Privacy Policy
Effective date: April 2026
Introduction
DocVault (“we,” “us,” or “our”) is a product of Honest Fox, an Australian company. We built DocVault to give Webflow builders proper file infrastructure — and that means being straightforward about how we handle your data.
This policy explains what we collect, why we collect it, and what we do with it. We’ve written it in plain language, not legalese. If something is unclear, email us at [email protected] and we’ll explain it.
What We Collect
(a) Webflow OAuth. When you connect DocVault, Webflow shares your user ID, name, email address, site IDs, and an access token. We never see your Webflow password — authentication happens directly between you and Webflow.
(b) Files you upload. Documents and assets you upload are stored in Cloudflare R2. We store associated metadata: filename, file size, MIME type, upload timestamp, and any labels you apply.
(c) Usage data. We track download counts, storage consumed, and feature usage. This is how we enforce plan limits and show you accurate usage stats in the extension.
(d) Billing information. Payments are processed by Stripe. We receive your subscription status, plan tier, and billing email. We do not receive or store your full card details — those stay with Stripe.
(e) Technical data. IP addresses, browser and client type, request timestamps, and error logs are collected for security and debugging purposes.
How We Use It
We use the data we collect to:
- Authenticate you and operate your account
- Store, serve, and manage your files via Cloudflare R2 and our CDN
- Enforce plan limits and display accurate usage information
- Process payments and manage your subscription via Stripe
- Send transactional emails (account activity, billing receipts, material policy changes) — we do not send marketing email without your explicit consent
- Monitor for abuse, investigate errors, and debug issues
- Improve the product using aggregate, anonymised usage patterns
We do not sell your personal data. We do not use your uploaded content to train AI models.
Legal Basis for Processing (GDPR)
If you are in the European Economic Area or United Kingdom, we process your data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the service | Contract performance |
| Billing and payments | Contract performance |
| Security and abuse prevention | Legitimate interest |
| Product improvement (aggregate) | Legitimate interest |
| Legal and tax compliance | Legal obligation |
| Marketing communications | Consent |
Third-Party Services
We work with a small number of sub-processors to operate DocVault. We do not use advertising networks, analytics SDKs, or social media tracking pixels.
| Sub-processor | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Cloudflare Inc | File storage (R2), CDN, compute (Workers), database (D1) | Global (US HQ) | cloudflare.com/privacypolicy |
| Stripe Inc | Payment processing | US | stripe.com/privacy |
| Webflow Inc | Authentication (OAuth) | US | webflow.com/legal/privacy |
Data Retention
- Account data: Retained for the life of your account, plus 30 days after closure.
- Billing records: Retained for 7 years to satisfy tax compliance requirements.
- Uploaded documents: Deleted within 30 days of a deletion request or account closure.
- Server logs: Retained for 90 days.
Your Rights
You can access, correct, delete, and export your files at any time from within the extension. You may also withdraw consent for any processing based on consent.
To exercise any of these rights, email [email protected]. We will respond within 30 days.
If you are in the EEA or UK, you have rights under GDPR/UK GDPR including access, rectification, erasure, restriction, portability, and objection. We will honour these to the best of our ability. If you have unresolved concerns, you may contact your local data protection authority (DPA).
Webflow OAuth and Token Revocation
You can disconnect DocVault from your Webflow account at any time via your Webflow account’s app settings. When you do, we immediately invalidate your access token and cease any further data collection from Webflow on your behalf.
Files you have already uploaded to DocVault remain in storage until you delete them or close your account. Revoking OAuth access does not automatically delete your stored files.
Cookies
DocVault uses minimal session cookies for authentication purposes only. We do not use third-party advertising cookies or tracking cookies of any kind.
Data Security
Files stored in Cloudflare R2 are encrypted at rest. All data in transit is protected via HTTPS. Access to your files and account data requires valid authentication tokens. We apply access controls to limit who on our team can access production data.
That said, no system is perfectly secure. We work hard to protect your data, but we cannot guarantee absolute security. If you discover a vulnerability, please report it to [email protected] — we take security reports seriously.
Breach Notification
In the event of a confirmed data breach, we will notify affected users and relevant supervisory authorities within 72 hours, in accordance with GDPR and the Australian Notifiable Data Breaches (NDB) scheme.
Australian Privacy Act
DocVault complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). The Notifiable Data Breaches scheme applies to our operations. If you wish to make a privacy complaint, you may contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
International Data Transfers
Our sub-processors Cloudflare and Stripe process data globally, including in the United States. Where required by applicable law, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards to govern international transfers of personal data.
Children
DocVault is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us at [email protected] and we will delete it promptly.
Changes to This Policy
When we update this policy, we will update the effective date at the top. For material changes, we will email active users at least 30 days before the changes take effect. Continued use of DocVault after that period constitutes acceptance of the updated policy.
Contact
Questions about this policy? Email us at [email protected].
DocVault is a product of Honest Fox. webflowdocvault.io
Last updated: April 2026