Sharedocs — Dutch Spaghetti Software Ltd
At a glance: Dutch Spaghetti Software Ltd operates Sharedocs, a document-sharing platform. We collect your email address, name, and account activity information to provide the service. We do not sell your data, serve you advertisements, or share your information with anyone except the sub-processors listed in Section 7 of this policy and, where required by law, law enforcement or regulatory authorities as described in Section 7.1. You have full rights under UK GDPR to access, correct, or delete your data at any time.
1. About Us
Sharedocs is operated by Dutch Spaghetti Software Ltd, a company registered in England and Wales.
| Company name | Dutch Spaghetti Software Ltd |
| Registered address | 5 Central Way, Oxted RH8 0LS |
| Company number | 17063741 |
| ICO registration | ZC100961 |
| Contact email | privacy@sharedocs.net |
| Website | https://sharedocs.net |
When we say "we", "us", or "our" in this policy, we mean Dutch Spaghetti Software Ltd.
This policy applies to all personal data we process in connection with the Sharedocs platform, including data collected through our website at sharedocs.net, our web application, and any emails we send to you.
2. Our Roles Under Data Protection Law
Sharedocs operates in two distinct capacities depending on whose data is being processed.
2.1 Data Controller
We act as a data controller in respect of the personal data of account holders (library owners) who register with Sharedocs. This includes the information you provide when you sign up, your billing details, and your usage of the platform. As a controller, we determine the purposes and means of processing your data and are responsible for ensuring that processing is lawful.
2.2 Data Processor
When a library owner invites collaborators to access their document library, we act as a data processor on behalf of the library owner (the controller). In this capacity, we process collaborator data — such as email addresses and access logs — on the library owner's instructions. Library owners who use Sharedocs commercially should ensure they have an appropriate lawful basis for sharing their collaborators' personal data with us, and may request a Data Processing Agreement from us at privacy@sharedocs.net.
3. Personal Data We Collect
3.1 Account Registration
When you create a Sharedocs account, we collect:
- Your email address (used as your login identifier and for communications)
- Your display name
- The date and time you accepted our Terms of Service
- Whether you have opted in to marketing communications
If you register with an email address and password:
- Your password is stored exclusively as a PBKDF2-SHA256 hash; we never store or have access to your plaintext password
- Whether you have verified your email address
If you register or sign in using Google Sign-In:
- We receive your email address, display name, and a Google account identifier (the sub claim from your Google ID token) from Google's OAuth servers. No password is stored by Sharedocs for accounts using Google Sign-In.
- Your browser communicates directly with Google's authentication servers during the sign-in flow. That interaction is governed by Google's Privacy Policy. We receive only the profile data described above once authentication is complete.
- If you later wish to sign in without Google, you can set a Sharedocs password from your account settings.
3.2 Subscription and Billing
If you purchase a paid subscription, we collect:
- Your subscription tier and status
- Your Stripe customer ID and subscription ID (references to your billing record held by Stripe)
- Billing interval (monthly or annual)
We do not store your payment card details. All payment processing is handled directly by Stripe.
3.3 Technical and Usage Data
When you use the platform, we automatically collect:
- IP addresses — used for rate limiting, security monitoring, audit logging, and (on Business-tier libraries) country-based access restrictions. IP addresses are never used for marketing or profiling.
- Browser and device information (User-Agent string) — used to identify your active sessions and display human-readable device labels in your Security Settings (for example, "Chrome on macOS").
- Session tokens — cryptographically signed tokens stored in your browser to keep you logged in.
- Activity timestamps — we record when sessions are created and last used, and when documents are viewed, downloaded, or uploaded.
3.4 Collaborator Data
If a library owner invites you as a collaborator, we hold your email address and record your acceptance of the invitation, your access history, and your IP address (for audit and token-sharing detection purposes). If you choose to create a Sharedocs account after being invited, your account data is governed by Section 3.1 above.
3.5 Communications
If you contact us via our contact form or by email, we retain the content of your message and your contact details in order to respond to you.
