Privacy Policy

GDPR, Privacy and Data Protection

The European General Data Protection Regulation (“GDPR”) introduces a modern set of rules for processing personal data. GDPR applies globally, not just within the European Economic Area (“EEA”). Switched On App Ltd, trading as DocuRail, embraces GDPR as the benchmark for privacy and data protection efforts.

This page outlines GDPR, privacy, and data protection at DocuRail. Please also see our Privacy Policy and Terms of Use.

Why GDPR Matters

GDPR modernises privacy laws and affects organisations that collect or process data in or from Europe. If you’re based in Europe, or work with individuals in Europe, you likely need to comply. Non-compliance risks fines of up to €20,000,000 or 4% of global annual turnover.

How to Prepare

If impacted, you must comply with GDPR. DocuRail is built to support GDPR compliance. Recommended steps include:

  • Review vendors and data flows, documenting what personal data you collect and where it goes.
  • Review the DocuRail Data Processing Addendum (DPA) if you are a controller.
  • Perform risk assessments to identify compliance gaps.
  • Plan and implement GDPR compliance as an ongoing process.

Note: This is not legal advice. Consult a lawyer if unsure about your compliance.

Common Questions

What is GDPR?

GDPR (EU Regulation 2016/679) is the European privacy law effective from 25 May 2018. It aims to:

  • Increase awareness of data privacy
  • Give individuals more control over their personal data
  • Strengthen organisational security requirements

Where and When Does GDPR Apply?

GDPR applies to all organisations in the EEA, and to non-EEA organisations that process personal data of EEA individuals. DocuRail, though UK-based, applies GDPR for all EEA customers.

What Does DocuRail Do?

DocuRail provides a SaaS platform for creating mobile and desktop business apps, capturing and storing data securely, and integrating with external systems. Customers act as Controllers; DocuRail acts as Processor, except in limited direct interactions where DocuRail is Controller.

Our GDPR Efforts

  • EU Hosting: All EEA customer data is hosted in Microsoft Azure West Europe (Amsterdam) and North Europe (Dublin).
  • Encryption: All data is encrypted at rest and in transit over SSL.
  • DPO: A dedicated Data Protection Officer oversees compliance.
  • DPA: A standard pre-signed Data Processing Addendum is available online.
  • Privacy Flags: Fields can be marked as personal data, allowing anonymisation on export.
  • Sub-processors: All sub-processors are vetted for security and GDPR compliance.
  • Product Development: New features follow “privacy by design” and “privacy by default”.

Personal Data Processing

Data processed includes user contact information, device and connection details, geolocation, and customer-submitted data such as IP addresses. DocuRail processes only under customer instruction.

Data Retention

  • Users: Deleted user data is removed or anonymised within 7 days. Deactivated accounts are archived.
  • Other Data: Retention is customer-controlled.
  • Backups: Kept securely for up to 60 days.
  • Development/Test: When data is used for development or testing, personal data is anonymised.

Access to Personal Data

Access may be given to:

  • DocuRail customers (based on permissions)
  • DocuRail employees and contractors (trained and bound by agreements)
  • Approved sub-processors
  • Third parties if required by law or to protect safety/prevent fraud

Data Storage

DocuRail hosts data in the USA, Europe, and Australia. European customers are hosted exclusively in the EEA. Exports outside the EEA only occur where legally valid and necessary (e.g. EU Standard Contractual Clauses, Privacy Shield).

Marketing and Automation

Administrator users may receive platform news or offers, with opt-out available. DocuRail does not use customer personal data for direct marketing or automated decision-making.