Privacy Policy

Last updated: March 27, 2026

This Privacy Policy explains how TheDocademy processes personal data in connection with the operation of its SaaS platform and marketplace services, in accordance with the GDPR and applicable French law.

1. Data Controller

TheDocademy acts as data controller for the processing carried out to operate the platform, manage user accounts, process orders, organize assignments, handle payments, ensure security, and comply with legal obligations.

Contact for privacy matters: legal@thedocademy.com

If a Data Protection Officer is appointed or mandatory company details must be disclosed, those details should be added here before production publication.

2. Categories of Data Processed

We may process the following categories of personal data:
• Account data: first name, last name, email address, authentication data, account type, account history.
• Order and service data: uploaded files, document category, notes, correction instructions, timestamps, order status, assigned professional, support exchanges.
• Professional compliance data: identity, business information, tax information, payment details, onboarding and DAC7-related data where applicable.
• Payment data: payment identifiers, status, amount, billing data, anti-fraud signals. Full bank card data is processed by payment providers, not stored by TheDocademy.
• Technical and security data: IP address, connection logs, device or browser metadata, authentication events, error logs, audit trails.
• Communication data: messages sent to support, satisfaction reviews, complaints, moderation exchanges.

3. Purposes and Legal Bases

We process personal data for the following purposes and legal bases:
• Performance of a contract — account creation, login, order management, delivery of AI or human services, customer support
• Legitimate interests — cybersecurity, fraud prevention, service continuity, quality monitoring, moderation, internal reporting, evidence preservation
• Legal obligations — accounting, invoicing, tax obligations, DAC7 reporting, responses to lawful authority requests
• Consent — only where a specific optional feature requires it

Where several legal bases apply, TheDocademy relies on the basis most appropriate to the relevant processing activity.

4. AI and Human Review Workflows

Uploaded documents are processed only to deliver the requested service, ensure security, handle support, and comply with applicable law. For human correction, the document and related instructions may be made available to the assigned professional strictly on a need-to-know basis. Unless expressly stated otherwise in separate terms or notices, documents are not reused to train foundation AI models on behalf of TheDocademy.

5. Recipients and Processing Roles

Personal data may be disclosed, strictly where necessary, to:
• hosting, infrastructure, security, communication, and software providers acting as processors or subprocessors
• payment service providers and banking partners
• assigned human professionals, for the sole purpose of carrying out the ordered service
• external advisors, auditors, insurers, or debt collection entities where justified
• competent administrative, tax, judicial, or regulatory authorities where required by law

TheDocademy requires data processing agreements where Article 28 GDPR applies. Human professionals may, depending on the situation, act either as recipients acting under platform rules for the mission entrusted to them, or as separate controllers for their own independent legal obligations.

6. International Transfers

TheDocademy seeks to host and process data within the European Economic Area whenever possible. Where a provider involves a transfer outside the EEA, such transfer must be framed by an adequacy decision, standard contractual clauses, or another valid transfer mechanism under Chapter V GDPR.

7. Retention Periods

Personal data is retained only for as long as necessary for the relevant purpose, then archived or deleted according to legal and operational requirements.

Indicative retention periods:
• account data: for the life of the account, then for the applicable limitation period and evidence needs
• documents and service files: for the duration strictly necessary to perform the service, manage disputes, and meet legal obligations
• billing and accounting data: up to 10 years where required by French law
• security logs: according to operational necessity and proportionality
• DAC7 and tax compliance data: for the legal retention period applicable to reporting obligations

Retention periods may be extended where necessary to establish, exercise, or defend legal claims.

8. Your Rights

Subject to the applicable legal conditions, you have the following rights:
• right of access
• right to rectification
• right to erasure
• right to restriction of processing
• right to data portability
• right to object, where the processing is based on legitimate interests
• right to withdraw consent, where processing is based on consent
• right to define instructions regarding the fate of your data after death under French law, where applicable

Requests may be sent to: legal@thedocademy.com

You also have the right to lodge a complaint with the CNIL: https://www.cnil.fr

9. Data Needed to Provide the Service

Certain data is necessary to create an account, authenticate users, process orders, assign work to professionals, deliver services, ensure payment, and meet legal obligations. If such mandatory data is not provided, TheDocademy may be unable to open an account, accept an order, complete a service, or maintain a professional account in good standing.

10. Security and Confidentiality

TheDocademy implements technical and organizational measures designed to protect personal data, including access controls, compartmentalization, secure transport, authentication controls, logging, and reasonable security governance measures adapted to the risks presented by the processing. No system can guarantee absolute security. Users are also responsible for protecting their credentials and devices.

11. Cookies and Similar Technologies

TheDocademy uses cookies and similar technologies that are strictly necessary for authentication, session continuity, security, and core platform operation. Where non-essential cookies or trackers are introduced in the future, they must be governed by a dedicated information and consent mechanism where required by law.

12. DAC7 and Professional Data Reporting

Where TheDocademy qualifies as a reporting platform operator, certain professional user data may be collected, verified, retained, and reported to tax authorities under DAC7 and applicable French tax law. This processing is based on a legal obligation under Article 6(1)(c) GDPR. It may include identity, address, tax identification, payment details, and transaction-related reporting data. Such processing is mandatory where the law applies and cannot be opted out of.

13. Minors

The service is not intended for persons who may not validly contract under applicable law. If you believe personal data relating to a minor has been submitted without proper authorization, please contact us promptly.

14. Changes

This Privacy Policy may be updated to reflect legal, technical, or operational changes. The date of the latest update appears at the top of this page.

15. Contact

For any question regarding privacy or personal data: legal@thedocademy.com