Data Processing Agreement
Last updated: May 2026
1. Introduction
This Data Processing Agreement (“DPA”) forms part of the DocLearly Terms of Service and applies to all DocLearly customers who use the service to process personal data. This DPA is entered into between CampPear Labs LLC (“DocLearly”) and the customer entity that has agreed to the Terms of Service (“Customer”).
In the event of a conflict between this DPA and the Terms of Service with respect to data processing matters, this DPA shall govern. Capitalized terms not defined herein have the meanings given in the Terms of Service.
2. Roles of the Parties
For the purposes of applicable data protection legislation, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK GDPR:
- Customer is the Data Controller. The Customer determines the purposes and means of processing personal data submitted to DocLearly.
- DocLearly is the Data Processor.DocLearly processes personal data only on behalf of the Customer and in accordance with Customer's documented instructions as set out in this DPA and the Terms of Service.
3. Categories of Personal Data Processed
In providing the DocLearly service, the following categories of personal data may be processed:
- Document content: Text from documents submitted by the Customer or its end users for analysis. This may include names, contact details, and other personal data embedded in legal documents (e.g., contracts, NDAs, terms of service).
- Account data: The email address of registered users.
- Usage metadata: Analysis counts, timestamps of analysis requests, and subscription tier information associated with a user account.
4. Purpose and Legal Basis of Processing
DocLearly processes personal data solely to provide the AI-powered document analysis service described in the Terms of Service. Processing is carried out on the basis of the contractual relationship between DocLearly and the Customer.
Personal data — including document content — is never used to train, fine-tune, or improve any AI model. Document text is forwarded to Anthropic's Claude API solely to generate the Customer's requested analysis and for no other purpose. DocLearly does not sell personal data to third parties or use it for advertising or marketing purposes.
5. Data Retention
- Analysis data:Stored analyses and associated document text are automatically deleted in accordance with the user's retention setting. The default retention period is 30 days from the date of analysis.
- Account data: Upon account closure, all personal data associated with the account is deleted within 30 days.
- Anonymous analyses: Document text submitted without a signed-in account is processed in memory only and is not stored.
DocLearly will delete or return all personal data upon termination of the service relationship, unless retention is required by applicable law.
6. Sub-processors
DocLearly engages the following sub-processors to deliver the service. All sub-processors are bound by data processing agreements that impose data protection obligations no less protective than those in this DPA.
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic | AI inference (document analysis) | United States |
| Supabase | Database hosting | United States |
| Vercel | Application hosting | United States |
| Clerk | Authentication | United States |
| Stripe | Payment processing | United States |
| Upstash | Rate limiting | United States |
DocLearly will notify the Customer of any intended changes to sub-processors by updating this page. Customers who object to a new sub-processor may terminate the service in accordance with the Terms of Service.
7. Data Subject Rights
DocLearly will assist the Customer in responding to requests from data subjects exercising their rights under applicable data protection law (including rights of access, rectification, erasure, restriction, portability, and objection).
End users may exercise the following rights directly through the DocLearly service:
- Export: Users may download their analysis history from the dashboard.
- Deletion: Users may delete individual analyses or close their account entirely from the dashboard settings.
- Contact: For data subject requests that cannot be fulfilled through the product interface, users may contact privacy@doclearly.com.
8. Security Measures
DocLearly implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing. These measures include:
- Encryption in transit: All data is transmitted over TLS 1.2 or higher.
- Encryption at rest: Stored data is encrypted using AES-256, provided by Supabase.
- Access control: Role-based access controls limit who within DocLearly can access production data.
- SOC 2 Type II sub-processors: Core infrastructure sub-processors (including Supabase) are SOC 2 Type II certified.
For a full description of our security practices, see our Security & Compliance page.
9. International Data Transfers
DocLearly and its sub-processors are located in the United States. Transfers of personal data from the European Economic Area or United Kingdom to the United States are made on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission, or such other lawful transfer mechanism as may apply.
Request a Signed DPA
Business customers requiring a countersigned DPA for vendor onboarding, procurement reviews, or internal compliance purposes may request one by emailing:
legal@doclearly.com — DPA Request
Please include your company name, registered address, and the email address associated with your DocLearly Business account. We aim to respond within 2 business days.