Zedoc

Last updated: April 2026

Privacy Policy

This Privacy Policy explains how Applied AI AS ("we", "us", or "our") collects, uses, and protects personal data in connection with the Zedoc platform. We are committed to processing personal data lawfully and transparently in accordance with the General Data Protection Regulation (GDPR) and applicable Norwegian data protection law.

1. Data Controller

The data controller responsible for your personal data is:

Applied AI AS

Svanholmvegen 59

5970 Byrknesøy

Norway

Privacy contact: hi@zedoc.ai

2. About Zedoc

Zedoc is a B2B SaaS platform for the book publishing industry. It allows publishing professionals to create and execute AI-powered pipelines for processing book content. Zedoc processes book content (such as manuscripts, metadata, and associated files) as customer business data on behalf of our customers. We do not treat book content as personal data unless it contains personal data of identifiable individuals that our customers have explicitly provided.

3. Personal Data We Collect and Why

We only collect personal data that is necessary to provide and operate the Zedoc platform. We do not collect personal data relating to end readers or consumers of published books.

Account Data

When you register for Zedoc, we collect your name, email address, hashed password, and your organisation membership and role. This data is necessary to create and maintain your account.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) — this data is required to provide you with access to the platform.

Session Tokens

We store session tokens to authenticate your requests and maintain your login state across sessions.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

Usage and Access Logs

We collect server-side access logs including IP addresses and usage events. These are used for security monitoring, abuse prevention, and diagnosing technical issues.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — we have a legitimate interest in maintaining the security and integrity of the platform.

Cookies and Analytics

We use essential cookies required for the platform to function (such as session cookies). With your consent, we also use analytics cookies to understand how the platform and our marketing site are used. You can manage your cookie preferences at any time via the cookie banner.

Legal basis: Essential cookies — performance of a contract (Art. 6(1)(b) GDPR); analytics cookies — consent (Art. 6(1)(a) GDPR).

Marketing Communications

If you subscribe to product updates or marketing communications, we process your email address for that purpose. You may withdraw your consent at any time by clicking the unsubscribe link in any communication.

Legal basis: Consent (Art. 6(1)(a) GDPR).

Billing and Payment Data

When you purchase credits, payment processing is handled by Stripe, Inc. Stripe collects your name, email address, payment card details, and billing address to process transactions on our behalf. We do not store your full credit card details — these are held securely by Stripe.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) — this data is required to process your payments and provide the service.

4. Data Retention

  • Account data is retained for as long as your account is active, plus 30 days after account deletion to allow for recovery in case of accidental deletion.
  • Access logs and IP addresses are retained for 90 days.
  • Billing records are retained for 5 years in accordance with Norwegian accounting legislation (Bokføringsloven).

5. Hosting and Infrastructure

Zedoc is hosted on OVHCloud infrastructure located in France (European Union). All personal data is stored and processed within the EU. OVHCloud acts as a data processor on our behalf under a data processing agreement.

6. International Data Transfers

Some of our sub-processors are located outside the European Economic Area. Where personal data is transferred to third countries, we ensure appropriate safeguards are in place:

  • OpenRouter (United States) — used to route AI processing requests. No personal account data is sent to OpenRouter; only book content explicitly submitted by the user for AI processing tasks is transmitted. Transfers are safeguarded via Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Stripe (United States) — used for payment processing. Stripe processes billing data (name, email, payment card details, billing address) with EU data residency, safeguarded via Standard Contractual Clauses (SCCs).
  • Soniox — used for audio transcription. Soniox processes data in an EU datacenter and no international transfer occurs.

A full list of our sub-processors is available at zedoc.ai/legal/subprocessors. We maintain a Data Processing Agreement (DPA) for customers who require one, available at zedoc.ai/legal/dpa.

7. Sharing of Personal Data

We do not sell your personal data. We share personal data only with:

  • Sub-processors — third-party services that help us operate the platform (see Section 6 and our sub-processors page), bound by data processing agreements.
  • Legal authorities — where required by law, court order, or to protect the rights and safety of our users or the public.
  • Business transfers — in the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction, subject to the same privacy protections.

8. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. Passwords are never stored in plain text. Access to personal data is restricted to personnel who require it for their role.

9. Your Rights

Under the GDPR, you have the following rights in relation to your personal data:

  • Right of access — you may request a copy of the personal data we hold about you.
  • Right to rectification — you may ask us to correct inaccurate or incomplete data.
  • Right to erasure — you may request deletion of your personal data, subject to legal retention obligations.
  • Right to data portability — you may request your data in a structured, machine-readable format.
  • Right to restriction of processing — you may ask us to limit how we use your data in certain circumstances.
  • Right to object — you may object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no.

To exercise any of these rights, please contact us at hi@zedoc.ai. We will respond within 30 days.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will notify you by email or by displaying a notice in the platform before the changes take effect. The date at the top of this page indicates when the policy was last revised.

11. Contact

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at hi@zedoc.ai.