Privacy Policy WhiteDoc

Written by Анатолій
Updated 3 days ago

LLC "CENTREDO"
Effective Date: July 10, 2026


 

PREAMBLE

 

  • About WhiteDoc

WhiteDoc is a cloud-based service that enables individuals, organizations, and information systems to securely exchange data, perform business operations, and legally validate their agreements.

WhiteDoc is owned and developed by Limited Liability Company "CENTREDO" (EDRPOU Code 43617469, Ukraine).

For the purposes of simplicity throughout this document, on our websites, and within the system interfaces, the terms "WhiteDoc," "Platform," "Service," as well as the pronouns "We," "Us," and "Our," are fully equivalent, legally identical, and refer to LLC "CENTREDO."

  • What Does Privacy Mean to Us?

Privacy and the security of your data are fundamental principles of WhiteDoc. We do not sell personal data or disclose it to third parties for their independent use, except where expressly described in this Privacy Policy, the Data Processing Agreement (DPA), or as required by applicable law.

The minimum set of your personal data is technically necessary for us to properly provide the Service and ensure the legal validity of electronic documents.

  • Commitment to Maximum Transparency

For the convenience of our users, this Privacy Policy follows a layered approach that fully complies with internationally recognized transparency practices:

  • 💡 Plain Language: concise and easy-to-understand summaries for users of any level, explaining the essence of each section without complex legal or technical terminology.
  • ⚖️ Legal Text: official, detailed legal and technical provisions intended for regulators, legal professionals, and corporate IT auditors.

1. GENERAL PROVISIONS AND SCOPE

💡 Plain Language:

This document sets out the rules governing how the WhiteDoc Platform collects and protects your data. It applies to all users—from private individuals to representatives of large enterprises who sign thousands of documents through our Platform. Our Service is intended for adults, and we do not knowingly collect personal data relating to children.

⚖️ Legal Text:

1.1. This Privacy Policy ("Policy") defines the procedure for the collection, systematization, use, cross-border transfer, storage, and other processing of personal data by LLC "CENTREDO" during the use of the WhiteDoc cloud platform (including official websites, thematic blogs, marketing landing pages, application programming interfaces (APIs), mobile applications for iOS and Android operating systems, web applications, embeddable interface components and widgets, as well as browser extensions, plugins, and integration modules for third-party corporate information systems; collectively referred to as the "Platform" or the "Service").

1.2. We process personal data in accordance with international and national compliance standards, including the Law of Ukraine "On Personal Data Protection," the EU General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR), and the United Kingdom Data Protection Act 2018 (DPA 2018).

1.3. Protection of Minors. The Service is intended exclusively for individuals who have reached the age of majority or otherwise possess the required level of legal capacity (at least 16 or 18 years of age, depending on the applicable jurisdiction).

If our Customer submits data or uploads documents relating to minors, such Customer assumes full responsibility for obtaining parental or guardian consent in accordance with Article 8 of the GDPR.

If we discover that personal data relating to a child has been collected unintentionally, such data will be deleted within 48 hours following a request submitted to privacy@whitedoc.ua


2. ALLOCATION OF LEGAL ROLES AND RESPONSIBILITY MODELS

💡 Plain Language:

We distinguish between your account data and the data contained in your documents. Your account data is required for operating the Service and providing user support.

The content of your documents is processed automatically in accordance with the settings selected by the Customer or Platform users. We do not review document content during normal operations and do not independently determine why such data was collected or how it will be used.

⚖️ Legal Text:

In accordance with European and Ukrainian practices applicable to cloud services, the legal status of LLC "CENTREDO" varies depending on the category of information being processed.

2.1. WhiteDoc as Data Controller. The Company acts as the Data Controller with respect to registration data, authentication sessions, billing information, technical security logs, and marketing communications. We independently determine the purposes and means of processing such data and bear direct responsibility for ensuring compliance with the rights of data subjects before competent supervisory authorities.

2.2. WhiteDoc as Data Processor. With respect to User Data, including documents, attachments, structured data, metadata, comments, and any other information uploaded, created, or processed by Users while using the Platform, the Company acts exclusively as a Data Processor and processes personal data on behalf of the Customer in accordance with the Customer's documented instructions, the Agreement, and the Data Processing Agreement (DPA).

With respect to such User Data, the Customer acts as the Data Controller, independently determines the purposes and means of processing, and bears sole responsibility for the lawfulness of such processing, the existence of appropriate legal grounds, compliance with transparency requirements, retention periods, the exercise of data subject rights, and all other Controller obligations under applicable law.

