
Privacy Policy

Effective Date: 1 May 2026  |  Last Updated: 1 May 2026

Our commitment: PharmaDocs AI processes pharmaceutical documents that may contain sensitive commercial data. We treat your data with the highest confidentiality standards and never sell or share it with advertisers or unrelated third parties.

1. Data Controller

The data controller for PharmaDocs AI is Ashab Group, a pharmaceutical company registered in India. For privacy enquiries, contact us at info@ashabpharma.com.

2. Data We Collect

2.1 Account Data

  • Full name and email address (collected at registration)
  • Company name, registration number, phone number, and address (collected during onboarding)
  • Company logo and signatory signature images (uploaded by you)
  • Password (stored as a bcrypt hash — we never store plain-text passwords)

2.2 Project and Document Data

  • STP/SPC files you upload (stored encrypted in Cloudinary)
  • AI-extracted pharmaceutical parameters from your documents
  • Generated GMP documents (DOCX/Excel files)
  • Master data you enter (instruments, chemicals, reference standards)

2.3 Usage and Technical Data

  • Number of AI calls, documents generated, and storage consumed (for billing purposes)
  • API request logs (endpoint, timestamp, status code) if you use the Developer API
  • Browser type, IP address, and session data (via authentication cookies)

3. How We Use Your Data

Purpose  |  Legal Basis  |  Retention
Deliver the Service (AI extraction, document generation)  |  Contract performance  |  Duration of account
Authentication and session management  |  Contract performance  |  Session expiry (1 hour / 30 days)
Billing and subscription management  |  Contract performance / Legal obligation  |  7 years (tax records)
Customer support  |  Legitimate interest  |  3 years after ticket closure
Security monitoring and fraud prevention  |  Legitimate interest  |  90 days
Platform analytics and improvement  |  Legitimate interest  |  Aggregated, no individual link

4. Third-Party Services

We use the following third-party services to operate the Platform:

  • Supabase: Authentication and database hosting (PostgreSQL). Data processed in the EU/US under Supabase's DPA.
  • Cloudinary: Secure file storage for uploaded STP files, generated documents, logos, and signatures.
  • Google Gemini AI: AI processing of document text for parameter extraction. Files are sent to Google's API for AI inference only — not retained for training by Google under our enterprise agreement.
  • Vercel: Application hosting and serverless function execution.

Each third-party processor is bound by appropriate data processing agreements and complies with applicable privacy regulations.

5. Cookies and Session Data

We use strictly necessary HttpOnly cookies to manage your authenticated session:

  • pharma_access_token: Short-lived JWT access token (1 hour expiry). HttpOnly, Secure.
  • pharma_refresh_token: Refresh token for seamless re-authentication (30-day expiry). HttpOnly, Secure.

We do not use advertising cookies, tracking pixels, or analytics cookies that identify individual users.

6. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of all personal data we hold about you
  • Rectification: Correct inaccurate data via your Settings page or by contacting us
  • Erasure: Request deletion of your account and all associated data
  • Portability: Request an export of your projects and documents in machine-readable format
  • Objection: Object to processing based on legitimate interest
  • Restriction: Request restriction of processing in certain circumstances

To exercise any right, email us at info@ashabpharma.com. We respond within 30 days.

7. Data Security

We implement multiple layers of security:

  • All data transmitted over HTTPS/TLS
  • Passwords hashed with bcrypt (industry-standard)
  • Files stored with Cloudinary's enterprise-grade encrypted storage
  • Database protected by Supabase Row Level Security — each company can only access its own data
  • API keys stored as SHA-256 hashes — the raw key is shown only once at creation
  • HttpOnly, Secure, SameSite=Lax cookies prevent XSS token theft

8. Data Retention and Deletion

When you delete your account, all personal data, uploaded files, and generated documents are permanently deleted within 30 days. Billing transaction records are retained for 7 years as required by tax law. Anonymised aggregated usage statistics may be retained indefinitely.

9. International Transfers

Your data may be processed in countries outside your own, including India, the United States, and the European Union, by our third-party processors listed above. All transfers are protected by appropriate safeguards (Standard Contractual Clauses, Privacy Shield equivalents, or adequacy decisions).

10. Children's Privacy

The Platform is intended for professional use by adults aged 18 and over. We do not knowingly collect data from minors. If you become aware of a minor using the Service, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy. Material changes will be communicated by email at least 14 days in advance. The "Last Updated" date at the top of this page will reflect the most recent revision.

12. Contact and Complaints

For privacy questions or complaints:

  • Email: info@ashabpharma.com
  • Website: https://www.ashabgroup.in/

If you are in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.
