Document Works
FeaturesSovereignty
Log inJoin Waiting List

Privacy Statement

Version 1.0 — last updated 15 April 2026.

Document Works ("we", "us") respects your privacy and processes your personal data with care. In this statement we explain which personal data we process, for what purpose, on what legal basis, how long we retain them, and which rights you have under the General Data Protection Regulation (GDPR).

1. Who is the controller?

The controller for the data you submit through our public website (contact form, demo requests, blog subscriptions) is:

DocumentWorks is a trade name of Newtech Studio B.V. Dutch Chamber of Commerce: 92716474 — VAT: NL851029279B01

For the data that you, or users within your organisation, process in the application (email, documents, calendar, contacts, chats, video calls, AI prompts), our role depends on the type of account:

  • Business customer — if you are an employee or staff member of an organisation that purchases the Service, Document Works acts as a processor within the meaning of GDPR art. 28. The business customer (your employer, or whoever signed the licence) is then the controller. The arrangements are set out in our data processing agreement.
  • Consumer — if you have signed up for a personal account (without a business licence), you are the controller for the content you process in your account. In that case Document Works acts as controller for account data and billing and as processor for the content you process yourself. You can exercise your rights (access, rectification, erasure, portability) directly with us via privacy@document.works.

Privacy contact: privacy@document.works

2. Which personal data do we process?

2.1 On the public website

  • Name, email address, company name, telephone number and message when you complete a contact form or demo request.
  • Limited technical data (IP address, user agent, request path) in our server logs for security and debugging.
  • Your email address if you sign up for our newsletter or blog updates.

2.2 In the application (processor role)

When your employer or organisation grants you access to the application, we process on their behalf, among other things:

  • Account and identity data: name, email address, role, organisation, password hash, two-factor settings.
  • Email: all content of mailboxes that you process via our integrated mail servers (sent, received and draft messages, attachments, folders, labels).
  • Files and documents: files you upload to our file storage and edit through our document editing environment.
  • Calendar and contacts: calendar items (incl. recurring appointments and invitations) and contact details from connected CalDAV/CardDAV sources.
  • Chat and chat history within teams and projects.
  • Video calls: signaling and session metadata via our video-call environment on our own servers. We do not record by default; recordings are only stored on our infrastructure if the user explicitly activates a recording feature.
  • AI interactions: the prompts you send to the AI assistant and the resulting output (text, images, transcriptions).
  • AI memory: concise facts about your work context extracted by the AI assistant (e.g. preferences, recurring tasks) that the assistant uses to better fit your situation in later interactions. These "memories" are designed to persist beyond a single conversation. You can view and delete individual memories, or the entire AI memory, at any time via your account settings.
  • Audit and activity logs: a limited trail of who did what when (login, failed login attempts, document open, document share) for security and compliance.
  • Technical logs: request logs, error logs, performance metrics.

3. For what purpose and on what legal basis?

Purpose Legal basis (GDPR art. 6)
Performance of the agreement (access, storage, collaboration, AI features) art. 6(1)(b) — performance of contract
Account management and authentication art. 6(1)(b) — performance of contract
Security of the service (logging, fraud detection, rate limiting) art. 6(1)(f) — legitimate interest
Legal obligations (tax and accounting obligations) art. 6(1)(c) — legal obligation
Customer service and helpdesk art. 6(1)(b) — performance of contract
Responses to contact forms / demo requests art. 6(1)(f) — legitimate interest
Newsletter / marketing communications art. 6(1)(a) — consent

We do not process special categories of personal data (GDPR art. 9) as part of the standard service. You may choose to include such data in your email or documents; in that case the usual confidentiality and security measures apply.

4. With whom do we share personal data?

We share your personal data with a limited set of sub-processors, as specified in our public list of sub-processors:

  • Hetzner Online GmbH (Germany): hosting of all servers, storage and back-ups.
  • Mistral AI SAS (France): AI text, image generation and speech recognition, at the user's request. For Mistral we have chosen the Scale Plan with Zero Data Retention (ZDR), so that submitted prompts and output are not retained by Mistral or used for model training.

We do not share your personal data with other third parties, except where required by law (e.g. on a lawful request from a law enforcement authority) or where you yourself unambiguously consent (e.g. an integration with an external service that you activate).

