
Data Processing Agreement

Version 1.0 · June 12, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service and applies automatically whenever you use Luminari Doc to process documents that contain personal data. It is what GDPR Article 28 requires to exist between you and us — written to be read. Need a countersigned copy for your records or your own clients? Email hello@luminaridoc.com and you'll have a signed PDF within two business days.

1. Parties and roles

Controller: you, the customer (or the company on whose behalf you use the Service).
Processor: Slim Labbane Dit Kalti, sole proprietor, operating Luminari Doc ("we"). Contact: hello@luminaridoc.com.

This DPA covers the personal data contained in documents you upload. For your own account data (your email address, login, billing), we are the controller — that processing is described in the Privacy Policy.

2. Subject matter, nature and purpose

We process documents you upload for one purpose only: generating the analysis you requested. The processing consists of: receiving the document over an encrypted connection, extracting its text in memory (the original file is never written to disk), where needed performing OCR on scanned documents, submitting the text to our AI subprocessor on EU servers, and delivering the resulting analysis to your dashboard.

3. Duration

This DPA applies for as long as you hold an account. The data itself lives far shorter — see Section 8.

4. Categories of data and data subjects

Whatever personal data your business documents happen to contain — typically names, contact details, roles, and financial or contractual information of your clients, counterparties, employees, or other persons referenced in the documents. You control what you upload; Section 4 of the Terms excludes certain high-stakes uses entirely.

5. Your instructions

We process documents only on your documented instructions. Your instructions are: the act of uploading a document, the analysis type you select, and any focus note or analysis profile you apply. We never process uploaded documents for any other purpose — no training, no profiling, no secondary use of any kind. If we believe an instruction conflicts with the GDPR, we will tell you instead of executing it.

6. Confidentiality and security

Technical and organisational measures, stated plainly:

  • All transfers encrypted in transit (TLS).
  • Original files never written to disk — text extraction happens in memory.
  • Analyses encrypted at rest (AES-256-GCM). Honestly framed: this protects the database if stolen, not against a full compromise of the running server.
  • Documents processed in isolation under unguessable identifiers; no cross-customer state.
  • Access to production systems limited to the Operator, key-only SSH, EU-located servers exclusively.
  • Passwords hashed with argon2id; optional two-factor authentication on every account.

Every person authorised to process data (today: the Operator alone) is bound to confidentiality.

7. Subprocessors

You authorise the following subprocessors — the complete list, identical to the one in our Privacy Policy:

| Subprocessor | Location | Role |
|---|---|---|
| Hetzner Online GmbH | Germany (Falkenstein) | Hosting — receives and processes documents for the duration of analysis |
| Mistral AI | France (EU servers) | AI analysis and OCR of document text. Paid API tier; model training on API data contractually excluded and additionally disabled on our account |
| Scaleway | France | Transactional email (notifications carry your email address and the document's filename — never its content) |
| Heinlein Hosting GmbH (mailbox.org) | Germany | Business mailbox — only processes what you choose to email us |

Paddle (UK), our merchant of record, is an independent controller for billing — not a subprocessor of document data. No US company touches your documents at any step.

We will announce any change to this list on this page and by email to subscribers at least 14 days in advance. If you object to a new subprocessor, you may terminate and receive a pro-rata refund of any unused prepaid period.

8. Retention, deletion, return

  • Original files: never stored. Discarded in memory immediately after text extraction.
  • Extracted text: deleted the instant the analysis is generated; an independent automated sweep enforces a hard 24-hour maximum regardless.
  • Analyses: encrypted, auto-deleted after 30 days — or instantly when you press Delete. They are yours to download before then.
  • Account deletion erases all of the above immediately. There is nothing to "return" at the end of processing because nothing of your documents survives it — the analysis in your dashboard is the only artifact, and you control it.

9. Assistance

Taking into account the nature of processing, we assist you with data-subject requests (access, erasure, etc.) and with your security and breach-notification obligations under GDPR Articles 32–36. Given our deletion schedule, the honest answer to most data-subject requests is that the data no longer exists; we will confirm this in writing when you need it.

10. Personal data breaches

If we become aware of a personal data breach affecting your documents, we will notify you by email without undue delay and no later than 48 hours after becoming aware, with what we know: nature of the breach, data concerned, likely consequences, and measures taken.

11. Audit and information

We make available the information necessary to demonstrate compliance with Article 28: this DPA, our Privacy Policy, subprocessor DPAs, and written answers to reasonable audit questionnaires within 10 business days. On-site or remote technical audits can be arranged by agreement, at your cost, no more than once per year unless a breach has occurred.

12. Transfers

Document data is processed exclusively within the EU/EEA. We will not transfer it outside the EU/EEA. (Billing data is handled by Paddle (UK) as an independent controller, under the UK adequacy decision.)

13. Liability and governing law

Liability under this DPA follows Section 9 of the Terms of Service. This DPA is governed by the laws of the Netherlands, consistent with the Terms.

14. Changes

Material changes to this DPA will be announced on this page and by email at least 14 days in advance. The version and date at the top tell you what you're reading.

© 2026 Luminari Doc · hello@luminaridoc.com