Privacy Policy
Last updated: May 2026
Doksa.io ("we", "us", "our") is a qualitative research analysis platform operated by NordAIConsult AS. For the purposes of the EU General Data Protection Regulation (GDPR), we are the data controller for personal data you provide when creating an account and using our service.
Company: NordAIConsult AS
Organization Number: 936 175 953
Country: Norway
Contact: privacy@doksa.io
Support: support@doksa.io
Account Information
- Username, email address, password (hashed)
- Account creation date, last login
- Credit balance and transaction history
Research Documents You Upload
You decide what documents to upload for analysis. Your research data belongs to you.
Privacy-First Approach
Your source documents are deleted promptly after analysis completes. We extract the text, send it to our AI service provider for processing, receive the results, and then delete your original files. Files from analyses that fail or are abandoned are deleted within 48 hours. We do not retain your research documents beyond this, and residual copies are purged from encrypted backups on our normal backup cycle.
What we keep temporarily (30 days):
- Analysis results: codes, themes, patterns, structured outputs
- Metadata: file name, upload date, document length
- Analysis parameters: coding method, research questions, framework
After 30 days, analysis results are automatically deleted. Export your results before then.
Usage & Technical Data
- IP address, browser type, device information
- Pages visited, features used, error logs
- Session data (via cookies for authentication)
- Stripe payment identifiers (no card numbers stored by us)
Contract Performance (GDPR Art. 6(1)(b))
Account data, uploaded documents, and analysis outputs are necessary to provide our service.
Legitimate Interest (GDPR Art. 6(1)(f))
Usage analytics, error monitoring, security logs, and fraud prevention.
Legal Obligation (GDPR Art. 6(1)(c))
Transaction records for tax compliance, fraud investigation when required.
Consent (GDPR Art. 6(1)(a))
Optional cookies beyond strictly necessary (you can refuse). Marketing emails (if you opt in).
⚠️ Important: Your Data Upload Decision
You decide what documents to upload. When you upload research documents for analysis, you are instructing us to send that content to our third-party AI service provider for processing.
You are responsible for ensuring you have the right to upload and process your documents (consent from participants, ethical approval, anonymization, etc.).
Third-Party AI Service Provider
- Role: Our AI service provider acts as a data processor under GDPR Article 28
- Location: Data may be processed outside the EU. We rely on our AI provider's data processing terms and standard contractual safeguards for any such transfer
- Purpose: AI-powered qualitative coding, thematic analysis, memo generation
- Training: Our AI service provider does not use your data to train models (per their API terms)
- Retention: Our AI service provider retains API logs for up to 30 days for abuse monitoring, then deletes them
- Security: Encrypted in transit (TLS) and at rest
Our Infrastructure: Our primary infrastructure (application servers, database, file storage) is hosted in the EU. Some sub-processors, such as AI processing and transactional email delivery, may process limited data outside the EU under appropriate safeguards.
Data Processing Agreement: We use AI service providers that offer GDPR-compliant data processing terms covering Article 28 requirements, and we are finalizing our data processing agreement and transfer safeguards with them. A current list of our sub-processors is available upon request at privacy@doksa.io.
Other Service Providers
- Stripe: Payment processing (PCI-DSS compliant, EU servers)
- Hosting: Cloud infrastructure in EU data centers
- Email: Transactional emails (account notifications, receipts)
✓ Access
Request a copy of your personal data
✓ Rectification
Correct inaccurate data
✓ Erasure
Delete your data ("right to be forgotten")
✓ Portability
Receive your data in machine-readable format
✓ Restrict Processing
Limit how we use your data
✓ Object
Object to processing based on legitimate interest
How to exercise your rights: Email privacy@doksa.io with your request.
Response time: We will respond within one month. For complex requests, we may extend by two months and will notify you.
We implement technical and organizational measures appropriate to the risk (GDPR Article 32):
- Encryption: TLS 1.2+ for data in transit, AES-256 at rest
- Authentication: Hashed passwords (bcrypt), secure session management
- Access Control: Role-based permissions, principle of least privilege
- Monitoring: Security logs, intrusion detection, regular audits
- Backups: Regular encrypted backups with secure retention
- Vendor Security: All processors assessed for GDPR compliance
Data Breach Notification: Where a breach poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours where feasible (GDPR Article 33) and inform affected users without undue delay (Article 34).
Our Data Minimization Commitment
We follow the GDPR principle of storage limitation: we keep your data only as long as necessary.
- Source documents: Deleted immediately after analysis completes
- Analysis results: Automatically deleted after 30 days
- Account data: Deleted when you delete your account
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Source documents (PDFs, Word, etc.) | Deleted immediately after processing | GDPR Art. 5(1)(e) - Storage limitation |
| Analysis results | 30 days | Service delivery + user convenience |
| Account information (active) | While account is active | Contract performance |
| Personal data after account deletion | Immediately anonymized | GDPR Article 17 |
| Transaction records (anonymized) | 5 years | Norwegian Bookkeeping Act |
| Invoice records | 5 years | Norwegian Bookkeeping Act |
| Payment processing records | 120 days | Chargeback protection |
| Security logs | 90 days | Security & fraud prevention |
| Support correspondence | 3 years | Legal defense & quality improvement |
When You Delete Your Account
Your personal information (username, email, profile) is immediately anonymized. You lose access to all files and data, and your account cannot be restored after the undo window expires.
Legal Compliance Retention:
We may retain anonymized system data for legal and regulatory compliance, including:
- Transaction and invoice records (Norwegian accounting law: 5 years)
- Payment processing records (chargeback protection: 120 days)
- Audit logs and system backups
- Anonymized file metadata for copyright compliance (DMCA: 3 years)
Important: This anonymized data is not linked to your identity and is retained solely for legal, financial, and security purposes as required by law. Under GDPR Recital 26, anonymized data is not considered personal data.
Active Account: You can delete individual documents at any time from your account dashboard. To delete your entire account, visit your account settings or email support@doksa.io.
Data Protection Contact
Email: privacy@doksa.io
Right to Complain
You have the right to lodge a complaint with a supervisory authority if you believe we have not complied with GDPR.
Find your local supervisory authority: EDPB Member List
We may update this policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email or a prominent notice on our website. Continued use after notification constitutes acceptance.
Version history: Available upon request to privacy@doksa.io