Privacy & Data Security

Data Processing

When you submit a document, the file is transmitted over encrypted transport (TLS) to our application layer. The document is then dispatched to isolated GPU workers running on Modal infrastructure for optical character recognition, optional AI-assisted structuring or refinement, and—where enabled—embedding generation for search and chat features within your workspace.

Processing occurs in ephemeral compute environments. Input bytes exist only for the duration required to complete the job pipeline. System logs may record non-content metadata (such as job identifiers, timestamps, and status codes) strictly for reliability, abuse prevention, and support. We do not use document contents for profiling, advertising, or unrelated analytics.

Account-related data (such as email address, subscription status, and usage quotas) is stored separately from document payloads in our authentication and billing systems (e.g., Supabase) under access controls appropriate to production SaaS operations.

Third-Party Sharing

We do not sell, rent, or license your documents or extracted text to third parties. Your content is not contributed to public or proprietary large-language-model training datasets, and we contractually and technically restrict subprocessors to processing on our instructions only.

Infrastructure providers (including cloud GPU hosts and email delivery services) may process data solely as processors to deliver the service you request. They do not acquire ownership of your materials and may not use them for their own product development or model training purposes.

We may disclose information only where required by applicable law, valid legal process, or to protect the rights, safety, and integrity of OCR Context, our users, and the public—always to the minimum extent necessary.

GDPR & KVKK Compliance

OCR Context is designed to align with the principles of the EU General Data Protection Regulation (GDPR) and the Turkish Law on Protection of Personal Data (KVKK). Where we act as a data controller for account and billing information, we process personal data on lawful bases such as contract performance, legitimate interests, and—where applicable—consent.

Where we process documents on your behalf, you remain responsible for ensuring that you have an appropriate legal basis to submit those materials (for example, employee notices, customer agreements, or data-processing agreements with your own clients). We implement technical and organizational measures including encryption in transit, role-based access, least-privilege administration, and the zero-retention workflow described above.

Abuse Prevention & Account Deletion

When you request account deletion, your active personal data is permanently purged from our systems. However, to maintain the integrity of our platform and prevent free-tier abuse, we retain a cryptographically hashed (one-way, mathematically irreversible) footprint of your email address. This hash cannot be used to identify you, contact you, or reverse-engineer your email. It is stored strictly under our legitimate business interest (GDPR Art. 6(1)(f)) solely to prevent unauthorized creation of duplicate trial accounts.

Data subjects in applicable jurisdictions may have rights to access, rectify, erase, restrict, or object to certain processing of personal data, and to lodge complaints with supervisory authorities. To exercise rights or request information about our processing activities, contact support@ocrcon.com.

International transfers, if any, are conducted with appropriate safeguards consistent with applicable law. We review our subprocessors and security practices periodically to maintain compliance as the product and regulatory landscape evolve.