GDPR

EU residents have specific rights under GDPR. Here is how pdfty handles them.

Lawful basis

We process data on these bases:

• Contract: when you upload a file, we process it to deliver the requested operation
• Legitimate interest: aggregate analytics (no personal IDs) and security monitoring
• Consent: only when explicitly requested (e.g., marketing emails)

Your rights

You can exercise the following rights by emailing privacy@pdfty.com from the address on your account:

• Access: get a copy of your account data within 30 days
• Rectification: ask us to correct inaccurate data
• Deletion: ask us to delete your account and associated data (some logs retained 90 days for security)
• Portability: get your data in JSON format
• Objection: ask us to stop specific processing
• Restriction: ask us to pause processing while a dispute is resolved

We respond to all requests within 30 days, free of charge.

Files you upload

Files are deleted within 1 hour of upload. We do not back them up or use them to train any model. There is normally nothing to delete on request — they are already gone.

Where data lives

Servers are in EU data centers. We use these EU/EEA-based or DPF-listed sub-processors:

• VPS provider — EU
• Stripe (payments) — EU/US under DPF
• Resend (email) — US under DPF

Data Protection Officer

Contact our DPO at dpo@pdfty.com.

Complaints

EU residents may also lodge a complaint with their local data protection authority. We hope you contact us first — we want to fix any issue.