Privacy Policy

Last updated: 10 April 2026

This Privacy Policy explains how Doxnex, a product of AZMORIS Group, collects, uses, and protects your personal data when you use our Document Intelligence Platform available at app.doxnex.io.

In short: We collect only what is needed to run your account, store it on servers located in the European Union (Hetzner, Germany), and never sell your data. You can request deletion at any time.

1. Data Controller

The data controller is AZMORIS Group. For any privacy-related request, contact us at [email protected].

2. Data We Collect

2.1 Account information

Email address (required for authentication)
Company name (for invoice issuance)
Full name (optional, displayed in the portal)
Interface language preference

2.2 Sign in with Google

When you choose to sign in with Google, we receive the following information from your Google account through the OAuth 2.0 protocol:

Your Google email address
Your name (as stored in your Google profile)
Your profile picture URL
Whether your email address is verified by Google

We only request the openid, email, and profile scopes. We do not access your Gmail, Drive, Calendar, Contacts, or any other Google service. We do not store your Google password.

2.3 Document data

Invoices, quotes, customer records, articles, and other documents you create are stored in your tenant space. This data is used only to deliver the service (rendering, storage, electronic invoicing compliance, PDF generation).

2.4 Technical data

IP address (for rate limiting and audit logs)
Browser user-agent (for session tracking)
Timestamps of logins and key operations

3. How We Use Your Data

Authenticate you and secure your account
Generate and store your documents
Send transactional emails (OTP login codes, payment receipts)
Comply with legal obligations (electronic invoicing regulations)
Detect abuse and enforce rate limits

We do not use your data for advertising, profiling, or automated decision making. We do not share it with third parties except strict sub-processors needed to run the service (see section 5).

4. Legal Basis (GDPR)

Contract performance — to provide you the Doxnex service
Legitimate interest — security, rate limiting, fraud prevention
Legal obligation — electronic invoicing archiving
Consent — for optional features such as Sign in with Google

5. Sub-processors

We rely on the following sub-processors to run Doxnex:

Hetzner Online GmbH (Germany) — server hosting, database, storage
Brevo (France) — transactional email delivery
Stripe (Ireland) — payment processing (for paid plans only)
Google LLC — only for users who choose Sign in with Google
B2Brouter (Spain) — Peppol and French PA transmission (opt-in)

6. Data Location and Transfers

All your personal data and documents are stored on servers located in the European Union (Hetzner, Germany). No personal data is transferred outside the EU except when you explicitly use Sign in with Google, in which case a minimal authentication exchange occurs with Google LLC under Standard Contractual Clauses.

7. Retention

Active account data: kept as long as your account is active
Invoices and accounting documents: 10 years (legal requirement)
Technical logs: 12 months maximum
Deleted accounts: purged within 30 days, except data required by law

8. Your Rights (GDPR)

Under the GDPR (Regulation EU 2016/679), you have the following rights:

Access — request a copy of your personal data
Rectification — correct inaccurate data
Erasure — delete your account and personal data (Art. 17)
Portability — export your data in a structured format
Objection — object to certain processing activities
Restriction — limit processing of your data
Complaint — lodge a complaint with your local data protection authority (CNIL in France)

To exercise any of these rights, email us at [email protected]. We respond within 30 days.

9. Security

Doxnex applies industry-standard security measures: TLS 1.3 encryption in transit, AES-256 encryption at rest, rate limiting on authentication endpoints, API key rotation, audit logging, daily automated backups, and strict tenant isolation at the database level.

10. Cookies

Doxnex uses only strictly necessary technical cookies (session and CSRF tokens). We do not use advertising, tracking, or analytics cookies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced by email to all active users at least 15 days before they take effect.

12. Contact

For any privacy-related question, contact [email protected].