Privacy Policy

NDM Global Inc., a Delaware corporation (“NDM”, “we”, “us”, or “our”), is committed to protecting your (“you” or “your”) privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use or access our website at docq.app and other related services, including DocQ products and services (collectively, the “Services”).

NDM Global is an ISO 27001 certified organization. Our information security management system undergoes regular independent audits to ensure that your data is handled in accordance with internationally recognized security standards.

Our Terms of Service are incorporated herein by reference. By using the Services or otherwise interacting with us, you agree to this Privacy Policy. If you do not agree, please do not access or use the Services.

We may update this Privacy Policy from time to time. When we make changes, we will revise the “Last Updated” date at the top of this page. If we make material changes, we will provide prominent notice — such as an email notification or a banner on our website — prior to the changes taking effect. We encourage you to review this Privacy Policy periodically.

3.1 Information You Provide

We collect information that you voluntarily provide, including:

• Account information — name, email address, password, company name, job title, phone number, and country when you register or submit a form.
• Billing information — payment details and billing address if you purchase paid Services (processed by our PCI-compliant payment processors; we do not store full card numbers).
• Communications — messages you send through our support channels, demo requests, or other inquiries.
• User content — documents, workflows, data, and other content you create, upload, or share through the Services.
• Survey & feedback data — responses you provide through surveys, ROI calculators, or other interactive tools.

3.2 Information Collected Automatically

When you access the Services, we automatically collect:

• Device information — device type, operating system, browser type and version, screen resolution, and unique device identifiers.
• Log data — IP address, access timestamps, referring/exit URLs, pages viewed, click patterns, and language preferences.
• Location data — approximate geographic location inferred from your IP address (we do not collect precise GPS location without your consent).
• Usage metadata — high-level, non-content information about how you interact with the Services, such as feature usage frequency and session duration.

3.3 Information from Third Parties

We may receive information about you from other users, affiliates, and third parties. If you connect third-party integrations (e.g., Salesforce, SAP, SharePoint), those services may share data with us as authorized by you. The privacy policies of those third parties govern such connections.

We use the information we collect to:

• Provide, operate, maintain, and improve the Services;
• Process transactions, send related information (e.g., purchase confirmations, invoices), and manage your account;
• Communicate with you about products, services, updates, security alerts, and administrative messages;
• Personalize your experience, including recommendations and content tailored to your preferences;
• Conduct analytics and research to understand usage patterns and improve our offerings;
• Detect, investigate, and prevent fraudulent, unauthorized, or illegal activities, and enforce our terms;
• Comply with legal obligations, respond to lawful requests, and protect our rights and the rights of others;
• With your consent, send marketing communications (you may opt out at any time);
• Provide cross-device management and consistent experiences across your devices.

We process your personal information based on one or more of the following legal grounds:

• Contract performance — processing necessary to provide the Services you have requested or to take steps prior to entering a contract.
• Legitimate interests — processing necessary for our legitimate business interests (e.g., improving the Services, fraud prevention, security), provided these interests are not overridden by your rights.
• Consent — where you have given explicit consent for a specific processing purpose (e.g., marketing communications). You may withdraw consent at any time.
• Legal obligation — processing required to comply with applicable laws, regulations, or legal proceedings.

We do not sell, rent, or share your personal information with unaffiliated entities for their own marketing purposes. We may share information in the following circumstances:

• Service providers — trusted third parties that perform services on our behalf (hosting, analytics, email delivery, payment processing, customer support). These providers are contractually obligated to protect your data and may only use it as directed by us.
• Within your organization — content you submit through the Services may be viewable by other authorized users within your organization, depending on your settings.
• Business transfers — if NDM Global is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to this Policy and applicable law.
• Legal compliance — we may disclose information when we believe in good faith that disclosure is necessary to comply with law, respond to a court order or subpoena, protect our rights, prevent fraud, or ensure user safety.
• Aggregated/de-identified data — we may share data that has been aggregated or de-identified so it can no longer be linked to you, for research, analytics, or marketing purposes.

We will attempt to notify you about legal demands for your personal data when appropriate, unless prohibited by law or court order, or when the request is an emergency.

Your information may be transferred to, stored, and processed in the United States and other countries where NDM Global or its service providers operate. These countries may have different data protection laws than your country of residence.