3.6 Data We Do Not Collect
We do not collect or store:
- The content of documents uploaded to libraries (documents are stored in encrypted storage and are not read or analysed by us)
- Plaintext passwords or payment card numbers
- Google account passwords or any credentials beyond the profile data described in Section 3.1
- Precise geolocation data
- Any special category data as defined by UK GDPR (for example, health, racial or ethnic origin, or biometric data)
4. How We Use Your Personal Data
The table below sets out the purposes for which we process your personal data and the lawful basis we rely on under UK GDPR.
| Purpose | Data used | Lawful basis |
|---|---|---|
| Providing and operating the Sharedocs service | Account details, subscription data, session tokens | Contract (Art. 6(1)(b) UK GDPR) |
| Processing payments and managing subscriptions | Email, Stripe customer and subscription IDs | Contract (Art. 6(1)(b) UK GDPR) |
| Sending transactional emails (e.g. verification, password reset, billing receipts) | Email address, name | Contract (Art. 6(1)(b) UK GDPR) |
| Authenticating your identity via Google Sign-In | Email address, display name, Google account identifier | Contract (Art. 6(1)(b) UK GDPR) |
| Security — rate limiting, brute-force protection, session management | IP address, device information, session data | Legitimate interests (Art. 6(1)(f) UK GDPR) |
| Audit logging of document and library events | Email address, IP address, timestamps | Legitimate interests (Art. 6(1)(f) UK GDPR) |
| Detecting misuse of anonymous access tokens | IP address | Legitimate interests (Art. 6(1)(f) UK GDPR) |
| Reporting illegal content (including child sexual abuse material) to the Internet Watch Foundation and cooperating with law enforcement and regulatory authorities | Account identifiers, IP addresses, content references, and other data necessary for the report or disclosure | Legal obligation (Art. 6(1)(c) UK GDPR); or where disclosure is voluntary to prevent serious harm, legitimate interests (Art. 6(1)(f) UK GDPR) |
| Complying with other legal obligations | Account data as required | Legal obligation (Art. 6(1)(c) UK GDPR) |
| Sending renewal reminders and product updates (where you have opted in) | Email address, name, subscription tier | Consent (Art. 6(1)(a) UK GDPR) |
| Analytics — understanding how the platform is used in aggregate | Anonymised usage events (account UUID only, no PII) | Legitimate interests (Art. 6(1)(f) UK GDPR) |
| Error tracking and platform reliability monitoring | Error stack traces, user ID, subscription tier | Legitimate interests (Art. 6(1)(f) UK GDPR) |
Where we rely on legitimate interests, we have conducted a balancing test to confirm that our interests are not overridden by your rights and interests. You may request a copy of any such assessment by contacting us at privacy@sharedocs.net.
5. Cookies and Local Storage
Sharedocs does not use third-party advertising cookies. We use a single item of browser local storage:
- sharedocs_token — your session token, a cryptographically signed JWT that keeps you logged in. It expires after 24 hours of inactivity or when you log out.
Our analytics provider (PostHog) is configured to hold event data in memory only and does not write any persistent cookies or local storage entries.
Our error tracking provider (Sentry) and database provider (Supabase) are configured to avoid writing any persistent session keys to local storage.
If you sign in using Google Sign-In, Google may set cookies during the authentication flow on its own servers. Those interactions are governed by Google's Privacy Policy.
If you have a paid subscription, Stripe may set cookies on its own hosted payment pages. Those pages are governed by Stripe's own privacy policy.
6. Your Documents
Files you upload to Sharedocs libraries are stored in a private, access-controlled storage bucket. We do not read, analyse, index, or use the content of your documents for any purpose other than delivering them to the people you authorise.
Documents are served to collaborators via short-lived, signed URLs generated on demand. They are not publicly accessible by URL.
No document content is shared with any third-party processor.
