Privacy Policy

DocUnlock, Inc. ("DocUnlock," "Company," "we," "us," or "our") provides document processing and automation services for customs brokers ("Service"). This Privacy Policy describes how we collect, use, disclose, and protect Personal Data in connection with our website at www.docunlock.com (the "Marketing Site"), our application at app.docunlock.com (the "Platform"), and the Service.

This Privacy Policy applies to all visitors to the Marketing Site and all users of the Platform and Service. It should be read together with our Terms of Service (https://www.docunlock.com/legal/terms-of-service) and, where applicable, our Data Processing Agreement (https://www.docunlock.com/legal/data-processing-agreement).

By accessing the Marketing Site or using the Service, you acknowledge that you have read and understood this Privacy Policy.

1. DATA CONTROLLER

The data controller for Personal Data collected through the Marketing Site and for account-related data is:

DocUnlock, Inc. PO Box 15683 San Francisco, CA 94115 United States

Email: privacy@docunlock.com
Data Protection Officer: dpo@docunlock.com

Where DocUnlock processes Personal Data contained within Customer Data on behalf of a customer (as described in Section 4), the customer acts as the data controller and DocUnlock acts as the data processor. In that context, the customer's privacy policy governs the processing of that data, and our Data Processing Agreement sets forth DocUnlock's obligations.

2. PERSONAL DATA WE COLLECT

We collect different categories of Personal Data depending on how you interact with us.

2.1 Marketing Site (www.docunlock.com)

When you visit the Marketing Site, we collect limited data for analytics and security purposes:

Automatically Collected Data:

  • IP address (anonymized where technically feasible)
  • Browser type and version
  • Device type and operating system
  • Referring URL and pages visited
  • Date, time, and duration of visit
  • General geographic location (country/region level, derived from IP)

Data You Provide

  • Name, email address, company name, and job title if you submit a contact or demo request form
  • Communication content if you email us or engage with our sales team

Technologies Used

  • Google Tag Manager: Tag management system for deploying analytics scripts. GTM itself does not collect Personal Data.
  • PostHog: Configured in cookieless mode with IP anonymization enabled. No cookies are placed on Marketing Site visitors.
  • HubSpot: Used for meeting scheduling, contact forms, and customer relationship management. HubSpot may place first-party cookies to track page visits by identified contacts (i.e., individuals who have submitted a form or booked a meeting). HubSpot does not track anonymous visitors who have not voluntarily provided their information.

We do not currently use third-party advertising cookies, cross-site tracking pixels, or retargeting technologies on the Marketing Site.

2.2 Platform and Service (app.docunlock.com)

When customers use the Platform, we collect:

Account Data

  • Name, email address, and job title of authorized users.
  • Company name, billing address, and payment information.
  • Account credentials (passwords are stored in hashed form only).

Usage Data

  • Feature usage, session data, and interaction logs.
  • Error reports and performance data (collected via Sentry).
  • Analytics data (collected via PostHog).

Customer Data

  • Documents uploaded by customers for processing, including shipping documents, commercial invoices, bills of lading, packing lists, and other trade documentation.
  • Customs filing outputs generated by the Service (e.g., Entry Summary 7501, In-Bond 7512).
  • Any derivatives or processed results generated through the Service.

Customer Data may contain Personal Data of third parties, including but not limited to: names, addresses, tax identification numbers (such as EINs), contact information of importers, exporters, consignees, shippers, and other parties identified in trade documentation. DocUnlock processes this data solely on behalf of and under the instructions of the customer, as described in Section 4.

2.3 Data We Do Not Collect

We do not intentionally collect sensitive or special categories of Personal Data (such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data). If such data is incidentally contained within Customer Data, the customer is responsible for ensuring a lawful basis exists under applicable law.

We do not collect Personal Data from individuals under 18 years of age. The Service is a business-to-business platform for customs brokerage professionals and is not directed at minors.

