We ("Docomondo", "us", "we", or "our") are committed to protecting your privacy and ensuring transparency in how your personal data is collected and processed across all our services.
This Privacy Policy applies to all users of the docomondo Service, which includes:
These services are collectively referred to in this Privacy Policy as “docomondo” or the “Service.”
This Privacy Policy outlines how we collect, use, store, disclose, and protect your personal data when you use our Service, and the rights you have in relation to your data. By using the Service, you agree to the terms of this Privacy Policy.
Unless otherwise defined herein, terms used in this Policy have the same meaning as those set out in our Terms and Conditions.
We attach great importance to the protection and security of your personal data. We regard the protection of your private sphere and compliance with data protection requirements as the key matter when collecting, processing and using your personal data. Therefore, your personal data are collected, processed and used exclusively in compliance with the provisions of data protection laws.
It is important for us as a company that while using our Service you can trust that we observe data protection at all times. You should know which personal data are collected by us during your use of the Service and how we process and use them. Moreover, we would like to inform you about measures we take to protect your personal data against manipulation, loss, destruction and abuse. We do not own, sell or disclose your data to unauthorised third parties.
1. Definitions
Personal Data (or Data) | Personal Data means any information relating to an identified or identifiable natural person (“Data Subject”), including information such as a name, identification number, location data, an online identifier, financial data, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
docomondo User, User or Data Subject | A User refers to any individual who registers for or interacts with the docomondo Service in any capacity, including individual account holders, participants under organisational or team accounts, and trial users. |
Data Controller | Panera Tec AG acts as the Data Controller of your Personal Data when you use any of the docomondo applications (DMS, Budget, or Expense), whether accessed via iOS, Android, Web, or macOS. In some cases—particularly where integrations with third-party services such as SaltEdge are involved—Panera may act as a joint controller or independent controller in accordance with applicable data protection laws. |
Data Processor (or Service Provider) | A Data Processor is any third party that processes Personal Data on behalf of Panera in accordance with Article 28 of the GDPR. This includes cloud storage providers, email service providers, analytics partners, and other technical infrastructure providers used to deliver the docomondo Service. |
2. Collecting Personal Data
2.1 Personal Data We Do Collect
We collect and process different types of Personal Data depending on how you interact with the Docomondo Service. The nature and scope of the data collected will vary based on the specific application you use—Docomondo DMS, Docomondo Budget, or Docomondo Expense—and the platform through which you access the Service (e.g. iOS, Android, Web App, or macOS).
The following categories of Personal Data may be collected, depending on your use of the Service:
Contact and Registration Data | Collected when you create or manage an account on any of the apps: – Name – Email address – Password or login token (where applicable) – Device language and country settings. |
Content | The Content is uploaded by you into the Service and may or may not contain Personal Data. As explained in Section 8, your Content is securely encrypted, meaning that we cannot read it. We do, however, send it over a network, index it for searching, display it on your various devices, etc. in order to provide you with our Service. The details of the data used for the services are explained separately in section 8. Uploading Content into our Service does not change that Content's ownership or copyright status. If the Content was yours to begin with, it remains yours after you put it in the Service. Of course, if the Content wasn’t yours to begin with, putting it in the Service doesn’t make it yours. |
Device and Usage Data | Collected automatically when you interact with the Service: – Device type and model – Operating system and version – IP address – Browser or app version – Crash logs, diagnostics, and performance data – Usage patterns, session lengths, and interaction events. This data is processed via analytics providers such as PostHog, Google Analytics, Firebase, Sentry, and Facebook Pixel. |
Demographic and Statistical Data | Collected with your explicit consent for feature development and analytics: – Country – Date of birth – Gender. Statistical data is processed in anonymised or pseudonymised form whenever possible. |
Location Data | With your explicit consent, we may collect your geolocation: – In the DMS app: to assist in tagging scanned documents. – In the Expense app: to calculate mileage reports. Location data is never collected without your prior authorisation and may be disabled at any time in your device settings. |
