Papers

PRIVACY POLICY

Last Updated: November 7, 2025

1. INTRODUCTION & SUMMARY OF CHANGES

The Papers Company LLC ("Papers," "we," "us," or "our") is deeply committed to protecting your privacy and earning your trust. This Privacy Policy explains our practices for collecting, using, and protecting your information across our Services.

Summary of Key Changes in This Version: This policy has been significantly updated from the May 15, 2025 version to reflect the introduction of new features for our "My Papers" service, designed for organizational clients such as universities, tour operators, and other groups ("Organizations"). The key updates include:

  • New B2B Features: We explain the data processing related to new enterprise features like Organizations, Groups, Role-Based Access Control (RBAC), and Trip Management.
  • Data Controller vs. Processor: We clarify our role. For Individual Users, we are the data controller. For Organizational Users, the Organization is the data controller, and Papers acts as a data processor on their behalf.
  • Compliance & Auditing: We detail our collection of audit logs and consent information to help Organizations meet their compliance obligations (e.g., FERPA).
  • Updated Infrastructure Details: We provide more specific information about our cloud and AI service providers.

By using our Services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy and our Terms of Service.

2. OUR ROLE: DATA CONTROLLER VS. DATA PROCESSOR

It is crucial to understand who controls your data.

  • For Individual Users: If you use our Services for personal purposes (e.g., managing your own documents in "My Papers" outside of an organization), The Papers Company LLC is the data controller of your Personal Information.
  • For Organizational Users: If you use our Services as part of an Organization (e.g., you are a student, employee, or traveler invited by a university or tour operator), your Organization is the data controller. In this context, Papers acts as a data processor, processing your data on behalf of and at the direction of your Organization. Your Organization's privacy policies also apply to your data.

3. INFORMATION WE COLLECT

  • A. Information You Provide or That Is Provided on Your Behalf:

    • Account Registration Information: When you create an account via Google OAuth, we collect your user ID, name, email address, and the profile picture you have provided to Google.
    • "Immigration Papers" Data: Sensitive Personal Information and documents you provide for your immigration application.
    • "My Papers" Data: Digital copies of sensitive travel documents (passports, visas, etc.). In an organizational context, this information may be uploaded by you or by an Administrator from your Organization.
    • Organizational and Group Data: When an Organization uses our Services, we collect information about the Organization (name, billing details), its Groups, and associated Trips.
    • Consent Information: For Organizational Users, we may collect and track the status of digital consent (e.g., parent/guardian approval for a minor) for PII disclosure, as directed by the Organization.
    • Communications with Us: Information you provide when you contact our support team.

  • B. Information Collected Automatically:

    • Document Access Audit Logs: In the organizational context for "My Papers," we automatically generate and maintain a detailed audit log for every sensitive document. This log tracks every access, view, share, or modification, including which user performed the action and a timestamp. This log is accessible only to authorized Administrators within your Organization.
    • Usage Data and Cookies: We collect basic interaction data and use essential cookies as described in Section 4.

  • C. Information from Third Parties:

    • We collect account information from Google OAuth and publication data from Google Scholar when you authorize these connections.

4. COOKIES AND AUTHENTICATION

  • A. Our Use of Cookies: We use cookies and similar tracking technologies to operate, secure, and improve our Services. A cookie is a small text file stored on your device that helps us recognize your browser and remember information about your visit. We have categorized the cookies we use to give you clear control and understanding.

  • B. Types of Cookies We Use: We classify our cookies into the following categories:

    1. Necessary Cookies: These cookies are essential for the core functionality of our Services and cannot be disabled in our systems. They are strictly necessary to perform actions you request, such as logging into your account, maintaining your session, and ensuring the security of your connection.

    2. Functionality Cookies: These cookies allow us to provide enhanced and personalized experiences. They are used to remember choices you make and settings you configure (such as your preferred language or display preferences). This information is stored locally on your device only, and the preference data contained within these cookies is never transmitted to our servers.

    3. Analytics Cookies: These cookies help us understand how our Services are being used, which allows us to monitor performance and improve the user experience. We may use our own first-party cookies or third-party analytics services, such as Google Analytics, to collect information about user activity. The data collected is typically aggregated and helps us analyze trends, track user movements in aggregate, and gather demographic information. This data is used for statistical analysis only.

    4. Marketing Cookies: These cookies are used to track users across websites to display relevant and personalized advertisements. We want to be perfectly clear: The Papers Company does not use marketing or advertising cookies on its Services. We do not track your activity for marketing purposes, nor do we share your data with advertisers.

  • C. Your Cookie Choices: Because we use non-essential Analytics Cookies, you have control over your preferences. Upon your first visit, you will be presented with a cookie consent tool where you can choose to accept or reject non-essential cookies. You can change your preferences at any time through a link or settings panel available on our website. Please note that you cannot opt out of Necessary Cookies as they are required for the Services to function. You can also control cookies through your web browser's settings.

