Privacy Policy
Effective date: Feb 6 2026. This policy explains how Obscura Document Redaction ("we", "us") handles information when you use the Service.
1. Information you provide
When you use the Service, you may upload documents or images for redaction. We process this content solely to provide the Service.
2. Data handling and storage
- Browser processing: PDF rendering and OCR may run in your browser.
- Server processing: DOC/DOCX or certain image formats may be uploaded to the server for conversion.
- Account history: when you are signed in, we store project history (document name, metadata, redactions, and a copy of the document) on our servers so you can access it across devices.
- History availability: history improves workflow, but it is not a system of record. Keep your own backups for critical records.
- Retention: history retention is configurable by workspace admins within plan limits.
- Local-only option: workspace admins can choose local-only history, which stores history only on the user's device and does not sync to the server.
- Local-only history applies to history data only; audit logs and billing records remain server-side.
- Deletion: when you delete a history item, it is removed from our active systems.
- Backups: retained for 12 months by default. Longer retention is available by request.
- Audit logs: retained for 12 months by default. Longer retention is available by request.
3. Legal bases for processing (GDPR/UK GDPR)
Where GDPR or UK GDPR applies, we process personal data based on one or more legal bases:
- Contract: to provide the Service you request.
- Legitimate interests: to secure, maintain, and improve the Service.
- Consent: for optional features where required.
- Legal obligation: to comply with applicable laws.
4. Logs and analytics
We may collect minimal service logs (such as timestamps, IP addresses, and error messages) to keep the Service reliable and secure. We do not sell personal information.
We do not use third-party analytics or behavioral tracking scripts.
5. Sharing
We do not share your content with third parties except to comply with law, protect rights and safety, or with your consent.
Sub-processors (limited to the services below):
- Netcup GmbH (hosting only; Manassas, VA data center).
- Amazon AWS SES (email delivery).
- Backblaze E2 (backup storage; US East).
- Stripe (payments; name and address for verification).
We will provide advance notice of material new sub-processors when required by our agreements and vendor-management process.
DNS providers only route traffic and do not process customer content.
6. Security
We use reasonable safeguards to protect data in transit and at rest. Uploaded documents are encrypted at rest. No method of transmission or storage is 100% secure.
We do not use customer content to train AI or machine-learning models.
7. International data transfers
Data residency: the Service stores and processes data in the United States (Manassas, Virginia).
If you access the Service from outside the United States, your data will be transferred to and processed in the United States.
8. Your privacy rights
Depending on your location, you may have rights to access, correct, delete, or export your personal data, object to or restrict processing, or withdraw consent.
EU/UK residents: you may also lodge a complaint with your local supervisory authority.
8a. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with the following rights:
- Right to know. You may request a description of the categories and specific pieces of personal information we have collected about you, the sources, the business or commercial purpose, and the third parties with whom it is shared.
- Right to delete. You may request that we delete your personal information, subject to certain exceptions (for example, where we are required to retain it by law).
- Right to correct. You may request correction of inaccurate personal information we maintain about you.
- Right to opt out of sale or sharing. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. No opt-out action is required.
- Right to non-discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights.
To submit a request, contact us at support@useobscura.com with the subject "California Privacy Request." We will verify your identity and respond within 45 days. Requests may be extended once for an additional 45 days when reasonably necessary.
9. Data processing addendum
If you are a business customer and require a data processing addendum (DPA), review the DPA and contact us at support@useobscura.com to execute it.
10. Changes
We may update this policy from time to time. The effective date will be updated, and continued use of the Service constitutes acceptance of the new policy.
11. Contact
Questions about privacy? Contact us at support@useobscura.com.