Content and Document Data | If you upload or scan documents using one of the docomondo apps: – Scanned files, uploaded documents, and associated tags – Text recognised from scanned images (OCR). OCR processing is performed either on-device using Apple VisionKit (iOS) or Google MLKit (Android), or—when using the Web App—through AWS Textract. Uploaded documents are inaccessible to Panera unless explicitly shared by you; however, certain metadata (such as tags, dates, or filters) may be processed within our cloud to support app functionality. Access to such metadata is limited to a small number of authorised employees and only from within our office network (IP whitelisted). These employees are bound by strict confidentiality obligations under signed Non-Disclosure Agreements (NDAs). |
Financial and Transactional Data (Budget and Expense Apps) | Collected only when you choose to connect bank accounts or manage budgets: – Bank account metadata – Transaction history – Budget categories and limits – Shared budget participants. Only the bank account metadata and transaction history are retrieved via SaltEdge, which is authorised under PSD2 regulations. As part of this process, we transmit your verified email address to SaltEdge to enable secure session creation and access to your authorised financial data. You will be informed of this processing during onboarding. SaltEdge acts as an independent data controller for this processing and handles your data in accordance with its own Privacy Policy, available at https://www.saltedge.com/pages/privacy_policy. Budget categories and limits as well as shared budget participants are collected directly by Panera within the app environment. Panera does not store your bank login credentials and only receives financial data that you explicitly authorise to be shared. All data transfers are encrypted. Payment data for subscription processing is handled by Stripe (for web-based payments) or by Apple App Store and Google Play Store (for in-app purchases on iOS and Android, respectively), while RevenueCat manages subscription status but does not process or handle any payments. |
Organisational and Team Data (Expense App Only) | When using the Expense app in an organisational context: – Submitted expenses, receipts, and categories – Mileage records – Approval status and comments from managers – Company email domains or team group identifiers This data is processed strictly to facilitate the employer-authorised use of the Expense functionality and may be visible to authorised team managers or finance admins within your organisation. |
Tracking Technologies | We use tracking technologies such as cookies, SDKs, and usage beacons to monitor Service performance, user engagement, and crash behaviour. These include services provided by Google Analytics, PostHog, Firebase, Sentry, and Facebook Pixel. Please also refer to our Cookie Policy for further details about tracking on the website. |
2.2 Personal Data We Do Not Collect
We want to be fully transparent with you, and for this reason we want to disclose which Personal Data we do not collect when you use our Service.
We do not collect or process any of the following data types through the docomondo Service:
We also do not access or review the content of documents you upload to the Service, except in limited cases where you explicitly enable OCR features. In such cases:
In all cases, uploaded documents are encrypted in transit and at rest, and access is restricted in accordance with the data protection principles set out in this Policy.
2.3 Sensitive Personal Data
The following Personal Data is considered sensitive (the "Sensitive Personal Data") and is subject to specific processing conditions:
Protecting your Personal Data is of the utmost importance to us and we take this responsibility very seriously. We therefore ask you not to upload any Sensitive Personal Data into the Service.
3. How We Collect Personal Data
We collect information about you when you use our Service, including registering and taking certain actions within it.
Means of collection | Explanation | Personal Data collected |
Directly | ||
Your use of the App | We keep track of certain information about you when you visit and interact with our App. | This information includes the Content and Usage Data (as defined above in Section 2 Collect). |
Your registration on the App | We collect information about you when you register on docomondo as a User. | This information includes the Contact Data and the Registration Data (as defined above in Section 2 Collect). |
Device and connection information | We collect information about your phone, tablet, or other devices you use to access the App. | This information includes the Location Data and Usage Data (as defined above in Section 2 Collect). How much of this information we collect depends on the type and settings of the device you use to access our Service. |
Tracking technologies | We and our third-party partners, such as our advertising and analytics partners, use tracking technologies (e.g., web beacons, device identifiers and pixels) to provide functionality and to recognise you across different services and devices. | This information includes the Tracking Data (as defined above in Section 2 Collect). For more information, please refer to our Cookie Policy. |
Indirectly | ||
Other partners | We receive information about you and your activities on and off the App from third-party partners, such as advertising and market research partners who provide us with information about your interest in, and engagement with, our Services and online advertisements. | This information includes the Usage Data and Tracking Data (as defined above in Section 2 Collect). |
