GDPR Privacy Notice - Papermerge DMS

Compliance to General Data Protection EU Regulation

Last updated 02.09.2020

Thank you for choosing to be part of our community at Papermerge DMS (“company”, “we”, “us”, or “our”). We are committed to protecting your personal information and your right to privacy. If you have any questions or concerns about our policy, or our practices with regards to your personal information, please contact us at

When you visit our website (“Site”) and use our hosted solution services, you trust us with your personal information. We take your privacy very seriously. In this privacy notice, we describe our privacy policy. We seek to explain to you in the clearest way possible what information we collect, how we use it and what rights you have in relation to it. We hope you take some time to read through it carefully, as it is important. If there are any terms in this privacy policy that you do not agree with, please discontinue use of our site and our services.

This privacy policy applies to all information collected through our website (or webpage, hosted instances which will be accessed via http://(subdomain) and/or any related services.

Please read this privacy policy carefully as it will help you make informed decisions about sharing your personal information with us.

1. What Information Do We Collect?

Personal information you disclose to us

In Short: We collect personal information that you provide to us such as email, username, name/your company name, your region and payment information you provide us during registration process. Also we store your documents (such as bills, invoices, scanned letters etc) you upload while using our hosted solution.

We collect personal information that you voluntarily provide to us when registering for hosted solution expressing an interest in obtaining information about us or our products and services. We collect documents you uploaded on hosted server. Documents storage is core of our business.

The personal information that we collect depends on the context of your interactions with us and the Sites, the choices you make and the products and features you use. The personal information we COLLECT can include the following:

Name and Contact Data. We collect your business name, email address, username, your region, your country name. Your region and country you live is required because it helps us to know where to deploy your hosted instance. Closer to your location servers provide better service.

Credentials. We do not collect passwords, password hints, and similar security information used for authentication and account access. Instead we create an account for you and send you credentials via email and we require you to change them immediately.

Payment Data. We collect data necessary to process your payment if you make purchases, such as your payment card number, and the security code associated with your payment instrument. However we do NOT store any payment information on our servers. All payment data is stored by our payment processor – - and you should review their privacy policy and contact the payment processor directly to respond to your questions.

Documents – The principle of Papermerge is convenient way of document management. With Papermerge you can digitally archive your documents in a central location, organize them and access them from anywhere. You can also remove your documents from our platform at any time or export them in a common file format and save them elsewhere. Papermerge allows you to structure the documents and recognizes all important information. With the help of Papermerge, documents can be found quickly and easily thanks to intelligent organization and search functions.

In the context of document storage and analysis, Papermerge also processes personal data. If the documents transmitted to Papermerge contain personal data of third parties, the user is responsible for obtaining the corresponding consents or only to transmit personal data if a statutory permission exists.

We do NOT give, sell, transmit, neither your documents nor derivative information from your documents to 3 rd parties. Your documents stay on our servers, and it is the core of our business to keep your documents safe and secure. Your data is yours only and our business is to guard it securely. In order to assure long term storage of your documents we make backups twice a day. Backups are encrypted using AES 256 CBC algorithm with 2048 bit X509 certificates. Encrypted backups are stored on two remote AWS S3 servers located in two distinct data centers.

Information collected from other Sources

In short: uses recapcha service provided by google (I am not robot checkbox), this service is used for protecting our website from automated bots, spam and malicious users. Recapcha service might use cookies. Please note that recapcha service is used only on our website and not on allocated host. For more information privacy policy of recapcha service please check google recapcha service privacy policy.

2. How do we use your information?

In Short: We process your information for purposes based on legitimate business interests, the fulfillment of our contract with you, compliance with our legal obligations, and/or your consent.

We use personal information collected via our Sites for a variety of business purposes described below. We process your personal information for these purposes in reliance on our legitimate business interests ("Business Purposes"), in order to enter into or perform a contract with you ("Contractual"), with your consent ("Consent"), and/or for compliance with our legal obligations ("Legal Reasons"). We indicate the specific processing grounds we rely on next to each purpose listed below.

We use the information we collect or receive:

  • To facilitate account creation and sign in process. Information you provide us during registration, such as your business name, subdomain, region, country, username, email, OCR language, localization language is used solely to create a hosted instance for you - (subdomain)

  • To send you marketing and promotional communications for Business Purposes and/or with your Consent. The email your provide will be used to send your a newsletter which might include marketing and promotional information. You may choose to unsubscribe from such newsletter in such case we won’t send you any further marketing or promotional emails.

  • To send administrative information to you [for Business Purposes, Legal Reasons and/or possibly Contractual]. We may use your personal information to send you product, service and new feature information and/or information about changes to our terms, conditions, and policies.

  • Fulfill and manage your orders [for Contractual reasons]. We may use your information to fulfill and manage your orders, payments, returns, and exchanges made through the Sites.

  • Request Feedback [for our Business Purposes and/or with your Consent]. We may use your information to request feedback and to contact you about your use of our Sites.

  • To protect our Sites [with your consent]. We may use your information in order to enable user-to-user communications with each user's consent.

  • To enable user-to-user communications [for Business Purposes and/or Legal Reasons]. We may use your information as part of our efforts to keep our Sites safe and secure (for example, for fraud monitoring and prevention).

  • To enforce our terms, conditions and policies [for Business Purposes, Legal Reasons and/or possibly Contractual].

