Overview
SmartDMS (“we”, “us”, or “our”) operates an AI-powered document management system. This Privacy Policy explains what data we collect, how we use it, and the choices you have as an organization administrator or user.
By using SmartDMS, your organization agrees to the practices described here. If you do not agree, do not use the service.
What data we collect
We collect only the data necessary to provide the service:
- Account information: email address, name, and role for each user in your organization.
- Document files: PDFs, images (JPEG, PNG, TIFF), and DOCX files you upload, scan, or send via email to your intake address.
- OCR and extracted text: the text content extracted from your documents by our OCR pipeline, stored alongside the original file.
- Extracted fields: structured data pulled from documents (invoice amounts, vendor names, dates, etc.) as part of AI classification.
- Audit log entries: timestamped records of user actions (uploads, approvals, deletions, logins) within your organization.
- Usage metadata: page and document counts, storage consumption, and feature usage for billing and quota management.
We do not collect payment card details directly. Payment processing is handled by Stripe; their privacy policy governs that data.
AI processing — Anthropic API
We transmit document text and, where necessary, image data to Anthropic’s API. We do not use your documents to train our own models or Anthropic’s models. Your Org Brain (per-organization AI learning) is trained solely on your own corrections and confirmations — never shared across organizations.
For customers operating in sensitive or regulated environments, please review Anthropic’s Privacy Policy before using SmartDMS.
Data storage & encryption
Document files and extracted data are stored on the deployment associated with your SmartDMS instance:
- Self-hosted / local deployments: files are stored on your own server’s filesystem. We never access those files remotely.
- Cloud-hosted: managed files are encrypted at rest with AES-256-GCM, and regulated document types additionally use field-level encryption. Each organization is isolated to its own storage path.
Database records (user accounts, extracted fields, audit logs) are stored in your deployment’s database. Cloud-hosted instances use encrypted, managed PostgreSQL.
Data retention
Your organization’s data is retained for as long as your subscription is active. Organization administrators can delete individual documents at any time from the SmartDMS interface.
On subscription cancellation or account deletion, your data is retained for 30 days to allow for export, then permanently deleted. You may request immediate deletion by contacting hello@smartdms.ai.
How we use your data
- To provide, operate, and improve the SmartDMS service.
- To classify, route, and organize your documents as configured by your organization.
- To send email notifications (approval requests, anomaly alerts, billing receipts) when configured by your organization.
- To calculate page and document counts and enforce plan limits.
- To provide customer support when you contact us.
No sale of personal data
We do not sell, rent, or trade your personal data or your organization’s document data to any third party, ever. We do not use your document content for advertising purposes.
Data sharing
We share data only with the following categories of third-party service providers, strictly to operate the service:
- Anthropic — AI classification and extraction (document content)
- Stripe — payment processing (billing details only)
- Email provider — transactional email delivery (email addresses and notification content)
- Postmark — inbound email ingestion, when the email intake feature is enabled
We do not share data with advertising networks, data brokers, or analytics platforms.
Security
All data is transmitted over TLS. Stored files and database records use encryption at rest. User passwords are stored as bcrypt hashes and never in plaintext. Access to your organization’s data is gated by authentication and enforced at the API layer for every request, with a per-organization tamper-evident audit chain.
Despite our security measures, no system is completely secure. We encourage you to use strong passwords and to revoke access for users who leave your organization promptly.
Your rights
- Export your documents and extracted data at any time.
- Delete individual documents or your entire account.
- Request a full data export by emailing hello@smartdms.ai.
- Request permanent deletion of all data associated with your organization.
If you are located in the EU or UK and have concerns about how we handle your personal data under GDPR or UK GDPR, please contact us at hello@smartdms.ai.
Cookies & sessions
SmartDMS keeps you signed in using a first-party, httpOnly session cookie with CSRF protection. We do not use advertising cookies or third-party tracking cookies.
Changes to this policy
We may update this Privacy Policy from time to time. We will notify organization administrators by email of material changes at least 14 days before they take effect. Continued use of SmartDMS after the effective date constitutes acceptance of the updated policy.
Contact
Questions about this Privacy Policy? Contact us at hello@smartdms.ai.