Where we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission;
• Data processing agreements with our sub-processors;
• Our ISO 27001 certification, which provides an internationally recognized framework for information security management.

We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Factors we consider include:

• The duration of our relationship with you and the Services you use;
• Legal obligations that require retention (e.g., tax, accounting, regulatory requirements);
• Whether retention is advisable for our legal position (e.g., statutes of limitations, litigation, regulatory investigations);
• Disaster recovery and business continuity needs.

When personal information is no longer required, we will securely delete or anonymize it in accordance with our data retention policies and ISO 27001 procedures.

We take the security of your information seriously. As an ISO 27001 certified organization, we implement comprehensive administrative, physical, and technical safeguards, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
• Regular independent security audits and penetration testing;
• Role-based access controls and the principle of least privilege;
• Employee security awareness training and background checks;
• Incident response procedures with defined escalation paths;
• Continuous monitoring, logging, and anomaly detection.

While no system is completely secure, we are committed to protecting your data using industry best practices. If you discover a security concern, please report it using our contact form, selecting “Security Concern” as the subject.

Depending on your location and applicable law, you may have the following rights regarding your personal information:

• Access — request a copy of the personal information we hold about you.
• Correction — request correction of inaccurate or incomplete personal information.
• Deletion — request deletion of your personal information, subject to certain legal exceptions.
• Portability — request your personal information in a structured, commonly used, machine-readable format.
• Restriction — request that we restrict processing of your personal information in certain circumstances.
• Objection — object to processing based on our legitimate interests or for direct marketing purposes.
• Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us using the information in the “Contact Us” section below. We will respond within the timeframe required by applicable law (generally 30 days, extendable where permitted). We may verify your identity before processing your request.

Marketing opt-out: You may opt out of marketing communications at any time by clicking the “unsubscribe” link in any marketing email, or by contacting us directly. Please note that you may still receive transactional or service-related communications.

This section provides additional information for California consumers pursuant to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA”).

Under the CCPA, “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to you. It does not include aggregated or de-identified information.

As a California resident, you have the right to:

• Right to Know — request disclosure of the categories and specific pieces of personal information we have collected, the purposes for collection, and the categories of third parties with whom we share it.
• Right to Delete — request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to Correct — request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing — we do not sell your personal information as defined under the CCPA, nor do we share it for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information — request limits on how we use sensitive personal information, where applicable.
• Right to Non-Discrimination — we will not discriminate against you for exercising any CCPA rights.

To make a request, contact us as described in the “Contact Us” section. You may designate an authorized agent to act on your behalf; we may require written authorization and identity verification.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) and equivalent local laws:

• The rights described in Section 10 above (access, correction, deletion, portability, restriction, objection, and withdrawal of consent).
• The right to lodge a complaint with your local supervisory authority if you believe your data has been processed unlawfully.

Data controller: NDM Global Inc., a Delaware corporation, is the data controller for personal information processed through the Services.

Sub-processors: We maintain a list of sub-processors involved in processing your data. For a current list, please contact our Data Protection Officer.

Transfer safeguards: For transfers of personal data outside the EEA/UK, we rely on Standard Contractual Clauses and supplementary measures as described in Section 7 above.

We use cookies and similar technologies to operate, secure, and improve the Services. For full details, please see our Cookie Policy. Below is a summary of the types of cookies we use:

You can manage cookie preferences through your browser settings. Disabling certain cookies may limit your ability to use some features of the Services.

We honor the Global Privacy Control (GPC) signal. When we detect a GPC signal from your browser, we treat it as a valid opt-out of the sale or sharing of your personal information under applicable state privacy laws, including the CCPA.

Some browsers also offer a “Do Not Track” (DNT) signal. Because there is no universally accepted standard for how to respond to DNT signals, we do not currently respond to DNT specifically, but we do honor GPC as described above.

The Services may contain links to third-party websites, tools, or integrations. We are not responsible for the privacy practices or content of those third parties. We encourage you to review their privacy policies before providing any personal information.

The Services are not directed to individuals under the age of 16, and we do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without appropriate parental or guardian consent, we will take steps to delete such information promptly. If you believe we may have collected information from a child, please contact us immediately.

Our Data Protection Officer oversees our compliance with applicable data protection laws. You can reach our DPO with questions related to data protection and privacy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please get in touch. Your message will be routed to the appropriate team based on the subject you select.