3. HOW WE USE PERSONAL DATA

3.1 Purposes and Lawful Bases

Responding to inquiries and demo requests — Data: Contact data provided via forms or email; Basis: Legitimate interests (pre-contractual engagement)

Marketing site analytics — Data: Automatically collected visitor data; Basis: Legitimate interests (website improvement and security)

Providing and operating the Service — Data: Account data, usage data, Customer Data; Basis: Contract performance

Customer support and account management — Data: Account data, communication history; Basis: Contract performance

Processing Customer Data (document analysis, customs filing generation) — Data: Customer Data including Personal Data contained therein; Basis: Contract performance (as processor on behalf of customer)

Error monitoring and platform stability — Data: Usage data, error reports (via Sentry); Basis: Legitimate interests (service reliability)

Platform analytics and improvement — Data: Usage data (via PostHog); Basis: Legitimate interests (service improvement)

Internal business analytics — Data: Aggregated usage and performance data (via Hex); Basis: Legitimate interests (business operations)

Billing and payment processing — Data: Account and payment data; Basis: Contract performance; legal obligation

Security monitoring and fraud prevention — Data: Access logs, IP addresses, session data; Basis: Legitimate interests (security); legal obligation

Compliance with legal obligations — Data: As required by applicable law; Basis: Legal obligation

Creating Aggregate Data for service improvement — Data: Anonymized, non-reversible data derived from usage patterns and system performance metrics — not derived from the content of Customer Data; Basis: Legitimate interests (see Terms of Service, Aggregate Data section)

DocUnlock has conducted Legitimate Interest Assessments for each purpose relying on legitimate interests as a lawful basis. These assessments are available upon request by contacting dpo@docunlock.com.

3.2 Processing Customer Data as a Processor

When customers upload shipping documents and trade documentation to the Platform, DocUnlock processes the Personal Data contained in those documents solely to provide the Service — specifically, to analyze documents and generate completed customs filings. In this context:

  • The customer is the data controller and determines the lawful basis for processing.
  • DocUnlock acts as a data processor and processes data only in accordance with the customer's instructions and our Data Processing Agreement.
  • DocUnlock does not use Customer Data — or any Personal Data contained within Customer Data — to train, fine-tune, or improve any machine learning or AI model, whether operated by DocUnlock or any third-party subprocessor, except where the customer has provided explicit written consent.
  • DocUnlock does not use Personal Data contained in Customer Data for its own independent purposes, except to create Aggregate Data as described in Section 3.1 above and the Terms of Service.

For details on DocUnlock's obligations as a processor, see our Data Processing Agreement at https://www.docunlock.com/legal/data-processing-agreement.

4. HOW WE SHARE PERSONAL DATA

We do not sell, rent, or trade Personal Data. We share Personal Data only in the following circumstances:

Service Providers and Subprocessors. We share Personal Data with third-party service providers who assist in delivering the Service. Each provider is bound by written data protection obligations. Our current subprocessors are:

Google Cloud Platform — Purpose: Infrastructure hosting; Data Accessed: All Customer Data and account data

Anthropic — Purpose: AI/LLM document processing; Data Accessed: Customer Data submitted for processing

OpenAI — Purpose: AI/LLM document processing; Data Accessed: Customer Data submitted for processing

PostHog — Purpose: Product analytics; Data Accessed: Usage data, device identifiers, anonymized IP

Sentry — Purpose: Error monitoring; Data Accessed: Error reports, session data, device info

HubSpot — Purpose: CRM, scheduling, and sales communications; Data Accessed: Contact name, email, company name, communication history, scheduling data

Customer Data submitted to AI/LLM providers (Anthropic and OpenAI) is processed solely for the purpose of providing the Service. DocUnlock maintains contractual commitments with each AI/LLM provider that Customer Data is not used for model training, fine-tuning, or improvement of any AI or machine learning system. These restrictions apply regardless of whether the customer has opted in or out, and no opt-in for such use is offered.

Legal Requirements. We may disclose Personal Data if required by law, regulation, legal process, or enforceable governmental request, or to establish, exercise, or defend legal claims. Where permitted by law, DocUnlock will provide reasonable advance notice to the affected customer before disclosing their data in response to such a request.

Business Transfers. In the event of a merger, acquisition, reorganization, or sale of assets, Personal Data may be transferred as part of the transaction. We will notify affected parties of any such transfer and any choices they may have regarding their data.

With Customer's Consent or Instructions. We may share data as directed by the customer or with the customer's explicit consent.

A full subprocessor register with processing activities and transfer mechanisms is available in Appendix A of the Terms of Service and Annex III of the Data Processing Agreement.

5. INTERNATIONAL DATA TRANSFERS

DocUnlock is based in the United States. Personal Data collected through the Marketing Site and processed through the Platform is stored and processed in the United States.