7. Third-Party Processors
We share personal data with the following sub-processors to deliver the Sharedocs service. All processors are contractually required to process data only on our instructions and to maintain appropriate security measures.
| Processor | Data shared | Purpose | Location |
|---|---|---|---|
| Stripe | Email address, name, payment method details | Subscription billing and payment processing | USA (EU SCCs in place) |
| Resend | Email addresses and message content | Transactional email delivery | USA (EU SCCs in place) |
| Supabase | All account and usage data | Database, storage, and serverless compute | EU (Frankfurt, eu-central-1) |
| Netlify | Web request logs, IP addresses | Frontend hosting and content delivery | USA (EU SCCs in place) |
| Cloudflare | Domain names, IP addresses | Custom domain DNS, SSL, and DDoS protection | USA (EU SCCs in place) |
| Google (OAuth) | Email address, display name, Google account identifier | Account authentication via Google Sign-In | USA (EU SCCs in place) |
| ipinfo.io | IP addresses | Country-based access restrictions (Business-tier libraries only) | USA (EU SCCs in place) |
| PostHog | Anonymised usage events (UUID only, no PII) | Product analytics | EU (EU Cloud) |
| Sentry | Error stack traces, user ID, email, subscription tier | Error tracking and platform monitoring | USA (EU SCCs in place) |
Note on Google: Google acts as both a processor (handling authentication on our behalf) and an independent data controller for your Google account and the authentication interaction itself. Their handling of your data during sign-in is governed by Google's Privacy Policy and is separate from this policy.
Standard Contractual Clauses (SCCs) are the mechanism used for transfers to processors outside the UK/EEA, providing equivalent protection to UK GDPR requirements.
No raw document content is shared with any of the above processors.
7.1 Legal and Regulatory Disclosures
In addition to the sub-processors listed above, we may disclose personal data to the following categories of recipients where required or permitted by law. These recipients are not sub-processors acting on our instructions — they are independent recipients to whom disclosure is made under a legal obligation or in the exercise of a legitimate interest to prevent serious harm.
Internet Watch Foundation (IWF)
Where we identify or receive a credible report of child sexual abuse material (CSAM) hosted on the platform, we are required under the Protection of Children Act 1978 and related legislation to report it to the IWF. Such a report may include account identifiers, IP addresses, and content references sufficient to identify the material. The lawful basis for this disclosure is legal obligation (Art. 6(1)(c) UK GDPR).
Law enforcement authorities
This includes the National Crime Agency (NCA), UK police forces, and any other competent authority in the UK or, where applicable, overseas. We will disclose personal data to law enforcement where:
- we receive a valid legal process requiring disclosure (such as a court order, production order, or statutory notice);
- we are under a legal duty to report (for example, in connection with CSAM or terrorism-related content); or
- we reasonably believe disclosure is necessary to prevent serious harm or an imminent threat to the safety of any person, and legitimate interests override the data subject's privacy interests in the circumstances.
The lawful basis is legal obligation (Art. 6(1)(c) UK GDPR) for mandatory disclosures, and legitimate interests (Art. 6(1)(f) UK GDPR) for voluntary disclosures made to prevent serious harm.
Regulatory authorities
This includes the Information Commissioner's Office (ICO) and any other competent regulatory body. We will cooperate with regulatory investigations and comply with any notices or orders issued by a supervisory authority. The lawful basis is legal obligation (Art. 6(1)(c) UK GDPR).
In all cases we will disclose the minimum personal data necessary for the purpose of the disclosure. Where we are not legally prohibited from doing so (for example, where a disclosure is not subject to a non-disclosure order), we will endeavour to notify the affected account holder before complying with a disclosure request, unless doing so could prejudice an investigation or where the nature of the report makes notification inappropriate.
