Privacy Policy
Last updated: March 3, 2026
1. Who We Are
DokPath Inc. ("DokPath", "we", "us", or "our") is the data controller for personal data processed through our website at dokpath.com and our AI-powered documentation management platform.
DokPath provides a SaaS platform that uses artificial intelligence to help aviation, railway, and critical infrastructure maintenance teams search, access, and manage technical documentation.
Data Protection Officer
For all privacy-related matters, you may contact our Data Protection Officer at:
Email: dpo@dokpath.com
2. What Data We Collect
We collect the following categories of personal data:
Account Data
Full name, email address, company name, job title, and password (stored hashed). Collected when you register for an account or are provisioned by your organization's administrator.
Activity Logs (Audit Trail)
Tamper-proof "Who-When-What" records including: user identifier, timestamp (UTC), action performed (e.g., document queried, checklist completed, document uploaded), and the document or section accessed. These logs are essential for regulatory compliance and accident investigation purposes under EASA Part 145 and FAA requirements.
Technical Documents
PDF, Word, Excel files, and scanned documents uploaded by your organization. These documents may contain personal data if your organization's documents include such information. DokPath processes these documents solely on behalf of your organization (data processor role) under your organization's instructions.
Visual Component Search Photos
Images of components or parts uploaded by users for visual identification. These images are processed in real time for component identification and are not retained beyond the duration of the search session unless explicitly saved by the user as a "field note".
Offline Mode Device Data
When you use the DokPath offline vault feature, selected documents and associated metadata are encrypted (AES-256) and stored locally on your device. This data remains under your control at the device level. Sync events are logged in our activity log system.
Website Usage Data
When you visit dokpath.com, we may collect browser type, operating system, referring URLs, pages visited, and session duration via cookies and analytics tools. See Section 10 (Cookies) for full details.
3. How We Use Your Data
We use your personal data for the following purposes:
- Service Delivery: To provide, maintain, and improve the DokPath platform, including document ingestion, AI-powered search, multilingual assistants, checklist functionality, and audit reporting.
- Regulatory Compliance & Audit: To generate and preserve audit trails required by EASA Part 145, FAA regulations, and other applicable regulatory frameworks. These records demonstrate that maintenance activities were performed in accordance with approved data.
- Product Improvement: Aggregated, anonymized usage patterns are used to improve platform performance and features. We do not use customer documents or queries to train, fine-tune, or improve AI models. See Section 8 (Zero AI Training Policy).
- Technical Support: To diagnose technical issues, respond to support requests, and ensure service continuity.
- Billing & Account Management: To process subscriptions, issue invoices, and manage your account lifecycle.
- Security & Fraud Prevention: To detect and prevent unauthorized access, data breaches, and misuse of the platform.
4. Legal Basis for Processing
Under GDPR (Regulation (EU) 2016/679), we rely on the following legal bases:
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Service delivery and account management | Performance of contract | Art. 6(1)(b) |
| Audit logs and activity records | Legitimate interest (regulatory audit trail requirements) | Art. 6(1)(f) |
| Compliance reports for EASA/FAA | Legal obligation | Art. 6(1)(c) |
| Security monitoring and fraud prevention | Legitimate interest | Art. 6(1)(f) |
| Marketing communications (newsletter) | Consent | Art. 6(1)(a) |
Where we rely on legitimate interest, you have the right to object to that processing. See Section 6 (Your Rights).
5. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account data (name, email, company) | Duration of contract + 2 years | Contractual obligation, potential dispute resolution |
| Activity audit logs (Who-When-What) | 5 years | Regulatory requirement (EASA Part 145, FAA) |
| Uploaded technical documents | Deleted within 30 days of contract termination | Contractual — customer owns document data |
| Visual search photos (unsaved) | Session duration only (not persisted) | Data minimisation |
| Website analytics data | 26 months | Analytics provider default (Google Analytics) |
Upon expiry of a retention period, data is securely deleted or irreversibly anonymised. If you request deletion before the applicable retention period expires, we will delete all data not subject to a legal retention obligation and inform you of any data we are required to retain.
6. Your Rights (GDPR)
If you are located in the European Economic Area or the United Kingdom, you have the following rights regarding your personal data:
Right of Access (Art. 15)
Request a copy of all personal data we hold about you, along with information about how it is processed.
Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete personal data.
Right to Erasure (Art. 17)
Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
Right to Data Portability (Art. 20)
Receive your personal data in a structured, machine-readable format (JSON or CSV) to transfer to another controller.
Right to Object (Art. 21)
Object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to Restriction (Art. 18)
Request restriction of processing while accuracy is contested or an objection is pending.
How to Exercise Your Rights
Submit a written request to: privacy@dokpath.com
We will respond within 30 days of receiving your request. Where requests are complex or numerous, we may extend this period by a further two months, and will notify you accordingly. Verification of identity may be required before processing the request.
