LaunchDocs

Privacy

Privacy Policy

This policy explains what personal data LaunchDocs collects, why we collect it, who we share it with, and what rights you have. Written for humans — defined terms only where the GDPR requires them.

Last updated: 29 February 2026

1. Who we are

LaunchDocs ("LaunchDocs", "we", "us") provides an AI-assisted documentation, compliance, and procurement workspace for business customers. The legal entity operating the service is the LaunchDocs Ltd. acting as the data controller for personal data we collect directly from website visitors and signed-in users.

For personal data we process on behalf of a business customer (e.g. the contents of an uploaded specification, policy, or RFP), the customer is the data controller and LaunchDocs is the data processor. Those obligations are governed by our Data Processing Agreement, available at launchdocs.ai/dpa.

If you need to reach the team that handles data requests, email privacy@launchdocs.ai.

2. What personal data we collect

We collect only what we need to run the service and meet our legal obligations:

  • Account data: name, email address, hashed password, organisation name, role within the organisation, and any avatar you provide.
  • Content you upload or generate: source files (PDFs, DOCX, transcripts, screenshots), generated documentation, approvals, comments, and the version history of every edit.
  • Payment data: handled directly by Stripe. We see only the last four digits of your card, the brand, the country, your billing email, and our internal subscription identifiers. We never see or store full card numbers.
  • Operational telemetry: IP address (truncated where possible), user agent, page paths visited, timestamps, and the events recorded in our audit log (logins, exports, approval responses).
  • Support correspondence: anything you email to us or send via in-product feedback.

3. Why we process this data (GDPR Article 6 legal basis)

Each category of processing maps to a specific lawful basis under the GDPR:

  • Performing the contract (Art. 6(1)(b)): we need your account data, content, and payment information to deliver the service you signed up for.
  • Legitimate interest (Art. 6(1)(f)): we use operational telemetry and audit logging to keep the service secure, debug failures, and detect abuse. Our interest is balanced against your right to expect a safe service — we minimise retention and never sell this data.
  • Consent (Art. 6(1)(a)): analytics and marketing cookies are only set after you accept them in the cookie banner. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): we retain audit-relevant records to comply with tax, accounting, and security regulations.

4. How long we keep data

We do not keep data longer than we need to.

  • Active accounts: data is kept for the lifetime of the subscription.
  • Trial accounts inactive for 90 days: account is soft-deleted.
  • Trial accounts inactive for 180 days: all data is permanently deleted.
  • Cancelled paid accounts: all data is permanently deleted 30 days after cancellation, allowing a recovery window for accidental cancellations.
  • Audit logs: retained for 2 years to support security investigations and regulatory obligations.
  • Backups: rolling backups are retained for up to 35 days and then irreversibly destroyed.

Before automatic deletion of an inactive trial, we send a warning email 14 days in advance so you can extend the account or export your data.

5. Who we share data with (sub-processors)

We only share personal data with sub-processors that help us deliver the service. We require each one to apply appropriate technical and organisational measures and, where relevant, to be bound by Standard Contractual Clauses for transfers outside the EEA.

  • Anthropic — AI generation (USA, SCCs in place). Document source material and prompts are sent to Anthropic for AI inference. Anthropic does not train its production models on our customers' API traffic.
  • Stripe — payment processing (USA, SCCs in place).
  • Resend — transactional email (USA, SCCs in place).
  • MongoDB Atlas — primary database with encryption at rest.
  • Our cloud infrastructure provider — application hosting and storage.

The current sub-processor list is published in our Data Processing Agreement at launchdocs.ai/dpa. We notify customers 30 days before adding a new sub-processor that processes personal data on their behalf.

6. International data transfers

Some of our sub-processors are based in the United States. When personal data leaves the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, supplementary measures such as encryption in transit and at rest.

If a sub-processor is part of the EU-US Data Privacy Framework, we additionally rely on that adequacy decision. The DPA at launchdocs.ai/dpa lists the safeguard in place for each sub-processor.

7. Your rights under the GDPR

If you are based in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights regarding your personal data:

  • Right of access — confirm whether we hold data about you and obtain a copy.
  • Right to rectification — correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — ask us to delete your account and all associated personal data. You can trigger this yourself in Settings → Account.
  • Right to data portability — receive your data in a structured, machine-readable format. Available in Settings → Account → Download my data.
  • Right to restrict processing — ask us to temporarily pause processing while a complaint is investigated.
  • Right to object — object to processing based on legitimate interest, including any profiling.
  • Right to withdraw consent — withdraw any consent you have given (e.g. analytics cookies).
  • Right to lodge a complaint — with your national supervisory authority. We hope you'll talk to us first.

To exercise any of these rights, email privacy@launchdocs.ai or use the self-service tools in Settings → Account. We respond within 30 days, free of charge unless requests are manifestly unfounded or excessive.

8. Cookies and similar technologies

We use only the cookies we actually need. The cookie consent banner is shown to first-time visitors detected as being in the EEA, the UK, or Switzerland.

  • Strictly necessary cookies — required for login, security, and core service functionality. These are set without consent because the service cannot function without them.
  • Analytics cookies — only set after you accept analytics in the banner. We use first-party analytics to count visits and improve usability. No data is sold or shared with advertising networks.
  • Marketing cookies — only set after you accept marketing in the banner. Used for measuring the effectiveness of the few campaigns we run.

Your cookie choice is stored in your browser as launchdocs_cookie_consent. You can change it at any time from the footer.

9. AI processing and your content

When you generate documentation, your uploaded source material and the resulting prompts are sent to Anthropic's Claude API for inference. Anthropic processes this data according to its own privacy policy, which is available at anthropic.com/privacy.

Anthropic states publicly that it does not train its production models on data received via its enterprise API. We rely on that commitment as part of our sub-processor due diligence.

Generated output is yours. We do not claim ownership of any source material you upload or any documentation we help you produce.

Because AI output is not guaranteed to be accurate, you must review every AI-generated document before using it in regulated or legally binding contexts. The LaunchDocs workspace flags AI-generated content with an "AI" badge and surfaces inferences requiring human verification.

10. How we protect your data

Personal data is encrypted in transit using TLS 1.2+ and at rest using the encryption controls of our database and storage providers. Access to production systems is restricted to a small number of LaunchDocs personnel, gated by Two-Factor Authentication and reviewed quarterly.

Our full security overview is available at launchdocs.ai/security. To report a vulnerability, email security@launchdocs.ai.

11. Contact us

If you have any questions about how LaunchDocs handles your personal data — or you'd like to exercise a right under the GDPR — email privacy@launchdocs.ai. We aim to respond within 5 working days.