In the event of any inconsistency between the provisions of this Policy and the DPA regarding the processing of User Data, the provisions of the DPA shall prevail.

2.3. Independent Controllers. All Qualified Trust Service Providers (QTSPs) integrated with the Platform, as well as the services of the State Enterprise "Diia" (Diia.Signature, Diia.Sharing) and European QES providers, act as independent Data Controllers. They independently govern authentication procedures, identity verification, certificate generation, and the provision of other electronic trust services.


3. PERSONAL DATA WE PROCESS AND LEGAL BASES

💡 Plain Language:

We process only the minimum amount of account-related personal data required for the proper functioning of the system: your email address, name, the company you represent, your telephone number, the name of your document mailbox, and your region, in order to correctly display the interface language, operate the Service, and generate invoices.

⚖️ Legal Text:

For the purpose of fulfilling accountability obligations under Article 5(2) GDPR, the processing of data for which LLC "CENTREDO" acts as the Data Controller is carried out exclusively on the basis of lawful grounds (Article 11 of the Law of Ukraine "On Personal Data Protection" / Article 6 GDPR) in accordance with the following matrix:

Data Category Purpose of Processing Legal Basis Retention Period
Authentication & User Profile Data (Email, First Name, Last Name) Account registration and administration, personalization of the user interface, document routing. Performance of the Public Offer (Contract) — Art. 6(1)(b) GDPR / Art. 11(1)(1) Law of Ukraine "On Personal Data Protection". For the duration of the service usage until the account is deleted.
Contact Phone Number Identification, authorization, and technical provision of SaaS services (including Multi-Factor Authentication - MFA); provision of service maintenance and customer support consultations. Performance of a contract / Legitimate interest of the Controller — Art. 6(1)(b), (f) GDPR. For the duration of the service usage and 2 years after the closure of support tickets.
Corporate Data & Tax Identifiers (Company Name, USREOU/EDRPOU code, or Tax ID/TIN) Business validation and KYB verification (Know Your Business), confirmation of the legal capacity of the organization or Sole Proprietor (FOP), identification of user affiliation with the workspace, accounting, and billing. Compliance with a legal obligation / Performance of a contract — Art. 6(1)(b), (c) GDPR / Art. 11(1)(1), (5) Law of Ukraine. For the duration of the contract and 3 years after its termination (pursuant to statutory tax requirements).
Billing Address Accounting and tax management, subscription таrification, financial reporting, and automated generation of invoices for accounts. Compliance with a legal obligation — Art. 6(1)(c) GDPR / Art. 11(1)(5) Law of Ukraine. 3 years (pursuant to the Tax Code of Ukraine) or up to 10 years for international financial audits.
Network & System Identifiers (IP address, activity logs, User UUID, and Account UUID) Automated recording in security logs and the Event Log (Audit Trail) to prevent cyberattacks, detect fraudulent activities, and establish an evidentiary basis for platform actions. Legitimate interest of LLC "CENTREDO" — Art. 6(1)(f) GDPR / Art. 11(1)(6) Law of Ukraine. 12 months from the moment the corresponding log entry is created.
Marketing Communications & Lead Generation (collected via contact forms: Email, phone number, company name, USREOU or Tax ID, job title, industry sector) Promotion of services, informing about platform news and product updates, targeting offers based on the business sector, conducting marketing research, and verifying corporate inquiries from Clients. Voluntary and informed consent of the data subject — Art. 6(1)(a) GDPR / Art. 11(1)(2) Law of Ukraine. Until consent is withdrawn (by clicking the "Unsubscribe" button or via a direct request from the data subject).

4. SPECIAL TECHNOLOGICAL PROVISIONS (Diia, Biometrics, Artificial Intelligence)

💡 Plain Language:

Diia.Sharing: When you share documents through Diia, WhiteDoc only facilitates the transfer of documents and data received from Diia for subsequent delivery to participants in the workflow. Authentication and consent to transfer documents take place within the Diia application. This functionality is available only to citizens of Ukraine.

No Biometrics: We do not collect or store your fingerprints or facial scans. All biometric verification (such as Face ID or Touch ID) takes place on your own devices and within third-party applications. We receive only the technical verification result.

Artificial Intelligence (AI): Our AI Assistant analyzes documents solely upon your request and only within the specific Envelope. Your documents are never used to train public AI models. Important notice: AI may produce inaccurate results; therefore, you should always verify its output.

⚖️ Legal Text:

4.1. Diia.Sharing. During the transfer of digital copies of documents through the Diia application, the Platform acts exclusively as a transit technology Data Processor. The authentication procedure and the generation of user consent for data transfer take place autonomously within the interface of the Diia mobile application under the control of the State Enterprise "Diia" (an Independent Controller). WhiteDoc provides routing of the received data package to the Customer's designated Envelope without creating any additional internal registries. We inform you about the company requesting your documents through Diia services.

4.2. Biometrics Disclaimer. By design, the Platform does not collect, process, or store special categories of personal data within the meaning of Article 9 GDPR, including biometric data. Authentication using biometric factors (for example, Face ID or Touch ID) is performed exclusively within the secure environment of the user's operating system or third-party applications.

4.3. AI Processing Environment and Limitation of Liability. The integrated AI Assistant operates exclusively within the Envelope containing documents for which the user has initiated a request. Through integration with the Google Gemini Enterprise API, documents, metadata, and prompts are processed within an isolated runtime environment (No-Training Enterprise Mode) and are not transferred for training public or foundation Google models.

The use of AI functionality may be disabled at the account level.

The AI-generated output (AI Output) may be inaccurate or incomplete and does not constitute legal, financial, or any other professional advice. The User is solely responsible for verifying AI Output before using it in any legally significant process.


5. OFFICIAL REGISTER OF SUBPROCESSORS AND PROCEDURE FOR CHANGES

💡 Plain Language:

To ensure the uninterrupted and secure operation of the Platform, we engage external technical partners to support our servers, deliver notifications, operate AI services, and perform system analytics. We have entered into agreements with these partners to protect your data. We will notify Customers in advance whenever new Subprocessors are engaged.

⚖️ Legal Text:

For the purpose of fulfilling transparency and accountability obligations, LLC "CENTREDO" maintains and publishes a complete and up-to-date register of Subprocessors and integrated systems.

Procedure for Changes to Subprocessors. The Company undertakes to notify Customers in advance (at least 30 calendar days) of the engagement of new Subprocessors through the website, Platform interface, or email.

The Customer has the right to submit a reasoned objection based on security considerations within 14 days.

Upon receipt of a justified objection, WhiteDoc shall consider such objection in good faith and may provide additional information, propose alternative safeguards, or, where the identified risk cannot reasonably be mitigated, agree to terminate the relevant part of the Services in accordance with the Agreement.

5.1. Infrastructure, Service and Support Subprocessors

Amazon Web Services EMEA SARL (Luxembourg / USA): Primary cloud infrastructure, secure hosting of the Service, databases, storage of Customer Content, and system backups. Location: European Union: Germany (Frankfurt Region, AWS Europe).

SendPulse OÜ (Estonia, EU) / SendPulse Inc. (USA): Automated delivery service for transactional Platform notifications. Processes recipients' email addresses, user names, and system event metadata related to document workflows. Location: European Union: Germany / Netherlands (SendPulse data center infrastructure).

Google Ireland Limited (Ireland / USA):

  1. Google Gemini API (Vertex AI) for the AI Assistant within a specific Envelope;
  2. Google Places / Maps API for technical validation of official addresses during Account registration.
    Location: European Union / Global Google Infrastructure.

Zoho Corporation B.V. (Netherlands): Cloud-based Zoho Desk help desk system for receiving, registering, processing, and archiving user support tickets.
Location: European Union: Netherlands / Ireland.

HelpCrunch Corporation (USA / Ukraine): Online customer support chats, website widgets, and user feedback tools.
Location: European Union / USA (AWS Infrastructure).

AnyDesk Software GmbH (Germany): Secure remote technical access sessions for diagnosing Platform issues.
Location: European Union: Germany.

LLC "STREAM TELECOM" (Ukraine): Corporate IP telephony provider for the customer support service, processing contact telephone numbers and technical recording of voice calls.
Location: Ukraine.

Worksection (Ukraine): Internal task management system used by the development team for tracking and resolving software defects.
Location: European Union: Germany (Hetzner Data Center).

Uspacy (LLC "USPACI", Ukraine): Cloud CRM system for customer relationship management, contact database maintenance, lead generation, sales automation, and recording service interaction history. Location: Ukraine (Cloud data center infrastructure).

 

5.2. Product Analytics, Marketing Analytics and Tracking Subprocessors

Google Ireland Limited (Ireland / USA):

  1. Google Analytics 4 (GA4) for collecting and analyzing anonymized product metrics;
  2. Google Tag Manager (GTM) for technical management and deployment of scripts.
    Location: European Union / Global Google Infrastructure.

Meta Platforms Ireland Limited (Ireland, EU) / Meta Platforms, Inc. (USA): Meta Ads (Facebook Pixel / Conversions API) for tracking the effectiveness of marketing campaigns and analyzing registration conversions. Location: European Union / Global Meta Infrastructure.

5.3. Integrations with Electronic Trust Service Providers

Qualified Trust Service Providers of Ukraine (QTSPs). The Platform provides full technical compatibility and integration with all electronic trust service providers operating in Ukraine.

European Qualified Trust Service Providers. For cross-border electronic document exchange, WhiteDoc is integrated with European trust service providers included in the EU Trusted List, including:

  • Smart-ID (SK ID Solutions, Estonia);
  • Evrotrust (Evrotrust Technologies AD, Bulgaria);
  • InfoCert (InfoCert S.p.A., Italy);
  • SimplySign (Asseco Data Systems, Poland);
  • Estonian Mobile-ID (Estonia);
  • Lithuanian Mobile-ID (Lithuania).

6. INTERNATIONAL DATA TRANSFERS AND GLOBAL COMPLIANCE

💡 Plain Language:

We store your data on AWS servers located in Germany. If it becomes necessary to transfer personal data outside Europe, we will use special international safeguard mechanisms approved by the European Commission.

⚖️ Legal Text:

6.1. Data Localization. The WhiteDoc Platform infrastructure is hosted in Germany on AWS servers, supporting compliance with GDPR requirements relating to data localization, security, and access control.

6.2. International Transfers. Where personal data is transferred outside the European Economic Area (EEA) or Ukraine, WhiteDoc implements appropriate safeguards, including the Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Article 46 GDPR.

In addition to implementing the SCCs, the Company conducts a Transfer Impact Assessment (TIA) to evaluate the legal framework of the destination country and minimize the risks of access by third parties.

6.3. Jurisdiction-Specific Provisions. Where WhiteDoc is subject to the requirements of specific jurisdictions, including the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), the UK GDPR, or other similar personal data protection laws, the Company ensures the implementation of the applicable rights of users to the extent required by the relevant legislation.

WhiteDoc does not sell users' personal data.

Where the use of analytics, advertising, or marketing technologies may constitute a "sale," "sharing," or "cross-context behavioral advertising" under the CCPA/CPRA, the Company, where legally required, provides users with accessible mechanisms to opt out of such processing, including through Cookie Consent, privacy settings, Global Privacy Control, or a "Do Not Sell or Share My Personal Information" link.

Where WhiteDoc becomes subject to the requirement under the UK GDPR to appoint a representative in the United Kingdom, the Company shall appoint such representative and publish the representative's contact details in this Policy, the Trust Center, or another publicly accessible section of its website.


7. DATA RETENTION AND DELETION POLICY

💡 Plain Language:

Your profile data, account, mailbox, documents, and other information are stored for as long as you use the Service. You may delete your profile, account, mailbox, or an Envelope containing documents.

However, there is one important rule: if you have signed or sent a document to another account, you cannot unilaterally delete that Envelope because it serves as evidence for your counterparty.

The documents will be deleted within 30 days once all participants in the workflow have agreed to their deletion.

⚖️ Legal Text:

7.1. Profile data is retained for the duration of the provision of the Service. Following a user's request to delete a profile, the Company performs irreversible anonymization or deletion of all direct and indirect personal identifiers.

7.2. Consensual Deletion of Shared Objects. Where an Envelope containing documents is associated with multiple participants from different accounts, deletion by one participant does not result in deletion of the object for the remaining participants, in order to protect their legitimate right to retain access to evidentiary records.

This restriction is consistent with the lawful exceptions to the Right to Erasure under Article 17(3) GDPR, including where processing is necessary for the performance of a contract, compliance with a legal obligation, or the establishment, exercise, or defense of legal claims of other participants.

The physical deletion of such an object from storage systems shall occur within 30 calendar days after all participants of the Envelope have provided their explicit consent to its deletion.

7.3. Backup Retention. Backup copies are retained for 30 days.

Personal data may remain temporarily stored in backup copies until completion of the automatic overwrite/deletion cycle, without any active processing or use thereof.


8. USER RIGHTS AND THE PROCEDURE FOR EXERCISING THEM

💡 Plain Language:

You have the right to obtain a copy of your personal data, correct inaccuracies, or request its deletion. The first copy is generally provided free of charge, unless otherwise required by applicable law.

For this purpose, we have established a dedicated email address: privacy@whitedoc.ua. We will process your request within 30 days. To protect against fraud, we may ask you to verify your identity using a method that is necessary and proportionate to the nature of your request.

⚖️ Legal Text:

8.1. Every data subject has the right to access, rectify, restrict processing, object to processing, data portability, and the Right to Erasure (Right to be Forgotten) in accordance with Articles 15–22 of the GDPR and Article 8 of the Law of Ukraine "On Personal Data Protection."

8.2. Procedure for Submitting Requests. All requests shall be sent to the dedicated email address of the Compliance and Data Protection Service: privacy@whitedoc.ua

For the purpose of protecting against social engineering attacks, the Compliance Service may perform additional authentication or cryptographic verification of the identity of the requester where such measures are necessary and proportionate to the nature of the request.

8.3. Response Time. Requests shall be processed within 30 calendar days following successful identity verification.

8.4. Right to Lodge a Complaint. Users have the right to lodge a complaint with the competent personal data protection authority (in Ukraine—the Ukrainian Parliament Commissioner for Human Rights; within the European Union—the competent local Supervisory Authority; in the United Kingdom—the Information Commissioner's Office (ICO)).

8.5. Where a request from a data subject relates to User Data for which WhiteDoc acts as a Data Processor, the Company may forward such request to the relevant Customer acting as the Data Controller, or act in accordance with the Customer's documented instructions, unless otherwise required by applicable law.


9. INFORMATION SECURITY AND INCIDENT RESPONSE

💡 Plain Language:

Our information security practices are certified in accordance with the international ISO 27001 standard. We encrypt all data transmissions, and our development team does not have access to your documents during normal operations. If a security incident or personal data breach occurs, we will notify you in the cases and within the timeframes required by applicable law.

⚖️ Legal Text:

9.1. The Information Security Management System (ISMS) of LLC "CENTREDO" is officially certified in accordance with the international standard ISO/IEC 27001:2022.

  • Certification Body: Swiss Approval North America
  • Certificate Registration Number: 372-02-270-00296

9.2. Security Measures

Encryption.

All Data in Motion is protected using TLS 1.2/1.3 with RSA 2048-bit keys.

Zero Trust and Least Privilege Principles.
The internal development team of LLC "CENTREDO" has no direct access to the production environment.
Access is granted only to specifically authorized personnel through AWS IAM and solely where required for critical operational purposes. Such access is additionally protected through secure VPN tunneling, hardware binding of the engineer's workstation to unique SSH keys, and comprehensive activity logging through AWS CloudTrail.

User Authentication.
Email address and password (in accordance with the configured password policy), Single Sign-On (SSO), OAuth (Google, Microsoft, Apple).

Login Verification.
Activation of Multi-Factor Authentication (MFA) or configuration of your Single Sign-On (SSO).

Access Management.
Document access restrictions, account settings access restrictions, role-based access control (RBAC), and IP Firewall.

Audit Trail.
Every action performed within an Envelope or an Account is recorded in the system audit log together with the timestamp, IP address, and Platform identifiers.

9.3. Incident Notification

Where a confirmed security incident may result in a breach of the confidentiality, integrity, or availability of personal data, WhiteDoc shall take appropriate measures to contain, assess, and remediate the consequences of such incident.

Where WhiteDoc acts as a Data Processor, the Company shall notify the relevant Customer acting as the Data Controller without undue delay after becoming aware of the incident.

Where WhiteDoc acts as a Data Controller, the Company shall notify the competent supervisory authority and/or the affected data subjects in the cases and within the timeframes required by applicable law, including Articles 33 and 34 of the GDPR.


10. COOKIES AND CHANGES TO THIS POLICY

💡 Plain Language:

We use cookies to ensure that the system remembers that you have signed in to your account and functions reliably.

Marketing cookies are used in accordance with your consent preferences and applicable legal requirements.

This Policy may be updated from time to time. However, we will notify you of any material changes by email or through your personal account within the Platform.

⚖️ Legal Text:

10.1. The Platform uses cookies to maintain authentication sessions, ensure interface stability, and provide security.

Non-essential cookies are used in accordance with the user's consent preferences and the requirements of applicable law.

Detailed information is available in our separate Cookie Policy.

10.2. The Company may periodically update this Policy due to changes in applicable legislation or expansion of the Platform's functionality. The latest revision date is always available at the beginning of this document. Where material changes are made, Users will be notified in advance by email or through the Service interface.


11. OFFICIAL CONTACT DETAILS AND CONTROLLER INFORMATION

Legal Entity Name: LLC "CENTREDO"

EDRPOU Code: 43617469

ITN Code: 436174626585

D‑U‑N‑S Number: 537809077

Registered Address: 7A Mykoly Vasylenka Street, Kyiv, 03124, Ukraine

Email for Personal Data Requests: privacy@whitedoc.ua

Customer Support: help@whitedoc.ua

Did this answer your question?