7. Data Transfers
DokPath Inc. is incorporated in the United States. If you are located in the European Economic Area (EEA), your personal data will be transferred to and processed in the United States, which is a third country that does not benefit from an adequacy decision under GDPR Article 45 for all transfers.
We rely on the following transfer mechanisms to ensure an adequate level of protection:
- Standard Contractual Clauses (SCCs): EU-US transfers are covered by the European Commission's Standard Contractual Clauses as adopted by Decision 2021/914 of 4 June 2021. A copy is available upon request at legal@dokpath.com.
- Vercel (Sub-processor): Our hosting provider Vercel, Inc. processes data under SCCs as a sub-processor. Vercel's infrastructure is located in Europe where configured. See Vercel's DPA for details.
We conduct Transfer Impact Assessments (TIAs) before engaging new sub-processors located outside the EEA and document these assessments in our Records of Processing Activities (RoPA).
8. Zero AI Training Policy
Customer data is never used to train AI models. Full stop.
- Technical documents uploaded by customers are processed exclusively within the customer's private, isolated environment.
- Customer queries, responses, and interaction data are never used to train, fine-tune, or improve AI language models — including those used to power the DokPath assistant.
- Document embeddings and vector representations are stored in customer-specific, isolated vector databases. They are not shared across tenants and are deleted upon contract termination.
- This policy applies to all sub-processors handling AI inference. We contractually prohibit our AI model providers from using customer data for training purposes.
9. Sub-processors
We engage the following categories of sub-processors to deliver the DokPath service. All sub-processors are bound by data processing agreements that meet GDPR requirements:
| Sub-processor | Service | Location | Transfer Mechanism |
|---|---|---|---|
| Vercel, Inc. | Cloud infrastructure & hosting | USA / EU (configurable) | SCCs (Decision 2021/914) |
| AI Language Model Provider | AI inference for document Q&A | Disclosed upon contract | SCCs / DPA |
| OCR Service Provider | Document digitisation & text extraction | Disclosed upon contract | SCCs / DPA |
An up-to-date list of all sub-processors is available upon written request at legal@dokpath.com. We will notify Enterprise customers of any material changes to our sub-processor list at least 30 days in advance.
11. Children's Data
The DokPath platform is a professional B2B service intended for use by organisations and their employees. It is not directed at children under the age of 16. We do not knowingly collect personal data from individuals under 16. If you believe that a child under 16 has provided personal data to us, please contact us at privacy@dokpath.com and we will take steps to delete such data.
12. California Residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you additional rights:
- Right to Know: You may request disclosure of the categories of personal information we collect, the sources from which it is collected, the purposes for collection, and the categories of third parties with whom it is shared.
- Right to Delete: You may request deletion of personal information we have collected, subject to applicable exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale: DokPath does not sell personal information, as defined under CCPA/CPRA. We do not share personal information for cross-context behavioural advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your CCPA rights, submit a verifiable consumer request to privacy@dokpath.com. We will respond within 45 days.
13. UK Residents
The UK General Data Protection Regulation (UK GDPR), as retained in UK law by the European Union (Withdrawal) Act 2018, applies to individuals located in the United Kingdom. Your rights are substantially equivalent to those described in Section 6 of this Policy.
Supervisory Authority: The competent supervisory authority for UK residents is the Information Commissioner's Office (ICO): ico.org.uk. You have the right to lodge a complaint with the ICO if you believe we have processed your personal data unlawfully.
UK-US Data Transfers: Transfers of personal data from the UK to the United States are covered by the International Data Transfer Agreement (IDTA), which represents the UK equivalent of the EU Standard Contractual Clauses.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will indicate the date of the last update at the top of this Policy.
For material changes — those that significantly affect your rights or how we process your personal data — we will provide at least 30 days' advance notice by email to the address associated with your account. Your continued use of the service after the effective date of a revised Policy constitutes acceptance of the updated terms.
15. Contact & Complaints
If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
You also have the right to lodge a complaint with the competent data protection supervisory authority in your country of residence. Relevant authorities include:
- Spain: Agencia Española de Protección de Datos (AEPD) — aepd.es
- France: Commission Nationale de l'Informatique et des Libertés (CNIL) — cnil.fr
- Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) — bfdi.bund.de
- Ireland: Data Protection Commission (DPC) — dataprotection.ie
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
This policy was last updated on March 3, 2026. © 2025–2026 DokPath Inc. All rights reserved.
DokPath is designed to align with EASA NPA 2025-07 draft requirements. Formal compliance assessment pending NPA finalization as AMC. DokPath is an information retrieval tool and does not constitute approved maintenance data or replace certified technician judgment.