Skip to main content
DocTranslate
Log inSign up

Data handling FAQ

Plain-language answers aligned with the open-source architecture. Refine wording with counsel for your jurisdiction.

  • Where does my PDF live?

    Original and translated PDF bytes are stored in Cloudflare R2 object storage. Metadata (filename, page count, languages, status) is stored in Cloudflare D1. The Next.js marketing site does not host your files.

  • Who can access my documents?

    Authenticated API requests scoped to your account can create presigned upload and download URLs. A separate translation HTTP service you operate receives time-limited presigned URLs so it can read the original and write the translated object. Your team should restrict network access and secrets to that service.

  • How long are files and metadata kept?

    Until you delete them, delete your account, or automated retention applies. Operators can set DOCUMENT_RETENTION_DAYS and INTEGRATION_LOG_RETENTION_DAYS on the API Worker to schedule purges of old completed or failed documents (including R2 objects) and integration delivery logs. Empty values mean no automated purge for that category.

  • How do I delete my account and files?

    Call POST /api/user/delete on your API origin with your Melody access token (Authorization: Bearer). The API removes your app profile row, related documents and billing rows, integration settings, and deletes all R2 objects under your user prefix, then removes the user in Melody Auth when S2S credentials are configured.

  • Can I export my data?

    Yes. Call GET /api/user/data-export with your access token for a JSON summary of profile, document metadata, and recent transactions. PDFs are not embedded in that JSON; download completed translations from the dashboard while your account is active.

  • Do you use my documents to train AI models?

    The DocTranslate application code does not implement model training or fine-tuning. Translation quality depends on upstream model providers configured inside your translation service (for example OpenAI). Whether a provider may use API inputs for training depends on their product tier and your contract— verify with your vendor and subprocessors list; do not claim “no training” in marketing unless counsel and technical controls support it.

  • What happens if I configure Slack or a webhook?

    You choose HTTPS endpoints. When a job completes, the API may POST a signed payload to your systems. That is an onward transfer under your responsibility; review destination security and update your privacy disclosures accordingly.

  • How is data encrypted?

    Browser and API traffic should use TLS (HTTPS) in production. R2 and D1 rely on Cloudflare platform protections at rest. Presigned URLs must be treated as secrets for the lifetime of the signature.

Privacy policy · Cookie notice · Subprocessors · Security & data handling