and extract data from your financial documents
- To provide the document validation and export workflow
- To send transactional notifications (document received, validation required)
- To improve the accuracy of our AI extraction models (using only data from your own workspace — never shared across tenants)
- To comply with legal obligations under Portuguese and EU law
5. Data Storage and Security
Your data is stored on Supabase (PostgreSQL), hosted in the European Union. We apply the following security measures:
- Row-Level Security (RLS) enforced at the database level — your data is never accessible to other companies on the platform
- AES-256-GCM encryption for sensitive credentials (API keys, OAuth secrets)
- TLS/HTTPS for all data in transit
- Supabase Storage for document files, with per-tenant access control
6. Data Retention
We retain your account and document data for as long as your subscription is active. If you cancel your subscription or request account deletion, we will delete your data within 30 days, except where retention is required by law (e.g. SAF-T / AT obligations under Portuguese tax law).
7. Your Rights (GDPR)
As a data subject under the GDPR, you have the following rights:
- Right of access — request a copy of the data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your personal data
- Right to portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interests
To exercise any of these rights, contact us at privacy@lxcoders.com. We will respond within 30 days.
8. Third-Party Services
DocBridge uses the following sub-processors:
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database, auth, file storage | EU (AWS eu-west-1) |
| Anthropic | AI document extraction (Claude) | US (data not retained) |
| Vercel | Application hosting | US / EU edge |
| Google | Gmail / Drive OAuth | EU / US |
| Mailgun | Transactional email | EU |
9. Cookies
DocBridge uses only strictly necessary cookies for authentication (Supabase session cookies). We do not use tracking or advertising cookies. No cookie consent banner is shown.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of the page and notify active users by email if the changes are material. Your continued use of DocBridge after any changes constitutes acceptance of the updated policy.
11. Contact
For privacy-related questions or to exercise your GDPR rights, contact:
LXCoders, Lda.
Privacy inquiries: privacy@lxcoders.com
General support: support@lxcoders.com