4. Legal Basis and Purposes
We process your Personal Data in accordance with the lawful bases set out under Article 6(1) of the UK General Data Protection Regulation (UK GDPR), depending on the specific context and purpose of collection. The legal bases we rely on include:
Legal Basis | Explanation | Purpose |
Contract | To perform our contractual obligations or take steps linked to a contract with you or your organisation. |
|
Consent (Article 6(1) (a)) | We process data based on your explicit consent, given when you enable optional features (e.g. marketing preferences, geolocation). You can withdraw consent at any time. | Collecting demographic or statistical data (e.g., gender, date of birth). Geolocation data for specific features (e.g., mileage tracking in Expense App). Cookies and tracking for analytics and marketing. |
Contractual Necessity (Article 6(1) (b)) | We process data when necessary to fulfil our agreement with you. | To provide access to core Service functions like account creation, document management, budgeting, and expense tracking. |
Legal Obligation (Article 6(1) (c)) | We process data when required to comply with legal obligations. | To meet regulatory requirements such as financial reporting, audit obligations, and anti-fraud checks. |
Legitimate Interests (Article 6(1) (f)) | We process data when it's in our legitimate interests and does not override your rights. | To improve the Service, conduct user analytics, enhance security, and prevent misuse or fraud. |
Special Categories (Article 9) | We don’t intentionally process sensitive data (e.g., health, biometrics) unless required by law or consent. | Not applicable unless explicitly permitted, like when financial data is shared for PSD2 processing via SaltEdge. |
Public interest | To meet regulatory and public interest obligations. | To maintain records and conduct compliance checks, e.g. anti-money laundering, fraud and crime prevention. |
5. Data Retention
We will retain your Personal Data only for as long as necessary to fulfil the purposes for which it was collected, including for legal, accounting, or reporting obligations.
Retention periods will vary based on the type of data and the purpose for which it was collected. Generally, we retain Personal Data for the following periods:
If you have any questions about the retention of your Personal Data or wish to exercise your rights, please contact us at privacy@panera.com.
6. Storage And Data Transfers
Your Personal Data is stored either locally on your personal device, within the docomondo cloud infrastructure (the "docomondo Cloud"), or—for users of the DMS App—on your personal iCloud or Google Drive account, depending on your selected configuration. We may also use carefully selected, data privacy-compliant Service Providers (as defined in Section 10) located in Liechtenstein, Switzerland, the European Union and the United States.
In particular, authentication and account management data may be processed by Clerk, a U.S.-based service provider that stores all data exclusively in the United States. Clerk is certified under the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework (collectively, the “DPF”), which the European Commission and UK Government have recognised as providing an adequate level of protection for personal data pursuant to Article 45 of the EU and UK GDPR. Clerk’s certification may be reviewed at: https://clerk.com/legal/dpf. For more information on Clerk’s data processing obligations, see its Data Processing Agreement: https://clerk.com/legal/dpa.
In addition to DPF-certified providers, for other transfers of Personal Data outside the EEA or UK—particularly to countries not subject to an adequacy decision—we implement appropriate safeguards, including Standard Contractual Clauses (SCCs) issued pursuant to the European Commission’s decisions of 27 December 2004 (2004/915/EC), 5 February 2010 (C(2010) 593), and 4 June 2021 (EU2021/914), as well as the UK’s International Data Transfer Addendum to the SCCs. Where required, these safeguards are supplemented by Transfer Impact Assessments (TIAs) in compliance with the CJEU's Schrems II ruling (C-311/18). As a data controller, we ensure that all data processors engaged to store or process Personal Data on our behalf are bound by written data processing agreements under Article 28 of the UK and EU GDPR and provide sufficient guarantees to implement appropriate technical and organizational measures
We take all steps reasonably necessary to ensure that your Personal Data is treated securely and in accordance with applicable data protection laws, and that no transfer of your Personal Data takes place to any organisation or country unless adequate safeguards are in place.
7. Data Disclosure
We may disclose your Personal Data in the good faith belief that such action is necessary to:
We will ensure that any third-party recipients of your Personal Data are subject to appropriate safeguards, such as data processing agreements under UK GDPR Article 28, and are only permitted to use your data for the specified legal purposes.
8. Data Security
We take reasonable technical and organizational security measures that we deem appropriate in order to protect your stored data against manipulation, loss, or unauthorised third-party access. Our security measures are continually adapted to technological developments.