5. Transfers outside the EEA

All sub-processors we have chosen are established within the European Economic Area (EEA). Personal data are not transferred to countries outside the EEA. If we were to engage a sub-processor outside the EEA in the future, we will only do so on the basis of adequacy decisions or standard contractual clauses (SCCs, GDPR art. 46) and we will inform you in advance.

6. How long do we retain personal data?

Category Retention period
Account and profile data As long as the account is active, then a 30-day deletion period
Email, documents, calendar, contacts, chat As long as you or your organisation keep them in the application; permanently erased within 30 days of deletion
Back-ups (encrypted, at rest) Up to 30 days rolling
AI conversations (chat with assistant) 90 days, then deleted
AI memory (facts extracted by the assistant) Persistent until you delete it; permanently erased on account deletion
Audit and security logs 12 months
Server and application logs (debugging) 30 days
Billing data 7 years (Dutch tax retention obligation, art. 52 AWR)
Contact form content 12 months, then deleted
Newsletter subscription Until withdrawal of your consent

Note on back-ups: back-ups are stored encrypted and have a rolling window. Even after deletion from the live environment, data may briefly persist in older back-ups, until the natural expiry of that back-up.

7. How do we secure your data?

A more detailed explanation is in our Security Statement. In summary:

  • Encryption in transit: TLS 1.2+ with HSTS preload on all public endpoints.
  • Encryption at rest: all credentials for third-party services (IMAP, SMTP, OAuth tokens) are stored encrypted with a separate key (ENCRYPTION_KEY). Database back-ups are GPG-encrypted before being written.
  • Authentication: OIDC with optional two-factor authentication, short session tokens (30 minutes) for document editing.
  • Access control: strict role-based, audit-logged. Our staff have access to production environments only on a need-to-know basis.
  • Strict CSP with nonce-based script policy in the web application; defensive HTTP security headers.
  • Rate limiting on authentication and API endpoints, automatic blocking on brute-force attempts.
  • Periodic security audits and vulnerability analyses of our own code and the open-source components we use.

8. Your rights under the GDPR

You have the following rights with respect to your personal data:

  • Right of access (art. 15) — you may request a copy of your data.
  • Right to rectification (art. 16) — correct inaccurate data.
  • Right to erasure (art. 17, "right to be forgotten") — have your data erased, subject to statutory retention obligations.
  • Right to restriction of processing (art. 18).
  • Right to data portability (art. 20) — receive your data in a structured, commonly used, machine-readable format.
  • Right to object (art. 21) — object to processing based on legitimate interest.
  • Right to withdraw consent for processing for which your consent is the legal basis, without affecting the lawfulness of processing before the withdrawal.

How to exercise your rights?

Send a request to privacy@document.works. We respond within 1 month, and in complex cases within 3 months at the latest (GDPR art. 12(3)). We may ask you to identify yourself to prevent abuse.

If you are in the application and your employer is the controller, please submit your request primarily to them. At your employer's request we will carry out the technical execution.

Automated decision-making

The AI features (summarisation, writing assistance, image generation) process text or image prompts at your initiative and return text or image suggestions. These features do not make automated decisions with legal effects or similarly significant effects on you within the meaning of GDPR art. 22. Suggestions are only applied on your explicit action.

9. Filing a complaint

Disagree with how we handle your data? We appreciate it if you first contact us via privacy@document.works so we can find a resolution together. In addition, you always have the right to lodge a complaint with the Dutch Data Protection Authority:

Autoriteit Persoonsgegevens Postbus 93374, 2509 AJ The Hague autoriteitpersoonsgegevens.nl

10. Changes to this statement

We may update this privacy statement when our service or laws and regulations give reason to do so. The most recent version is always available at document.works/en/legal/privacy, with version and effective date at the top. For material changes we inform active users by email or by an announcement in the application.

Document Works

The European Productivity Suite

🇪🇺 Made in Europe

Product

  • Features
  • Security

Company

  • Contact
  • Imprint

Legal

  • Terms of Service
  • Privacy Policy
  • Cookies
  • Acceptable Use
  • Security
  • Sub-processors
  • Data Processing Agreement
© 2026 Document Works. All rights reserved.