6. DATA RETENTION

We retain Personal Data only as long as necessary for the purposes described in this Privacy Policy, subject to the following:

Marketing site visitor data — Retention: 24 months from collection; Basis: Legitimate interests (analytics)

Contact/demo request data — Retention: Duration of sales engagement plus 24 months, or until deletion requested; Basis: Legitimate interests (pre-contractual)

Account data — Retention: Duration of the Agreement; Basis: Contract performance

Customer Data — Retention: Duration of the Agreement; deleted within 90 days of termination; Basis: Contract performance

Billing and payment records — Retention: Up to 7 years after termination; Basis: Legal obligation (tax/accounting)

System and access logs — Retention: 12 months; Basis: Legitimate interests (security); legal obligation

Aggregate/anonymized data — Retention: Indefinitely; Basis: No longer Personal Data once anonymized

Backup data — Retention: Up to 90 days after deletion from production (encrypted, functionally inaccessible); Basis: Legitimate interests (disaster recovery)

Backup copies are encrypted, access-controlled, and restored only in the event of a system failure or disaster recovery event — they are not accessible for ordinary processing or in response to data subject requests. Upon termination of a customer agreement, customers may request deletion of Customer Data within 90 days. After this period, and upon expiration of the 90-day backup retention window, all Customer Data — including backup copies and data held by subprocessors — is permanently deleted through automated rotation.

For full details on post-termination data handling, see the Data Retention section of the Terms of Service.

7. COOKIES AND TRACKING TECHNOLOGIES

7.1 Marketing Site (www.docunlock.com)

The Marketing Site uses a cookie consent banner to manage non-essential cookies. The banner automatically honors Global Privacy Control (GPC) signals — visitors with GPC enabled are automatically opted out of non-essential cookies without further interaction. Visitors without GPC enabled are prompted to accept or deny non-essential cookies before any such cookies are set.

The Marketing Site uses the following technologies:

  • Google Tag Manager: Tag management system that deploys analytics and scheduling scripts. GTM itself does not collect Personal Data but facilitates the loading of other tools.
  • PostHog: Configured in cookieless mode with IP anonymization enabled. No cookies are placed on Marketing Site visitors. Used to understand visitor behavior, page performance, and traffic sources.
  • HubSpot: Used for meeting scheduling and contact forms. HubSpot may place first-party cookies on individuals who have voluntarily submitted a form or booked a meeting, to track subsequent page visits by those identified contacts. HubSpot does not place cookies on or track anonymous visitors.

We do not currently use third-party advertising cookies, cross-site tracking pixels, or retargeting technologies on the Marketing Site. If this changes, we will update this policy and, where required, seek your consent before any such technologies are deployed.

7.2 Platform (app.docunlock.com)

The Platform uses:

  • Google Tag Manager: Tag management for deploying analytics and monitoring tools.
  • PostHog: Product analytics to understand feature usage and improve the Service. Configured with first-party cookies.
  • Sentry: Error monitoring and performance tracking to maintain Platform stability. Sentry collects error reports and associated session context but does not track users for analytics purposes.

7.3 Cookie Details

PostHog analytics — Site: Platform only; Type: Functional; Purpose: Usage analytics and product improvement; Duration: Session / 1 year; Party: First party

HubSpot — Site: Marketing Site only; Type: Functional; Purpose: Tracking page visits by identified contacts who have submitted a form or booked a meeting; Duration: Session / 1 year; Party: First party

Sentry — Site: Platform only; Type: Functional; Purpose: Error monitoring and diagnostics; Duration: Session; Party: First party

Session cookies — Site: Platform; Type: Strictly necessary; Purpose: Authentication and session management; Duration: Session; Party: First party

Security cookies — Site: Platform; Type: Strictly necessary; Purpose: CSRF protection, security tokens; Duration: Session; Party: First party

7.4 Your Choices

The Marketing Site uses a consent banner that automatically detects and honors Global Privacy Control (GPC) signals, opting out visitors with GPC enabled from all non-essential cookies without requiring any additional action. Visitors without GPC enabled will be prompted to accept or deny non-essential cookies.

On the Platform, cookies are limited to first-party, functional, and strictly necessary categories required to operate and monitor the Service.

You can manage cookies through your browser settings at any time. Disabling cookies may affect the functionality of the Platform.

8. YOUR RIGHTS

8.1 Rights Under GDPR and UK GDPR

If you are located in the EEA or UK, you have the following rights regarding your Personal Data:

  • Access: Request a copy of your Personal Data and information about how it is processed.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your data where it is no longer necessary, or where you withdraw consent.
  • Restriction: Request that processing be restricted in certain circumstances.
  • Portability: Receive your data in a structured, commonly used, machine-readable format.
  • Object: Object to processing based on legitimate interests (on grounds relating to your particular situation) or to direct marketing at any time.
  • Automated Decision-Making: Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
  • Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

How to Exercise Your Rights: Contact us at privacy@docunlock.com. We will respond without undue delay and within one (1) month. We may extend this by up to two (2) additional months for complex requests, with notice to you. We may request identity verification before processing your request.

