Privacy Policy

This Privacy Policy explains how OCRQueen collects, uses, stores, and protects information when you use our website, dashboard, playground, APIs, documentation, billing flows, and related services.

OCRQueen is built for developers and organizations processing documents through an extraction API. Uploaded documents may contain sensitive business, technical, legal, educational, or personal information, so we treat customer content as confidential by default.

Account information: name, email address, avatar URL, OAuth provider identity, plan tier, billing status, and authentication/session metadata.

API and usage information: API key prefixes, request metadata, job status, file name, file size, MIME type, page counts, extraction options, cost/usage events, timestamps, webhook delivery status, and error records.

Customer content: documents you upload for extraction, extracted JSON/Markdown results, images or figures extracted from documents, and metadata needed to process, debug, retain, or delete those files according to your settings.

Technical information: IP address, user agent, device/browser information, referrer, logs, rate-limit events, security audit events, and diagnostic telemetry.

Billing information: billing identifiers, plan details, invoices, checkout/portal session metadata, and payment status. Payment card details are handled by our payment processor and are not stored by OCRQueen.

To provide the service: authenticate users, process uploaded documents, return extraction results, deliver webhooks, meter usage, enforce quotas, and maintain API reliability.

To secure the platform: detect abuse, prevent unauthorized access, validate sessions, audit login/logout events, investigate suspicious activity, and protect customer data.

To improve OCRQueen: analyze aggregate usage, debug failures, improve extraction quality, calibrate costs, and prioritize product work. We do not use customer documents to train third-party foundation models.

To communicate with you: send service messages, respond to support requests, provide billing notices, and share important product or policy updates.

Source files and extracted content are governed by two independent retention windows, both controllable per request. Source files default to a 24-hour lifetime in object storage (configurable 0–168 hours via options.retain_hours). Extracted results (markdown + structured JSON) default to a matching 24-hour lifetime in our database (configurable 0–168 hours via options.result_retain_hours). Set both to 0 and use a webhook for ephemeral processing.

You can erase a job on demand via POST /v1/jobs/{id}/purge. This deletes the source bytes and clears the extracted result; the job row remains as a billing tombstone carrying only the fields required for invoicing and tax records (job id, customer id, page count, file size in bytes, status, timestamps). Tombstones contain no document content, no filename, no hash.

If you configure Bring Your Own Storage for output artifacts, extracted images and page renders are written to your bucket and OCRQueen never touches them again — including on purge. Source-side BYOS (uploading directly to your bucket) is on the roadmap; until then the source file is uploaded to OCRQueen-managed storage and deleted per retain_hours.

The full retention contract — what we keep, for how long, and how to make it disappear sooner — lives in our public docs at /docs/data-retention.

OCRQueen may use third-party infrastructure, storage, billing, observability, and AI providers to operate the service. We share only the information needed for those providers to perform services for OCRQueen.

Some extraction workflows may send page images, figures, or document regions to AI providers for OCR, diagram understanding, image description, or similar processing. We avoid sending more content than necessary for the requested extraction profile.

We require subprocessors to protect data appropriately for their role. We do not sell customer content or permit customer documents to be used for advertising.

We use transport encryption, access controls, signed session cookies, server-side sessions, API key hashing, scoped API keys, audit logging, retention controls, and separation between browser-visible demo data and server-side API secrets.

No system can be guaranteed perfectly secure. If you believe you have found a vulnerability or accidental exposure, contact us immediately at support@ocrqueen.com.

You can control document retention options when submitting extraction jobs, rotate or revoke API keys, log out of active browser sessions, and contact us to request account or data deletion.

Depending on your location, you may have rights to access, correct, export, delete, or restrict processing of personal information. We will respond to valid requests according to applicable law.

OCRQueen may process and store information in countries different from where you or your users are located. Where required, we use appropriate safeguards for international data transfers.

We may update this Privacy Policy as OCRQueen evolves. If changes are material, we will provide reasonable notice through the website, dashboard, email, or another appropriate channel.