8. How Long We Keep Your Data
We retain personal data only for as long as necessary for the purposes set out in this policy.
| Data type | Retention period |
|---|---|
| Account information (email, name, password hash or Google identifier) | Until account deletion is requested |
| Active session tokens | 24 hours (extended on active use via sliding refresh) |
| Session records (device, IP, last active) | Deleted daily once expired; revoked sessions retained for 7 days then deleted |
| Rate-limiting records (IP address, action) | 1 hour |
| Collaborator invitation tokens | 7 days from creation |
| Anonymous access tokens | 14 days (auto-renewed while collaborator is active) |
| Password reset tokens | 1 hour |
| Email verification tokens | 24 hours |
| Audit log entries | Retained for the lifetime of the library; deleted when the library is deleted |
| Terms of Service agreement records | Retained indefinitely as an immutable compliance record |
| Document exports (encrypted ZIP files) | 7 days from creation |
| Platform contact messages | Until the message is closed and we have no further legal or operational need to retain it |
| Stripe billing records | As required by applicable tax and financial regulations (typically 7 years) |
When an account is deleted, we cascade-delete all associated libraries, documents (including storage files), collaborators, audit logs, and subscription records.
9. Your Rights
Under UK GDPR you have the following rights in relation to your personal data. We will respond to all valid requests within one month. If a request is complex or we receive a large number of requests, we may extend this period by up to two further months and will notify you accordingly.
Right of Access — You have the right to request a copy of the personal data we hold about you and information about how we use it.
Right to Rectification — You have the right to request that we correct inaccurate personal data or complete incomplete data. You can update your display name and email address directly from your account settings.
Right to Erasure — You have the right to request that we delete your personal data where there is no compelling reason for us to continue processing it. Note that we may be required to retain certain data for legal or regulatory purposes (for example, financial records).
Right to Restrict Processing — You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while a dispute about accuracy is resolved.
Right to Data Portability — You have the right to receive the personal data you have provided to us in a structured, commonly used, machine-readable format, and to transmit it to another controller. You can export your document libraries at any time from within the platform (Professional and Business tiers) as an AES-256 encrypted ZIP archive.
Right to Object — You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is for legal claims.
Right to Withdraw Consent — Where processing is based on your consent (for example, marketing emails), you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. You can withdraw consent for marketing communications by clicking the unsubscribe link in any marketing email or by contacting us.
Right Not to Be Subject to Automated Decision-Making — We do not make any decisions about you solely by automated means that have legal or similarly significant effects.
How to Exercise Your Rights
To exercise any of the above rights, please contact us at privacy@sharedocs.net. We may need to verify your identity before processing your request. There is no charge for exercising your rights unless a request is manifestly unfounded or excessive.
10. Security
We take the security of your personal data seriously. Our technical measures include:
- Passwords stored as PBKDF2-SHA256 hashes with 100,000 iterations and a random salt — we cannot retrieve your password (accounts using Google Sign-In have no password stored with us)
- All data transmitted over HTTPS/TLS
- Session tokens cryptographically signed and validated on every authenticated request
- Per-device session tracking with the ability to revoke individual sessions remotely
- Two-factor authentication (TOTP) available on all paid accounts
- All database tables protected by restrictive Row-Level Security policies — no direct client access to the database is possible
- Documents stored in a private storage bucket and served only via short-lived signed URLs
- Rate limiting on all authentication endpoints to protect against brute-force attacks
No method of transmission over the internet or electronic storage is 100% secure. If you discover a security vulnerability, please report it responsibly to security@sharedocs.net.
11. Children
Sharedocs is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@sharedocs.net and we will delete it promptly.
12. Changes to This Policy
We may update this privacy policy from time to time. When we make material changes, we will notify you by email (if you have an account with us) and update the version date at the top of this document. Your continued use of Sharedocs after a change takes effect constitutes your acknowledgement of the updated policy.
Previous versions of this policy are available on request by contacting privacy@sharedocs.net.
13. Complaints
If you have a concern about how we handle your personal data, we would always prefer to hear from you first so we can try to resolve it. Please contact us at privacy@sharedocs.net.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority:
| Website | https://ico.org.uk |
| Helpline | 0303 123 1113 |
| Address | Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF |
14. Contact Us
For any questions about this privacy policy or about how we handle your personal data, please contact us:
| Email | privacy@sharedocs.net |
| Post | Dutch Spaghetti Software Ltd, 5 Central Way, Oxted RH8 0LS |