Last Updated: 2025-11-27
Effective Date: 2025-11-27
This Privacy Policy describes how pdf7, a Delaware company ("we," "us," "our," or "pdf7"), collects, uses, discloses, and protects your personal information when you use our website, applications, and services (collectively, the "Services").
By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Services.
1. Information We Collect
1.1 Information You Provide Directly
Account Information
When you create an account, we collect:
- Email address
- Password (encrypted)
- Name (if provided)
- Profile information you choose to add
Payment Information
When you subscribe to our Services, we collect:
- Billing name and address
- Payment method details (credit card, debit card)
Note: Payment information is processed and stored by our third-party payment processor (e.g., Stripe). We do not store complete credit card numbers on our servers. We only retain the last four digits of your card, card type, and expiration date for reference purposes.
Communication Information
When you contact us, we collect:
- Email correspondence
- Support ticket content
- Feedback and survey responses
User Content
When you use our Services, we collect:
- Content you input into our AI-powered tools
- Files you upload
- Outputs generated through the Services
- Usage preferences and settings
1.2 Information from Third-Party Authentication Providers
We offer the ability to register and sign in using third-party authentication services. When you choose to authenticate through these services, we receive certain information from them as described below.
Social Login and Authentication Providers
We may offer authentication through the following third-party providers:
- Google (Google Sign-In)
- Apple (Sign in with Apple)
- Facebook (Facebook Login)
- LinkedIn (LinkedIn Sign-In)
- X (formerly Twitter)
- Phone Number / SMS Authentication
- WhatsApp Authentication
Information Received from Authentication Providers
When you authenticate using a third-party provider, we may receive the following information depending on the provider and your privacy settings with that provider:
| Provider | Information We May Receive |
|---|---|
| Email address, name, profile picture, locale, email verification status | |
| Apple | Email address (real or relay), name (if provided), user identifier |
| Microsoft | Email address (real or relay), name (if provided), user identifier |
| Email address, name, profile picture, user ID | |
| Email address, name, profile picture, headline, public profile URL | |
| X (Twitter) | Email address (if available), username, name, profile picture |
| Phone/SMS | Phone number, verification status |
| Phone number, name (if available), verification status |
Important Notes About Third-Party Authentication:
- The information we receive is determined by the third-party provider and your privacy settings with that provider
- We do not control what information these providers share with us
- We do not receive or store your passwords for these third-party services
- Your relationship with these providers is governed by their respective privacy policies and terms of service
- You can manage the information shared with us through your privacy settings on each provider's platform
- Revoking our access through the provider's settings may affect your ability to sign in to our Services
Third-Party Provider Privacy Policies: We encourage you to review the privacy policies of any authentication providers you use:
1.3 Information Collected Automatically
Usage Data
We automatically collect information about your interaction with our Services, including:
- Features used and actions taken
- Date and time of access
- Duration of sessions
- Error logs and performance data
Device and Technical Information
- IP address
- Browser type and version
- Operating system
- Device type and identifiers
- Screen resolution
- Language preferences
Authentication and Security Data
- Login timestamps and frequency
- Authentication method used
- Session identifiers
- Security events (failed logins, password resets)
- Device fingerprints for fraud prevention
Cookies and Similar Technologies
We use cookies, pixels, and similar tracking technologies to collect information. See Section 8 for more details.
1.4 Information from Third-Party Services
We may receive information about you from:
- Payment processors (transaction confirmations, fraud alerts)
- Analytics providers
- Third-party authentication services (as described in Section 1.2)
- Identity verification services (if applicable)
- Fraud prevention services
2. How We Use Your Information
We use the information we collect for the following purposes:
Service Delivery
- Provide, operate, and maintain our Services
- Process your inputs and generate AI-powered outputs
- Authenticate your identity and manage your account
- Process payments and manage subscriptions
Authentication and Security
- Verify your identity when you sign in
- Maintain secure access to your account
- Detect and prevent fraudulent or unauthorized access
- Protect against account takeover and identity theft
- Comply with authentication provider requirements
Service Improvement
- Analyze usage patterns to improve our Services
- Develop new features and functionality
- Fix bugs and troubleshoot issues
- Conduct research and analysis
Communication
- Send transactional emails (receipts, confirmations, account alerts)
- Respond to your inquiries and support requests
- Send service updates and announcements
- Send marketing communications (with your consent, where required)
Legal and Security
- Comply with legal obligations
- Enforce our Terms of Service
- Detect, prevent, and address fraud, abuse, and security issues
- Protect the rights, property, and safety of pdf7 and our users
3. AI Data Processing
3.1 How We Process Your Content
Our Services use artificial intelligence to process your inputs and generate outputs. When you use our AI-powered features:
- Your inputs are sent to our servers and may be processed by third-party AI providers (such as OpenAI, Anthropic, or similar services) to generate outputs
- Processing is done in real-time to provide the Services
- We implement technical safeguards to protect your content during processing
3.2 AI Training
We do not use your personal inputs to train our AI models without your explicit consent. Your content is processed solely to provide the Services you requested.
