Privacy Policy
Your privacy is important to us. This policy explains how we collect, use, and protect your personal data.
Last updated: April 2026
Data Controller
Ontos B.V. (operating Doc2iXBRL) is the data controller responsible for your personal data. You can contact us at:
The iXBRL Reader (public tool)
Our iXBRL Reader is a free, public tool that anyone can use without an account. When you upload a tagged iXBRL Report Package, that file is a financial report that may contain personal data of people other than you, such as directors, signatories, or auditors. This section explains how we process that data and the choices you have. Providing the optional permissions below is entirely your choice and refusing them does not affect your ability to use the Reader.
Purposes and legal basis
Running the Reader on the file you upload
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) - to read, validate, and display the contents of the Report Package you ask us to open. Without the optional permission below, your file is processed transiently and is not kept beyond the limited window described under Retention.
Storing your file to test and improve the product
Legal basis: Consent (Art. 6(1)(a) GDPR), opt-in only and switched off by default. Only if you explicitly grant this permission do we keep your uploaded file to test and improve Doc2iXBRL. You can withdraw this consent at any time.
Marketing email
Legal basis: Consent (Art. 6(1)(a) GDPR), opt-in only and switched off by default. If you choose to receive product news and marketing email, we use the email address you provide for that purpose. You can withdraw this consent at any time, as easily as you gave it.
The storage and marketing permissions are optional and separate from each other. The Reader works in full whether or not you grant them, and we record your consent choices so we can demonstrate them if asked.
Recipients and processors
We use Supabase as our processor for database and file storage. Supabase acts on our instructions under a data processing agreement and only to provide hosting and storage for the Reader.
We aim to keep primary hosting and storage in the EU. Where any processing involves a transfer outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards, as described in the 'International Data Transfers' section below.
How long we keep your upload
- Without the storage permission: your file is processed transiently and any personal data in it is purged within 30 days, subject only to limited backup retention and recovery windows.
- With the storage permission: we keep your file for a maximum of 24 months, after which it is deleted, unless you withdraw consent or request erasure sooner.
- Erasure on request: you can ask us to delete an uploaded file and the personal data in it at any time, and we will do so without undue delay.
Personal data of other people in the file
A Report Package may contain personal data about people other than the person uploading it, for example the names and signatures of directors, board members, or auditors. We process that data only to run the Reader and, where you have opted in, to test and improve the product.
When you upload a file, you confirm and warrant that you have the right to share it and to grant us permission to process it for these purposes. You are responsible for ensuring you are allowed to share any personal data the file contains.
If you are an individual named in an uploaded report and you wish to exercise your data-protection rights or request erasure of your personal data, you can contact us at contact@doc2ixbrl.com. We will act on your request even though you did not upload the file yourself.
Your rights and how to exercise them
For data processed through the Reader you have the right to access, rectification, erasure, restriction of processing, objection, and data portability. To exercise any of these rights, contact us using the details in the 'Data Controller' and 'Contact Us' sections of this policy.
Where our processing is based on consent (storing your file to improve the product, or marketing email), you can withdraw that consent at any time, as easily as you gave it. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.
You also have the right to lodge a complaint with the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens, if you believe your rights have been violated.
Data We Collect
We collect various types of information to provide and improve our service:
Personal Information
- Name and email address when you create an account
- Organization name and details
- Payment information when you subscribe (processed by our payment provider)
- Communications when you contact us
Documents and Content
- Financial documents you upload for conversion (PDF, DOCX)
- Generated iXBRL output files
Usage Data
- Log data including IP address, browser type, and access times
- Device information and identifiers
- How you interact with our service
How We Use Your Data
We process your personal data for the following purposes and legal bases:
Providing our service
Legal basis: Contract performance - to convert your documents to iXBRL format
Account management
Legal basis: Contract performance - to manage your account and subscriptions
Service improvement
Legal basis: Legitimate interest - to analyze usage and improve our service
Communication
Legal basis: Legitimate interest / Consent - to send service updates and marketing communications
AI Data Processing
Your documents are processed using AI technology to extract and map financial data. Important information about this processing:
- Document content may be shared with selected AI and OCR providers strictly as needed to extract text, analyze document structure, and suggest taxonomy mappings
- The specific providers we use may change over time. Detailed provider information, sub-processor details, and transfer safeguards are available on request
- Where processing involves providers outside the EEA, we rely on contractual and technical safeguards appropriate to the transfer
- We do not use your documents or generated output to train our own models, and product-improvement review stays off unless you or your workspace have enabled it
Data Sharing
We share your data with categories of service providers that help us operate the service:
Infrastructure, hosting, and content delivery providers
Run the web application, backend services, and secure network delivery
Authentication, database, and encrypted storage providers
Store account records, uploaded documents, and conversion results
AI and OCR providers
Support text extraction, document analysis, and taxonomy mapping
Payment and billing providers
Process payments, invoices, and related transactional records where applicable
Development and operational tooling providers
Support source code hosting, monitoring, and internal service operations
Data Retention
We retain data only as long as needed to provide the service, meet legal obligations, and support secure recovery processes:
- Account data: Retained while your account is active and generally for up to 30 days after account deletion or contract termination, unless longer retention is required by law
- Uploaded documents: Retained while your account is active and deleted within 30 days of account deletion or contract termination, subject to limited backup retention and recovery windows. You may delete individual documents through the Service
- Conversion results: Retained while your account is active and deleted on the same schedule as the related account or workspace, subject to limited backup retention
Your Rights
Under the GDPR, you have the following rights regarding your personal data:
Right of Access
Request a copy of all personal data we hold about you
Right to Rectification
Request correction of inaccurate or incomplete data
Right to Erasure
Request deletion of your personal data ('right to be forgotten')
Right to Portability
Receive your data in a structured, machine-readable format
Right to Object
Object to processing based on legitimate interests
Right to Withdraw Consent
Withdraw consent at any time where processing is based on consent
You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) if you believe your rights have been violated.
International Data Transfers
Some service providers may process data outside the European Economic Area (EEA). We aim to keep primary hosting and storage in the EU, but some limited processing or support activities may involve non-EEA transfers.
Where non-EEA transfers occur, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards and can provide further detail on request.
Security
We implement appropriate technical and organizational measures to protect your personal data:
- All data is encrypted in transit using TLS/SSL
- Data at rest is encrypted using industry-standard encryption
- Access to personal data is restricted to authorized personnel only
- Regular security assessments and monitoring are performed
Changes to This Policy
We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the 'last updated' date. We encourage you to review this policy periodically.
Contact Us
If you have any questions about this privacy policy or our data practices, please contact Ontos B.V.: