Privacy Policy

1. Who we are

Redactum is operated by AJD Invest AS, a company registered in Norway. You can reach us at support@redactum.no. For data-protection questions specifically, legal@redactum.no.

AJD Invest AS is the data controller for personal information processed through Redactum. This policy explains what we collect, what we do with it, and the rights you have under the GDPR.

2. What we collect

We collect only what we need to run the product:

• Account information — email address and a unique user identifier issued by our auth provider when you sign up.
• Documents you upload — the PDF file and the text we extract from it for redaction. Held in server memory only, for the duration of your session (up to 30 minutes), then discarded automatically.
• Redaction instructions — the text you type to describe what should be redacted. Sent to our AI provider along with the document text.
• Payment information — handled entirely by our payment processor. We store only your customer ID and a ledger of credit grants and consumption. We never see or store card numbers.
• Usage records — an audit row per redaction job with filename, page count, credits charged, and timestamps. Retained so you (and we) can reconcile your credit usage.

3. How we use it

• To run the redaction service you’ve signed up for.
• To process and fulfill your credit purchases, and to keep an accurate record of your balance.
• To respond to support requests and fix problems.
• To prevent abuse (e.g., identifying unusual upload patterns that suggest automated scraping).

We do not use your uploaded documents or redaction instructions to train AI models, improve the service, or for any purpose other than delivering the redaction you requested.

4. How long we keep it

• Uploaded PDFs and their extracted text: up to 30 minutes in server memory, then automatically deleted. They are never written to disk.
• Account and ledger records: retained for as long as your account is active, plus the period required by applicable bookkeeping law (5 years under Norwegian bokføringsloven for transaction records).
• Support correspondence: 2 years from the last interaction.

5. Third parties we use

We rely on a small set of trusted processors to run Redactum. Each is GDPR-compliant and has a Data Processing Agreement in place with us.

• Anthropic — our AI provider. Document text and your redaction instructions are sent here so the AI can identify which spans to redact. Anthropic’s API policy states that data sent via the API is not used to train their models.
• Clerk — authentication. Stores your email and user identifier.
• Stripe — payment processing. Handles card details and charges; we only see a customer ID and payment confirmation.
• Railway — hosting and managed database. Our application and its database run on Railway’s infrastructure.

6. Your rights

Under the GDPR you have the right to:

• Request access to the personal data we hold about you.
• Ask us to correct data that’s inaccurate.
• Ask us to delete your account and associated data (we’ll comply except where retention is required by law — see section 4).
• Request a machine-readable export of your data.
• Object to or restrict our processing of your data in certain circumstances.
• Lodge a complaint with your national data-protection authority (in Norway: Datatilsynet).

To exercise any of these, email legal@redactum.no. We aim to respond within 30 days.

7. Cookies

Redactum uses only functional cookies needed to run the application — primarily your authentication session cookie issued by Clerk. We don’t use third-party tracking cookies or advertising pixels.

8. International transfers

Some of our processors (Anthropic, Stripe) are headquartered in the United States. Data transferred to them is covered by Standard Contractual Clauses under Article 46 of the GDPR.

9. Children

Redactum is a B2B product and not intended for use by people under 16. We don’t knowingly collect data from children.

10. Changes to this policy

If we change this policy materially we’ll notify active users by email at least 14 days before the change takes effect. The date at the top reflects the most recent update.