We may use anonymized, aggregated data that cannot be linked back to you for:
- Improving our Services
- Developing new features
- Research and analysis
3.3 Third-Party AI Providers
Our AI processing may involve third-party providers. These providers:
- Process data according to their own privacy policies and terms
- Are contractually bound to maintain confidentiality
- May retain data for their operational purposes as described in their policies
4. How We Share Your Information
We do not sell your personal information. We may share your information in the following circumstances:
4.1 Service Providers
We share information with third-party service providers who perform services on our behalf, including:
| Service Type | Purpose | Examples |
|---|---|---|
| Payment Processing | Processing subscriptions and payments | Stripe, PayPal |
| Cloud Hosting | Storing and serving our application | AWS, Google Cloud, Azure, Cloudflare |
| AI Processing | Generating AI-powered outputs | OpenAI, Anthropic, Google Gemini, etc. |
| Analytics | Understanding usage patterns | Google Analytics, Mixpanel |
| Email Services | Sending transactional and marketing emails | SendGrid, Mailchimp, Mailazy |
| Customer Support | Managing support tickets | Zendesk, Intercom, Freshdesk |
| Authentication | Verifying user identity | Auth0, Firebase Auth, MojoAuth, SSOJet |
| Identity Verification | Preventing fraud and verifying identity | Various providers |
| SMS/Phone Verification | Phone number authentication | Twilio, MessageBird, AWS |
These providers are contractually obligated to use your information only for the purposes of providing services to us and in accordance with this Privacy Policy.
4.2 Authentication Providers
When you use third-party authentication (Google, Apple, Facebook, LinkedIn, X, Phone/WhatsApp), certain information flows between us and these providers as necessary to authenticate your identity. This is governed by both this Privacy Policy and the respective provider's privacy policy.
4.3 Legal Requirements
We may disclose your information if required to do so by law or in response to:
- Valid legal processes (subpoenas, court orders, government requests)
- Requests from law enforcement agencies
- To protect our rights, privacy, safety, or property
- To protect against legal liability
4.4 Business Transfers
If pdf7 is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website of any change in ownership or uses of your personal information.
4.5 With Your Consent
We may share your information for other purposes with your explicit consent.
5. Data Retention
5.1 Retention Periods
We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.
| Data Type | Retention Period |
|---|---|
| Account Information | Duration of account + 90 days after deletion |
| Payment/Billing Records | 7 years (legal/tax requirements) |
| User Content/Inputs | Duration of account + 30 days after deletion |
| Usage Data | 24 months |
| Support Communications | 3 years |
| Marketing Preferences | Until consent withdrawn |
| Authentication Logs | 12 months |
| Security/Fraud Prevention Data | Up to 7 years |
5.2 Deletion
When you delete your account:
- Your profile and account information will be deleted within 90 days
- Your user content will be deleted within 30 days
- Certain information may be retained as required by law (billing records)
- Anonymized, aggregated data may be retained indefinitely
- Connections to third-party authentication providers will be severed, but you may need to revoke access separately through those providers
5.3 Third-Party Authentication Data
When you disconnect a third-party authentication provider or delete your account:
- We will delete the data we received from that provider
- We cannot delete data held by the third-party provider—you must manage that directly with them
- Some data may be retained for security, fraud prevention, or legal compliance
6. Data Security
We implement appropriate technical and organizational measures to protect your personal information, including:
Technical Safeguards
- Encryption of data in transit (TLS/SSL)
- Encryption of sensitive data at rest
- Secure password hashing
- Regular security assessments and penetration testing
- Multi-factor authentication support
- Secure token handling for third-party authentication
Authentication Security
- OAuth 2.0 / OpenID Connect protocols for social logins
- Secure session management
- Automatic session expiration
- Brute force protection and rate limiting
- Suspicious activity detection
Organizational Safeguards
- Access controls and authentication
- Employee training on data protection
- Incident response procedures
- Vendor security assessments
Limitations
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. The security of your account also depends on maintaining the security of your third-party authentication accounts.
