Back to home
Legal

Privacy Policy

Last updated: 11 April 2026

Redacto ("we", "us", "our") is a GDPR-focused document redaction service. This Privacy Policy explains what personal data we collect, why we collect it, and how you can exercise your rights. If anything is unclear, write to us at support@redacto.co.

1. Who we are

Redacto provides a hosted service that allows users to upload documents, detect sensitive data, and produce a redacted copy. For the purposes of applicable data protection law we act as the data controller for account and billing information, and as a data processor for the content of documents you upload.

2. Data we collect

Account data

  • Email address (used as your login identifier)
  • Authentication details handled by our identity provider
  • Optional display name, if you set one

Billing data

  • Plan information and page allowance usage
  • Payment identifiers issued by our payment provider — we do not see or store full card numbers
  • Billing name and country (for invoicing and VAT)

Uploaded documents

Documents you upload are processed for the sole purpose of providing redaction. They are not retained after processing. Once a document has been redacted, the original upload is deleted from our storage. You can also delete the redacted output from your account at any time.

Technical and operational data

  • Minimal server logs (timestamps, IP address, request path, response status) used for security, abuse prevention, and debugging
  • Error reports, which never contain the content of your documents
  • Basic usage metrics (e.g. number of pages processed) to enforce plan limits

3. Why we process your data

  • To provide the service — accepting your upload, detecting entities, producing a redacted output, and making it available for download
  • To operate your account — authentication, plan management, and billing
  • To keep the service secure and reliable — abuse detection, rate limiting, incident response
  • To comply with legal obligations — tax records, responding to lawful requests

4. Legal bases (GDPR)

  • Contract — to provide you with the service you signed up for
  • Legitimate interests — keeping the service safe and reliable
  • Legal obligation — tax, accounting, lawful access requests
  • Consent — for any optional communications you opt into

5. How long we keep data

  • Uploaded documents: deleted after redaction is complete
  • Redacted output: kept until you delete it or close your account
  • Account data: kept for as long as your account is active, then deleted on request
  • Billing records: retained for the period required by applicable tax law
  • Server logs: retained only as long as needed for security and reliability

6. Sharing and subprocessors

We use a small number of vetted providers to run the service — for example, for hosting, authentication, payments, and AI-assisted entity detection. All subprocessors are bound by confidentiality and data-protection terms and only process data on our instructions. A current list of subprocessors is available on request at support@redacto.co.

7. International transfers

Where data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses and appropriate supplementary measures to protect your information.

8. Your rights

Under the GDPR, you have the right to access, correct, delete, export, or restrict the processing of your personal data, to object to processing, and to lodge a complaint with your supervisory authority. To exercise any of these rights, email support@redacto.co — we will respond within the legally required timeframe.

Deleting your account yourself. You can permanently delete your Redacto account and all associated data — uploaded files, redacted outputs, OCR page images, and audit records — at any time from your Profile page in the app. Deletion is immediate and irreversible; no support ticket is required.

9. Cookies and analytics

Redacto uses only essential cookies needed for authentication and session management. We do not use advertising cookies or third-party trackers. Any future analytics will be privacy-respecting and aggregated only.

10. Security

We apply appropriate technical and organisational measures to protect your data, including HTTPS in transit, access controls, and isolated processing workspaces for uploaded documents. No system is perfectly secure, but we take security seriously and publish a clear DPA separately.

11. Changes to this policy

We may update this policy to reflect changes in the service or legal requirements. Significant changes will be communicated on this page with a new "last updated" date.

12. Contact

Questions or data-subject requests: support@redacto.co.