  • D. Authentication Security: We secure your account and session using strong, modern cryptographic standards. Your authentication credentials are encrypted using EdDSA (Edwards-curve Digital Signature Algorithm) or, for some older accounts, RS256. Both methods are highly secure industry standards designed to protect your account integrity.

5. DATA STORAGE, PROCESSING, AND INFRASTRUCTURE

  • A. Cloud Service Providers: We partner with Cloudflare and Google Cloud Platform (GCP) to provide secure and reliable Services.
  • B. Data Residency (Physical Location):
    • Account, User Profile, and "My Papers" Data: Stored and processed in Cloudflare's Western North America (WNAM) region.
    • "Immigration Papers" Data: Stored and processed in GCP's us-central-1 region (Iowa, USA).
  • C. Data Transmission: Data is securely transmitted to you from these locations via global edge networks.
  • D. Generative AI Sub-processors: We use OpenAI, Anthropic, and Google to power our generative AI features. This processing is solely for service delivery. Per their policies as of this date, your data is not used for training their models.

6. HOW WE USE YOUR INFORMATION

  • To Provide and Maintain the Services: Our primary use of your data is to deliver the features you and your Organization use, including document storage, AI-powered drafting, and trip management.
  • To Enforce Access Controls (For Organizations): We use role and group information to ensure that users within an Organization can only access the data they are authorized to see, as defined by their Administrator.
  • To Facilitate Auditing and Compliance (For Organizations): We process data to generate audit logs and track consent, providing Organizations with the tools they need to meet their security and regulatory obligations (such as FERPA).
  • To Communicate with You: We use your email for essential service-related communications only.
  • To Ensure Security and Prevent Abuse: We analyze service usage patterns to protect against fraud and abuse.

7. OUR DATA ACCESS PRINCIPLES & PRACTICES

Your trust is paramount. We have strict internal policies governing access to user data.

  • A. Principle of No Access: Our default policy is that we do not access the content of the data you provide for any purpose. Your documents and personal information are for your use only.
  • B. Data Encryption: Your data is encrypted at rest and in transit. Personally identifiable information (PII) is also encrypted within our system logs.
  • C. Fraud & Abuse Analysis: In cases of suspected fraud or abuse, we will only analyze service usage metadata (e.g., frequency of API calls, data volume patterns). This analysis does not involve inspecting your PII or the content of your documents.
  • D. Limited and Audited Exceptions for Access: Access to your data by our personnel is strictly prohibited, except in extraordinary scenarios such as complying with a legally binding order or with your explicit authorization for a support request.

8. HOW WE SHARE YOUR INFORMATION

We do not sell your Personal Information. We only share it in the following circumstances:

  • Within Your Organization (For Organizational Users): If you are an Organizational User, your Personal Information and documents are accessible to authorized Administrators and users within your Organization based on the roles and permissions they have set. For example, a Trip Administrator will be able to see the documents of participants on their trip.
  • With Service Providers & Sub-processors: We share information with our cloud and AI providers (listed in Section 5) who process data on our behalf to help us deliver the Services.
  • At Your Direction (For Individual Users): We share your information when you explicitly instruct us to, for example, by using the "Assist by Attorney" feature.
  • For Legal Reasons: If required by a valid legal process.
  • During a Business Transfer: In the event of a merger or acquisition.

9. YOUR DATA RIGHTS AND CHOICES

Your rights depend on whether you are an Individual User or an Organizational User.

  • A. For Individual Users (Data Controller: Papers):

    • You have full control over your Personal Information. You can access, correct, and delete your data at any time through your account settings. Deleting data results in its permanent removal from our active systems.

  • B. For Organizational Users (Data Controller: Your Organization):

    • Your Organization controls your data. Any requests to access, correct, delete, or restrict the processing of your Personal Information must be directed to the Administrator of your Organization.
    • We will process such requests upon receiving a verifiable instruction from your Organization's Administrator. If you contact us directly, we will direct you to your Administrator.

10. OUR COMMITMENT TO COMPLIANCE (FERPA)

For our educational clients, Papers provides services as a "School Official" with a "legitimate educational interest" under the Family Educational Rights and Privacy Act (FERPA). We provide the tools (such as Role-Based Access Control and audit logs) to help educational institutions meet their FERPA obligations. The institution, as the data controller, is ultimately responsible for ensuring its use of the Services is FERPA compliant.

11. CHILDREN'S PRIVACY

Our Services are not intended for individuals under 18 to sign up for directly. In the organizational context, if an Organization collects information from minors (e.g., students under 18), it is the Organization's responsibility to obtain necessary parental/guardian consent in compliance with applicable laws, such as the Children's Online Privacy Protection Act (COPPA).

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy to reflect changes in our practices. If we make material changes, we will notify you prominently before the change becomes effective.

13. CONTACT US

If you have any questions about this Privacy Policy, please contact us:

The Papers Company LLC
4041 Roosevelt Way NE
Seattle, WA 98105
Email: [email protected]