OCRWell
Get Started
Legal

Privacy Policy

The documents you send to OCRWell are yours. This policy explains exactly what we collect, what we do with it, and — most importantly — what we don't.

Last updated .

Commitment 01
We never use your data to train AI models

Documents you send to OCRWell — and the data extracted from them — are never used to train, fine-tune, evaluate, or benchmark any machine-learning model, ours or anyone else's.

Commitment 02
Documents are deleted automatically after processing

Uploaded files are removed from storage as soon as processing completes. Results are deleted five minutes after first retrieval, with a 24-hour hard limit as a safeguard.

At a glance

  • We do not use your documents or extracted data to train, fine-tune, or evaluate AI models.
  • Uploaded files are deleted from storage immediately after processing.
  • Extracted results are deleted five minutes after first retrieval, and no later than 24 hours regardless.
  • We collect only the account and billing information needed to run the service, plus operational logs.
  • Data is encrypted in transit (TLS 1.3) and at rest (AES-256 via AWS KMS, FIPS 140-2 validated HSM).
  • You can delete your account and associated metadata at any time.

Who we are

OCRWell is a product of Corrected Cloud Pty Ltd, an Australian company. When this policy refers to "we", "us", or "OCRWell", it means Corrected Cloud Pty Ltd acting as the data controller for personal information collected through the OCRWell website, API, and dashboard.

We handle personal information in accordance with the Australian Privacy Principles set out in the Privacy Act 1988 (Cth). Where GDPR or UK GDPR applies, we act as a data processor in respect of the documents you submit for processing and as a controller for account and billing data.

What we collect

We collect only what we need to run the service and bill for it.

Account information

Your name, email address, organisation name, and the API keys you create. Passwords are salted and hashed; API keys are shown once at creation and stored as hashes afterwards.

Billing information

Handled by Stripe. We receive a customer identifier, the last four digits of your card, and invoice history. We never see or store full card numbers.

Documents and results

The files you submit to the API, the structured data we return, and the job metadata needed to route a request (page count, file size, mime type, timestamps). Contents are processed in memory and in short-lived object storage — see How we handle your documents.

Operational logs

Request metadata (method, path, status code, timing, truncated user agent, source IP), error traces, and rate-limit counters. Logs do not include document contents or extracted field values. Logs are retained for 30 days for debugging and abuse prevention, then deleted.

Website analytics

Marketing pages (ocrwell.com) use privacy-respecting aggregate analytics only. No cross-site tracking cookies, no advertising pixels.

How we handle your documents

Documents submitted to the API are treated as short-lived processing artefacts, not stored content.

  • Upload: files are PUT to a pre-signed URL scoped to a single object in an encrypted S3 bucket.
  • Processing: the worker reads the file, runs OCR and extraction, and writes the result to a temporary result store.
  • Immediate deletion: as soon as processing completes, the source file is deleted from object storage.
  • Five-minute result window: results remain available for five minutes after the first successful retrieval, then are permanently deleted.
  • 24-hour safeguard: any upload, result, or intermediate artefact that somehow survives those steps — for example, because a job errored or a result was never retrieved — is removed by a 24-hour lifecycle policy.
The API is not a document store. Persist whatever you need into your own database as soon as the result comes back. The same retention rules are documented alongside the API reference under Data retention.

Use for AI training

We do not use customer content to train, fine-tune, evaluate, or benchmark machine-learning models. That applies to documents you upload, the structured data OCRWell returns, and any derived embeddings or intermediate artefacts produced during processing.

This also applies to the third-party language models OCRWell uses internally. We only use model endpoints configured with zero-retention and no-training terms, so prompts and responses are not persisted or reused by the provider for model improvement.

We improve the service by measuring aggregate, non-identifying signals — error rates, latency, schema validation outcomes — never by reading your documents.

Sub-processors

We rely on a small number of infrastructure providers to deliver the service. Each is bound by contractual data-processing terms that match the commitments in this policy.

ProviderPurposeRegion
Amazon Web ServicesCompute, storage, encryption (KMS), networkingus-west-2
StripeSubscription billing and payment processingUnited States

Security

  • All traffic is encrypted in transit with TLS 1.3; plaintext HTTP is rejected.
  • Data at rest is encrypted with AES-256 using AWS KMS keys managed in a FIPS 140-2 validated HSM.
  • API keys are shown once at creation and stored as hashes only.
  • Access to production systems is restricted to named engineers, logged, and subject to mandatory MFA.
  • Object storage buckets have no public access and require SigV4-signed requests.

The full overview — access control, network isolation, logging, vulnerability disclosure, and incident response — is on the security page.

Your rights

Depending on where you live, you may have rights to access, correct, export, or delete the personal information we hold about you, and to object to or restrict certain processing.

  • Access and portability: account details are visible and exportable from the dashboard. Email us for anything that isn't.
  • Correction: update your profile in the dashboard, or ask us to correct records you can't edit yourself.
  • Deletion: you can delete your account and we will remove associated metadata within 30 days, excluding records we are legally required to retain (e.g. tax invoices).
  • Complaint: Australian residents can lodge a complaint with the Office of the Australian Information Commissioner (oaic.gov.au). Residents of the EU, UK, or other jurisdictions can contact their local supervisory authority.

International transfers

OCRWell is hosted in AWS us-west-2 (Oregon, USA). Personal information, including documents you submit for processing, is transferred to and processed there. Where applicable, we rely on Standard Contractual Clauses or equivalent mechanisms for transfers out of the EEA, UK, and Australia.

Children

OCRWell is a developer tool and is not directed at children. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided personal information to us, please contact us and we will delete it.

Changes to this policy

We update this policy as the service evolves. Material changes will be announced by email to account owners and reflected in the "Last updated" date at the top of this page. Continuing to use OCRWell after the effective date of a change means you accept the updated terms.

Contact

Questions about this policy, or requests to exercise any of the rights described above, can be sent to privacy@ocrwell.com.

Postal address: Corrected Cloud Pty Ltd, Suite 12, Level 3, 1 Mona Vale Road, Mona Vale NSW 2103, Australia.

OCRWell

Precision-engineered document intelligence for the developers shaping the modern web.

Platform
Resources
Legal
© 2026 Corrected Cloud Pty Ltd. OCRWell is a product of Corrected Cloud Pty Ltd.
All systems operational