7. International Data Transfers
pdf7 is based in the United States. If you are accessing our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our servers and service providers are located.
7.1 Transfer Mechanisms
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on:
- Standard Contractual Clauses approved by the European Commission
- Your explicit consent where applicable
- Other lawful transfer mechanisms as appropriate
7.2 Third-Party Authentication Providers
When you use third-party authentication services, your data may also be transferred internationally by those providers according to their own transfer mechanisms and privacy policies.
7.3 Adequate Protection
We ensure that any international transfers of personal data are subject to appropriate safeguards as required by applicable data protection laws.
8. Cookies and Tracking Technologies
8.1 Types of Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential Cookies | Required for basic functionality (authentication, security, session management) | Session / Persistent |
| Functional Cookies | Remember your preferences and settings | Persistent |
| Analytics Cookies | Understand how you use our Services | Persistent |
| Marketing Cookies | Deliver relevant advertisements (if applicable) | Persistent |
| Authentication Cookies | Maintain your logged-in state | Session / Persistent |
8.2 Third-Party Cookies
We may allow third-party service providers to place cookies on your device for analytics and advertising purposes. These third parties have their own privacy policies.
Authentication providers may also set cookies when you use social login features.
8.3 Managing Cookies
You can control cookies through your browser settings:
- Block all cookies
- Block third-party cookies
- Delete cookies when you close your browser
- Receive alerts before cookies are placed
Note: Disabling certain cookies may affect the functionality of our Services, including authentication features.
8.4 Do Not Track
Our Services do not currently respond to "Do Not Track" signals. However, you can manage your tracking preferences through the cookie settings described above.
9. Your Rights and Choices
9.1 Account Controls
You can access, update, or delete your account information at any time through your account dashboard:
- Update profile information
- Change password
- Manage notification preferences
- Connect or disconnect third-party authentication providers
- Download your data
- Delete your account
9.2 Authentication Provider Connections
You can manage your connected authentication providers:
- View which providers are connected to your account
- Disconnect providers (note: you must maintain at least one login method)
- Add new authentication methods
To fully revoke access, you should also remove our application from your connected apps in each provider's settings.
9.3 Communication Preferences
You can opt out of marketing communications by:
- Clicking "unsubscribe" in any marketing email
- Updating your preferences in account settings
- Contacting us at [email protected]
Note: You cannot opt out of transactional communications related to your account and subscription.
9.4 Data Portability
You may request a copy of your personal data in a structured, commonly used, machine-readable format.
10. Region-Specific Rights
10.1 European Economic Area, United Kingdom, and Switzerland (GDPR)
If you are located in the EEA, UK, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):
- Right to Access You have the right to request access to your personal data and obtain a copy of the information we hold about you.
- Right to Rectification You have the right to request correction of inaccurate or incomplete personal data.
- Right to Erasure ("Right to be Forgotten") You have the right to request deletion of your personal data when:
- Right to Restriction of Processing You have the right to request restriction of processing in certain circumstances.
- Right to Data Portability You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to Object You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
- Right to Lodge a Complaint You have the right to lodge a complaint with a supervisory authority in your country of residence if you believe our processing of your personal data violates applicable law.
- The data is no longer necessary for the purposes it was collected
- You withdraw consent (where processing is based on consent)
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Deletion is required to comply with a legal obligation
Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Contract: Processing necessary to perform our contract with you (providing the Services)
- Legitimate Interests: Processing necessary for our legitimate business interests (improving Services, fraud prevention, security)
- Consent: Processing based on your consent (marketing communications, optional third-party authentication)
- Legal Obligation: Processing necessary to comply with legal requirements
Third-Party Authentication Under GDPR
When you choose to authenticate via third-party providers, this is based on your consent. You may withdraw this consent by disconnecting the provider from your account, though this may affect your ability to access our Services.