  • To respond to legal requests and prevent harm [for Legal Reasons]. If we receive a subpoena or other legal request, we may need to inspect the data we hold to determine how to respond.

3. Will Your Information Be Shared With Anyone?

In Short: No. We only share information with your consent, to comply with laws, to protect your rights, or to fulfill business obligations.

Our business is registered in Germany and it complies to German legislation. Germany has very strict laws regarding individual privacy and private data protection.

We only share and disclose your information in the following situations:

  • Compliance with Laws. We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process.

  • Vital Interests and Legal Rights We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person and illegal activities, or as evidence in litigation in which we are involved.

  • Business Partners As mentioned before, we rent our servers from In that context we store documents you upload on Linode is known for their good privacy policies. You may want to review their privacy policy as well. Encrypted backups (with AES 256 CBC) are stored on AWS S3 servers.

4. Do We Use Cookies Technologies?

In Short: We use cookies only to enable technological features like sign in, sign out, html forms which without cookies won’t be possible. We do NOT use cookies to track your identity.

Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Policy.

5. Is Your Information Transferred Internationally?

We may transfer, store, and process your information in countries other than your own.

Your Papermerge host servers will be deployed on servers located in region you choose during registration process. In order to ensure safety and long term storage of your data - we may transfer encrypted backups of your data to different regional servers. Please note that NO 3rd party, partner or company may access user or process data stored in backups because backups are encrypted using highly secure AES 256 CBC algorithm.

If you are a resident in the European Economic Area, then these countries may not have data protection or other laws as comprehensive as those in your country. We will however take all necessary measures to protect your personal information in accordance with this privacy policy and applicable law.

European Commission's Standard Contractual Clauses. Such measures implementing the European Commission's Standard Contractual Clauses for transfers of personal information between our group companies and between us and our third-party providers, which require all such recipients to protect personal information that they process from the EEA in accordance with European data protection laws.

6. What Is Our Stance On Third-party Websites?

In Short: We are not responsible for the safety of any information that you share with third-party providers who advertise, but are not affiliated with, our websites.

The Sites may contain advertisements from third parties that are not affiliated with us and which may link to other websites, online services or mobile applications. We cannot guarantee the safety and privacy of data you provide to any third parties. Any data collected by third parties is not covered by this privacy. We are not responsible for the content or privacy and security practices and policies of any third parties, including other websites, services or applications that may be linked to or from the Sites. You should review the policies of such third parties and contact them directly to respond to your questions.

7. How Long Do We Keep Your Information?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this privacy policy (on average 3 months) unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy policy, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements). No purpose in this policy will require us keeping your personal information for longer than 3 months past the termination of your account.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

8. How Do We Keep Your Information Safe?

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process. However, please also remember that we cannot guarantee that the internet itself is 100% secure. Although we will do our best to protect your personal information, transmission of personal information to and from our Sites is at your own risk. You should only access the services within a secure environment.

9. Do We Collect Information From Minors?

In Short: We do not knowingly collect data from or market to children under 18 years of age.

We do not knowingly solicit data from or market to children under 18 years of age. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you becomeaware of any data we have collected from children under age 18, please contact us at

10. What Are Your Privacy Rights?

In Short: In some regions, such as the European Economic Area, you have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your account at any time.

In some regions (like the European Economic Area), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; and (iv) if applicable, to data portability. In certain circumstances, you may also have the right to object to the processing of your personal information. To make such a request, please send us an email at We will contact you immediately to provide further details how you can receive all your data.

If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. Please note however that this will not affect the lawfulness of the processing before its withdrawal.

If you are resident in the European Economic Area and you believe we are unlawfully processing your personal information, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here:

Account Information

You may at any time review or change the information in your account or terminate your account by:

  • Logging into your account settings and updating your account

  • Contacting us using the contact information provided below

Cookies and similar technologies: Most Web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this will affect our service as as features like sign in, sign out or HTML ser forms rely on cookies technology to function properly

Opting out of email marketing: You can unsubscribe from our marketing email list at any time by clicking on the unsubscribe link in the emails that we send or by contacting us using the details provided below. You will then be removed from the marketing email list – however, we will still need to send you service-related emails that are necessary for the administration and use of your account. You can also opt-out by:

  • Noting your preferences at the time you register your account with the Sites.

  • Logging into your account settings and updating your preferences.

  • Contacting us using the contact information provided below.

11. Do California Residents Have Specific Privacy Rights?

In Short: Yes, if you are a resident of California, you are granted specific rights regarding access to your personal information.

California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request by following email:

12. Do We Make Updates To This Policy?

In Short: Yes, we will update this policy as necessary to stay compliant with relevant laws.

We may update this privacy policy from time to time. The updated version will be indicated by an updated “Revised” date and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy policy, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy policy frequently to be informed of how we are protecting your information.

13. How Can You Contact Us About This Policy?

If you have questions or comments about this policy, email us at

If you are a resident in the European Economic Area, the "data controller" of your personal information is Eugen Ciur. You can contact them directly regarding the processing of your information by Papermerge DMS, by email at

If you have any further questions or comments about us or our policies, email us at or contact us by post at:

Eugen Ciur
Löwenberger str 4,
10315 Berlin

Hosted Solution

We offer affordable plans for 59,- / Month to enable you to focus on your own business and let us handle the installation, maintenance and secure data protection of your Papermerge instance.