Documents are different from photos
When you upload a photo to an editing service, the worst plausible outcome of that photo persisting on their servers is embarrassing. When you upload documents — tax records, medical correspondence, contracts, bank statements, notary letters — the stakes are different. These documents contain your address, your financial history, your identity numbers, your legal relationships.
We built PaperSweep to process exactly these kinds of documents. That made the privacy question non-optional from the beginning: we had to decide what would happen to user data after processing completed. The answer we arrived at was simple: delete it.
The principle: processing, not storage
PaperSweep is a processing tool, not a storage service. The value it provides — OCR, classification, categorisation — is delivered at the moment of processing. After that, the files on our servers serve no further purpose for the user.
If they serve no purpose for the user, they should not exist.
This is the principle behind our ephemeral model: files are uploaded, processed, and then scheduled for automatic deletion. The default window is two hours — long enough to download results and review them, short enough to limit exposure. Users who want a shorter window can choose five or fifteen minutes before uploading. Those who want to delete immediately after downloading can do so with a single button on the results page.
What "deleted" means
When we say files are deleted, we mean: the uploaded PDF, the extracted OCR text, the processed output files, and the ZIP archive are all removed from our server filesystem. The job record — a small database entry that tracked that a processing job existed — is also removed.
We do not archive, anonymise and retain, aggregate into training data, or move files to cold storage before deletion. Deletion means deletion.
We are aware that "we delete your files" is a claim that is easy to make and impossible for users to verify directly. Our Data Transparency page explains in technical detail how the deletion pipeline works. We also make the deletion user-controlled — the "delete now" button on the results page triggers immediate deletion on our servers, not just a flag in a database.
Why not keep files and let users manage them?
This is the obvious alternative: store everything, give users an account, let them manage their own document library. Several document processing services work this way.
We considered it and decided against it, for three reasons.
First, stored files are a liability. Every file we retain is a file that could be exposed in a security breach, subpoenaed in a legal proceeding, or accessed inappropriately by an insider. A file that does not exist cannot be exposed. Deletion is the strongest form of data protection.
Second, accounts create friction. PaperSweep is designed to be used without creating an account — upload, process, download, done. Introducing account-based storage would fundamentally change that experience, adding a login step to every session and a password to remember indefinitely.
Third, the value of the service is in the processing, not the storage. If you want to store your documents long-term, there are services built specifically for that purpose — they do it better than a processing tool would. Our focus is the processing step: bulk OCR, categorisation, and the structured output that makes your documents findable. What you do with that output is up to you.
GDPR and the principle of data minimisation
European data protection law enshrines a principle called data minimisation: organisations should collect and retain only the personal data that is strictly necessary for the specific purpose for which it was collected. The purpose here is document processing. Once processing is complete, continued retention is no longer necessary — and under the minimisation principle, it is not justifiable.
Our two-hour default TTL is a practical implementation of this principle. We think the principle is correct on its merits, independent of the legal obligation. Shorter default TTLs would create usability problems for users who need time to download and review their results. Longer defaults would retain sensitive documents longer than necessary. Two hours is a considered balance, and the user-selectable shorter options (5 and 15 minutes) are available for users whose needs require tighter control.
What we do retain
For transparency: we do retain anonymous, aggregated usage statistics — total processing jobs, total pages processed, error rates — for the purpose of understanding how the service is used and identifying problems. These statistics contain no document content and no information that could identify an individual user or their documents.
We also retain a record of paid transactions through Stripe, as required for accounting and legal purposes. These records contain payment amounts and timestamps, but not document content.
Everything we retain is described in our Privacy Policy. If you have questions about specific data handling, our contact page is the right place to ask them.
The TTL you control
Because privacy needs vary, users can choose the deletion window before uploading:
- 5 minutes — for users who want their data off our servers almost immediately after downloading
- 15 minutes — a short window with a little more breathing room
- 2 hours — the default; comfortable for most use cases
The "delete now" button on the results page is always available regardless of which TTL you chose. It triggers immediate deletion and is confirmed by a banner — the files are gone, not flagged for later deletion.
This is not privacy theatre. The control is real, the deletion is immediate, and the design of the system reflects a genuine belief that sensitive documents should spend as little time as possible on someone else's server.