To exercise your GDPR rights, please contact us at [email protected] or [email protected].
10.2 California (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know You have the right to request information about:
- Right to Delete You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to Correct You have the right to request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing You have the right to opt out of the sale or sharing of your personal information. We do not sell your personal information.
- Right to Limit Use of Sensitive Personal Information You have the right to limit the use and disclosure of sensitive personal information.
- Right to Non-Discrimination You have the right not to receive discriminatory treatment for exercising your CCPA/CPRA rights.
- Categories of personal information collected
- Specific pieces of personal information collected
- Categories of sources from which information is collected
- Purposes for collecting or selling personal information
- Categories of third parties with whom information is shared
Categories of Personal Information Collected (Past 12 Months)
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, IP address, phone number, social media identifiers | Yes |
| Commercial Information | Subscription history, transaction records | Yes |
| Internet/Network Activity | Browsing history, usage data, authentication logs | Yes |
| Geolocation Data | General location from IP address | Yes |
| Professional Information | Company name (if provided) | Yes |
| Inferences | Preferences derived from usage | Yes |
Verification
To protect your privacy, we may need to verify your identity before responding to your request. We may ask you to provide information that matches our records.
To exercise your CCPA/CPRA rights, please contact us at [email protected] or [email protected].
10.3 Other Jurisdictions
If you are located in other jurisdictions with data protection laws (including Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act, etc.), you may have similar rights under applicable local laws. Please contact us to exercise your rights.
11. Third-Party Authentication Disclaimer
11.1 No Control Over Third-Party Providers
We use third-party authentication providers for your convenience. However:
- We do not control these providers or their data practices
- We are not responsible for the availability, security, or functionality of these services
- We cannot guarantee the accuracy or completeness of information received from these providers
- Changes to these providers' terms, features, or data sharing practices may affect our Services
11.2 Your Responsibility
When using third-party authentication, you are responsible for:
- Maintaining the security of your accounts with these providers
- Reviewing and understanding the privacy policies and terms of these providers
- Managing your privacy settings with each provider
- Revoking access through the provider's settings if you no longer want to use their authentication
11.3 Provider Outages and Changes
We are not liable for:
- Outages or unavailability of third-party authentication providers
- Changes to authentication provider APIs or features
- Data breaches at third-party authentication providers
- Termination of your account with a third-party provider
- Loss of access to our Services due to issues with third-party authentication
11.4 Account Security
If you believe your account or any connected authentication provider has been compromised:
- Immediately change your passwords
- Revoke access to our application from the provider's settings
- Contact us at [email protected]
- Contact the affected authentication provider
12. Children's Privacy
Our Services are not intended for individuals under the age of 18 (or under 16 in the European Union). We do not knowingly collect personal information from children.
If we learn that we have collected personal information from a child without verification of parental consent, we will take steps to delete that information promptly.
If you believe we may have collected information from a child, please contact us immediately at [email protected].
13. Third-Party Links and Services
Our Services may contain links to third-party websites, services, or applications. This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices.
We encourage you to review the privacy policies of any third-party services you access through our Services, including authentication providers.
14. Automated Decision-Making
14.1 How We Use Automated Processing
We may use automated systems for:
- Fraud detection and prevention
- Account security monitoring
- Usage limit enforcement
- Content moderation
- Service optimization
14.2 Your Rights
If you are subject to a decision based solely on automated processing that significantly affects you, you may have the right to:
- Request human review of the decision
- Express your point of view
- Contest the decision
To exercise these rights, contact us at [email protected].
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons.
Notification of Changes
- We will post the updated Privacy Policy on this page with a new "Last Updated" date
- For material changes, we will notify you by email and/or prominent notice on our Services before the changes become effective
- Your continued use of the Services after the effective date constitutes acceptance of the updated Privacy Policy
We encourage you to review this Privacy Policy periodically.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: [email protected]
Privacy-Specific Inquiries: [email protected]
Response Time We aim to respond to all inquiries within 30 days. For GDPR and CCPA requests, we will respond within the timeframes required by applicable law.