Where DocUnlock Acts as Processor: If your Personal Data is contained within Customer Data processed on behalf of a DocUnlock customer, please direct your request to that customer (the data controller). DocUnlock is not the appropriate point of contact for data subject rights requests relating to Personal Data contained within Customer Data, as DocUnlock does not control how that data is collected or used. DocUnlock will assist the relevant customer in fulfilling your request in accordance with our Data Processing Agreement.

8.2 Rights Under CCPA/CPRA

If you are a California resident, you have the following rights:

  • Right to Know: Request disclosure of the categories and specific pieces of Personal Information collected, the purposes of collection, and the categories of third parties with whom it is shared.
  • Right to Delete: Request deletion of your Personal Information, subject to legal exceptions.
  • Right to Correct: Request correction of inaccurate Personal Information.
  • Right to Opt Out of Sale/Sharing: DocUnlock does not sell or share Personal Information as defined under the CCPA/CPRA.
  • Non-Discrimination: We will not discriminate against you for exercising your rights.

To exercise your rights, contact us at privacy@docunlock.com.

8.3 Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority. EEA supervisory authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK: the Information Commissioner's Office at https://ico.org.uk.

8.4 Marketing Communications

You may opt out of marketing communications at any time by following the unsubscribe link in any marketing email or by contacting support@docunlock.com. Opting out of marketing does not affect transactional or service-related communications.

9. SECURITY

DocUnlock implements and maintains technical and organizational security measures designed to protect Personal Data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls with multi-factor authentication
  • Regular vulnerability assessments and penetration testing
  • 24/7 security monitoring and incident response capabilities
  • SOC 2 Type II certified infrastructure
  • Annual security training for all personnel

Full details of our security measures are set forth in Appendix B of the Terms of Service and Annex II of the Data Processing Agreement.

No method of transmission or storage is completely secure. While we strive to protect your data, we cannot guarantee absolute security.

10. SECURITY INCIDENT NOTIFICATION

In the event of a Security Incident affecting Personal Data, DocUnlock will:

  • Notify affected customers without undue delay upon becoming aware of the incident
  • Provide details on the nature, scope, and likely consequences of the incident as they become known
  • Describe measures taken or planned to contain and remediate the incident
  • Assist customers in meeting their own notification obligations to supervisory authorities and data subjects
  • Conduct a post-incident review and implement improvements as necessary

DocUnlock's ability to provide complete incident details at the time of initial notification may be limited by the early stage of an investigation. DocUnlock will provide updates as additional information becomes available. Full incident notification procedures are set forth in the Terms of Service and Data Processing Agreement.

11. THIRD-PARTY LINKS

The Marketing Site or Platform may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party site you visit.

12. BUSINESS TRANSFERS

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, Personal Data may be transferred as part of the transaction. We will provide notice before Personal Data becomes subject to a different privacy policy and will ensure that the acquiring entity is bound by obligations no less protective than those in this Privacy Policy, or will provide you with the opportunity to opt out.

13. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. We will notify customers of material changes by email to the address associated with their account at least fourteen (14) days before the changes take effect. Non-material changes take effect upon posting to the Marketing Site. Where changes materially affect the processing of Personal Data in a manner requiring consent under applicable law, we will obtain your explicit consent before the changes take effect.

The "Last Updated" date of this Privacy Policy indicates when it was most recently revised.

Contact Information

General: support@docunlock.com
Legal: legal@docunlock.com
Privacy: privacy@docunlock.com
Security: security@docunlock.com
Data Protection Officer: dpo@docunlock.com

DocUnlock, Inc.
PO Box 15683
San Francisco, CA 94115

Last Updated: January 1, 2026

NCBFAA Logo (World with letters)
NCBFAA Member
AICPA SOC2 Certification Logo
We are SOC2 certified
Wireframe Globe
English
Spanish
French
Ask your favorite AI about DocUnlock
Google Gemini AI LogoAnthropic Claude AI LogoOpenAI ChatGPT AI LogoPerplexity AI Logo
Legal
Contact us
© 2026 DocUnlock, Inc. · All rights reserved