We ensure that all third-party providers (data processors) with whom we share your Personal Data implement adequate technical and organizational security measures, as required und We also take internal data privacy very seriously. Our employees and the Service Providers that we retain are required to maintain secrecy and to comply with applicable data protection legislation. In addition, they are granted access to Personal Data only insofar as this is necessary for them to carry out their respective tasks or mandate. Please be advised that uploaded documents are encrypted in transit and at rest, regardless of where they are stored. For the Docomondo DMS App, users may choose to store documents on their personal iCloud, Google Drive, local device storage, or the Docomondo Cloud. By contrast, data from the Budget and Expense apps is always stored securely on the Docomondo Cloud. When documents are stored on iCloud, Google Drive, or locally on the device, we have no access to the uploaded documents in any form.
When stored on the Docomondo Cloud, a very limited number of authorized employees may access this data only with the user’s explicit consent, and solely from within our office network via IP whitelist restrictions. These employees are bound by strict confidentiality and have signed Non-Disclosure Agreements (NDAs).
In order to enable full-text search functionality within the Web App, OCR data from uploaded documents is processed and stored securely. It is accessed automatically by the system and only individually accessed by authorised employees with user consent and under strict NDA.
For users who exclusively use the mobile app and opt to store documents outside the Docomondo Cloud, no OCR data or document content is stored or accessible to Panera. If you decide to use the mobile app only, no information contained in the documents you have scanned (the ‘scanned documents’) will be recorded. This means that absolutely nobody but you can access this data.
The following table of technical and organizational measures describes the steps we have taken to protect your Personal Data:
Measure | Details | Concrete actions |
Confidential | ||
Physical access control | No unauthorised access to our facilities. | Keys/magnetic chip cards |
Electronic access control | No unauthorised use of the Data processing and Data storage systems. |
|
Internal access control | No unauthorised reading, copying, changes or deletions of Personal Data within the system. |
|
Integrity | ||
Data transfer control | No unauthorised Reading, Copying, Changes or Deletions of Data with electronic transfer or transport. |
|
Data entry control | Verification whether and by whom personal data is entered into a Data Processing System, is changed or deleted. | Timestamp-based logging is implemented. As only one authorised staff member currently has access, user-specific tracking is not required but will be implemented as user base expands. Confidentiality and accountability are contractually ensured. |
Availability and resilience | ||
Availability control | Prevention of accidental or wilful destruction or loss. |
|
Contract control | No third-party data processing as per Article 28 GDPR without appropriate safeguards. |
|
Data Protection policies | The processing of Personal Data is guided by binding confidentiality obligations and will be formalised through internal policies. | Currently, employees with access to Personal Data are bound by Non-Disclosure Agreements (NDAs). |
The security of your Personal Data is important to us but remember that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security. We hereby notify you of the danger emanating from viruses or other harmful software (malware) or from hacking, phishing or other comparable attacks. We recommend that you use antivirus software, a spam filter, and other software to protect your system (e.g., a firewall) and to keep them up to date. We reject any and all liability for manipulations of your IT system by unauthorized parties in connection with accessing our Service.
9. Data Protection Rights
Under the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR), you have several rights regarding your Personal Data, which we summarise below. We will respond to your request without undue delay and, in any event, within one calendar month of receipt. Please note that we may ask you to verify your identity before responding to such requests. These rights are intended to give you greater control over your Personal Data, and we are fully committed to upholding them in all applicable jurisdictions.
Right to access (Article 15 UK/EU GDPR) | You have the right to request a copy of your Personal Data held by us and confirm how we are processing it. |
Right to Rectification (Article 16 UK/EU GDPR) | You have the right to ask us to correct our records if you believe they contain incorrect or incomplete information about you. |
Right to Withdraw Consent (Article 7 UK/EU GDPR) | If you have provided your consent to the collection, processing and transfer of your Personal Data, you have the right to fully or partly withdraw your consent. This includes cases where you wish to opt out from marketing messages. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to which you originally consented unless there is another Legal Basis for the processing. To stop receiving emails from us, please click on the "unsubscribe" link in the email you received from us. |
Right to Erasure (Article 17 UK/EU GDPR) | Also known as the "right to be forgotten," you have the right to request that we delete your Personal Data when it is no longer necessary for the purposes it was collected or if you withdraw your consent. |
Right to Restriction of Processing (Article 18 UK/EU GDPR) | You have the right to request the restriction of our processing of your Personal Data where you believe it to be inaccurate, our processing is unlawful, or where we no longer need to process it for the initial Purpose, but where we are not able to delete it due to a legal obligation or because you do not want us to delete it. |
Right to Data Portability (Article 20 UK/EU GDPR) | You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format (e.g., CSV, Excel) and to transmit this data to another data controller without hindrance, where the processing is based on your consent or contractual necessity. We will respond to this request within one month. This right applies only to data you have provided to us directly (e.g., through account creation or service usage) and when the processing is carried out by automated means. |
Right to Object (Article 21) | You have the right to object to the processing of your Personal Data, including for direct marketing purposes, or where we are processing your data based on legitimate interests or public tasks. |
Right to lodge a complaint with a supervisory authority | You have the right of appeal to a data protection supervisory authority if you believe that the processing of your Personal Data violates data protection law. |
If you wish to exercise any of these rights, please contact us at privacy@docomondo.com.
We will respond to your request within one month. In case your request is complex or numerous, we may extend this period by an additional two months. If an extension is needed, we will notify you within the first month of receiving your request.
If you are dissatisfied with our response, you have the right to lodge a complaint with the relevant data protection supervisory authority. In the United Kingdom, this is the Information Commissioner’s Office (ICO). If you are located in the European Union, you may contact the Data Protection Authority (DPA) in your country of residence, a list of which is available via the European Data Protection Board (EDPB) at https://edpb.europa.eu.
10. Service Providers
We may employ third party companies and individuals to facilitate the operation of our Service ("Service Providers"). These Service Providers assist us with essential business functions, including but not limited to:
These Service Providers process your Personal Data solely to perform their designated functions on our behalf and are contractually obligated to maintain the confidentiality and security of your data in accordance with Article 28 of the UK GDPR and EU GDPR. Where applicable, we implement appropriate safeguards, such as Standard Contractual Clauses, to ensure adequate protection in the case of international data transfers.
App | Provided by |
Functional Services Providers | |
React Native | |
Google ML Kit | |
iOS 13 Native OCR | |
Mac OS Catalina Project Catalyst | |
Hetzner | |
Vercel | |
PlanetScale | |
Axiom | |
Amazon Web Services (AWS) | |
Account Management Providers | |
Stripe Integration | |
Revenue Cat | |
Amazon Web Services | |
Typescript | |
Intercom | |
Clerk | |
Typescript | |
Analytics Services Providers | |
Google Tag Manager | |
Firebase | You can opt out via email. |
Google Analytics | |
Sentry | |
PostHog | |
Facebook Pixel | |
Open Banking Integration Providers | |
SaltEdge |
All listed providers process Personal Data only to the extent necessary to provide their services on our behalf and are bound by data processing agreements in accordance with Article 28 UK/EU GDPR.
Data Transfers Outside the UK/EEA:
Some of our Service Providers may be located outside the United Kingdom and European Economic Area (EEA). In these cases, we will take appropriate measures to ensure that your Personal Data remains protected in compliance with UK GDPR Articles 44-50. This includes implementing Standard Contractual Clauses (SCCs) or Privacy Shield certifications (where applicable), as well as ensuring that the third parties comply with all data protection laws and safeguard your privacy. If you have any concerns about the Service Providers we use, or would like more detailed information about how we ensure the protection of your Personal Data, please contact us at privacy@docomondo.com.
11. Links To Third-party Apps And Sites
Our Service may contain links to sites or apps that are not operated by us. If you click a third-party link, you will be directed to that third party’s site or app.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.
12. Children’s Privacy
Our Website does not address anyone under the age of 18 ("Children").
We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your Child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children without verification of parental consent, we take steps to remove that information from our servers.
13. Changes to This Privacy Policy
We may update our Privacy Policy from time to time.
We will notify you via email and/or a prominent notice on our Website, prior to the change becoming effective and update the effective date at the top of this Privacy Policy, but we encourage you to review this Privacy Policy periodically for any changes.
Changes to this Privacy Policy are effective when they are posted on this page.
14. Language Availability and Legal Interpretation
This Privacy Policy may be provided in multiple languages for the convenience of users across different jurisdictions. In the event of any inconsistency, ambiguity, or conflict between a translated version and the original English version, the English version shall prevail and be deemed the authoritative and legally binding version. We recommend referring to the English version for the most accurate and complete understanding of your rights and our obligations.
If you have any questions regarding the interpretation of this Privacy Policy or require further clarification, please contact us at privacy@docomondo.com.
15. Contact Us
If you have any questions about this Privacy Policy, please contact us at
Panera Tec AG
Im Besch 21
9494 Schaan
Liechtenstein
privacy@docomondo.com