DRAFT — Pending Legal Review. This policy has not yet been finalised by legal counsel. Do not rely on it as executed legal advice. Last updated: 18 June 2026.

Privacy Policy

Effective date: 18 June 2026  ·  Droqify by SKIFIN

1. Who We Are

Droqify is an intelligent document processing platform operated by SKIFIN ("SKIFIN", "we", "us", "our"). Our principal contact for privacy matters is contact@skifin.com.

2. Scope of This Policy

This Privacy Policy applies to personal data processed by SKIFIN when you:

  • Visit droqify.com (the marketing site);
  • Submit an enquiry, demo request, or contact form on this site;
  • Use the Droqify application at app.droqify.com.

It does not apply to data that our enterprise customers process through the Droqify platform on their own behalf as data controllers. That data is governed by the Master Services Agreement and (where applicable) our Business Associate Agreement (BAA) or Data Processing Agreement (DPA) with the customer.

3. Data We Collect

3.1 Marketing site visitors

  • Contact form submissions: name, company, business email address, industry, type of inquiry, and any message you provide.
  • Server logs: IP address, browser type, referring URL, and timestamps. These are retained for up to 30 days for security and abuse prevention.

We do not use third-party analytics, advertising pixels, or tracking cookies on this site. No personal data from visitors is shared with advertising platforms.

3.2 Application users

  • Account data: email address, display name, hashed password, optional Google OAuth ID, profile picture URL.
  • Usage data: authentication events, document upload and processing events, API calls. Usage data is associated with your user ID and your organisation's tenant.
  • Audit logs: every data access, modification, and deletion event is recorded with your user ID, action, resource ID, source IP, and timestamp. Audit logs do not contain document content or extracted text. These logs are retained for 7 years on immutable (WORM) storage under HIPAA §164.312(b).

4. How We Use Your Data

PurposeLawful basis (GDPR)
Responding to demo requests and enquiries from the contact formLegitimate interests (responding to inbound business enquiries)
Providing and operating the Droqify applicationPerformance of contract
Sending transactional emails (password reset, system notifications)Performance of contract
Security monitoring, fraud prevention, and incident responseLegitimate interests
HIPAA audit compliance (7-year audit log retention)Legal obligation
Improving and developing the platformLegitimate interests (aggregated/anonymised analytics only)

5. Data Sharing and Subprocessors

We share personal data only with the following categories of recipients:

  • Postmark (Wildbit LLC) — transactional email delivery (password reset, system notifications). Postmark processes sender and recipient email addresses.
  • Microsoft Azure — all infrastructure: compute, storage (Cosmos DB, Blob), Service Bus, Key Vault, Application Insights. Data is processed in the customer's selected Azure region.
  • Microsoft Azure OpenAI — AI inference on document text. Your data is not used for model training. Zero-retention policy applies.
  • Mistral AI — OCR processing of document images. EU-incorporated entity; processing within EU infrastructure. No training on customer data.

We do not sell personal data. We do not share personal data with advertising networks, data brokers, or social media platforms.

Full subprocessor details are available at droqify.com/security.

6. International Transfers

For customers in the European Economic Area (EEA) or UK, any transfer of personal data outside the EEA/UK to our subprocessors is protected by:

  • Standard Contractual Clauses (SCCs) for transfers to Microsoft Azure (US) and Postmark (US); and
  • EU-incorporated processing for Mistral AI (no transfer mechanism required).

7. Data Retention

  • Contact form data: retained for 12 months, then deleted from our email inbox.
  • Application account data: retained for the duration of your account, plus 90 days after termination to allow account recovery. On confirmed termination, account and user data is deleted from all Cosmos DB containers within 30 days.
  • Audit logs: 7 years (HIPAA compliance). Stored on immutable WORM-protected Blob Storage.
  • Server logs: 30 days.

8. Your Rights (GDPR / UK GDPR)

If you are in the EEA or UK, you have the following rights regarding personal data we hold about you:

  • Access: request a copy of your personal data.
  • Rectification: request correction of inaccurate data.
  • Erasure: request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
  • Restriction: request that we restrict processing of your data.
  • Portability: receive a machine-readable copy of data you have provided to us.
  • Objection: object to processing based on legitimate interests.
  • Withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any right, contact us at contact@skifin.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.

9. Security

We implement industry-standard technical and organisational measures to protect personal data, including:

  • Customer-Managed Key (CMK) encryption at rest (Azure Cosmos DB, Blob Storage).
  • TLS 1.2 or higher for all data in transit.
  • bcrypt password hashing; JWT access tokens with 15-minute expiry.
  • RBAC on all API endpoints; principle of least privilege.
  • Annual third-party penetration testing.

Full security details: droqify.com/security.

10. Cookies

This marketing site does not use tracking or analytics cookies. The Droqify application uses a single HttpOnly cookie for refresh token storage (security purpose, no tracking). We do not use advertising cookies.

11. Children's Privacy

Droqify is a business-to-business service and is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently done so, please contact us at contact@skifin.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified to active application users by email at least 14 days before they take effect. The current version is always published at droqify.com/privacy. The date at the top of this page shows when it was last updated.

13. Contact

For privacy enquiries, data subject requests, or GDPR-related questions: