Legal

Privacy Policy

Last updated: 25 March 2026 · Version 1.0

1. Who we are

pdf-deploy ("we", "us", "our") is a software-as-a-service platform that converts web pages and websites into PDF documents. We are the data controller for personal data processed through this service.

Contact: privacy@pdf-deploy.com

2. What data we collect

Category	Data	Purpose	Retention
Account	Name, email address, hashed password	Authentication and account management	Until account deleted
Usage	URLs submitted, PDF/ZIP generation logs, API call counts, timestamps	Service delivery, rate limiting, billing, abuse prevention	90 days rolling
Billing	Subscription tier, payment status (card details held by Stripe — not us)	Subscription management	7 years (legal obligation)
Session	Session token (httpOnly cookie), IP address, user-agent	Authentication state	Session lifetime (30 days max)
Generated files	PDF and ZIP output stored in AWS S3	Download delivery	24 hours, then automatically deleted
Audit log	Account actions (login, password change, key generation, cancellation)	Security, fraud prevention, compliance	12 months
Scheduled jobs	Job configuration (URL, schedule, scope)	Automated PDF generation	Until deleted by user

3. Legal basis for processing

Contract performance — processing your account data and usage data to deliver the service you signed up for.
Legitimate interests — security monitoring, fraud prevention, product improvement, and system reliability.
Legal obligation — retaining billing records for tax and accounting purposes.
Consent — optional analytics cookies (you may withdraw consent at any time).

4. How we use your data

Delivering the PDF/ZIP generation service
Sending transactional emails (receipts, password reset, usage alerts)
Enforcing rate limits and usage quotas
Detecting and preventing abuse
Improving the service (aggregate, anonymised analytics only)
Complying with legal obligations

5. Third-party processors

Processor	Purpose	Location	Safeguard
Amazon Web Services (AWS)	Hosting, storage (S3), email (SES), database (RDS), cache (ElastiCache)	EU (eu-west-2, London)	AWS DPA / SCCs
Stripe	Payment processing and subscription management	EU/US	Stripe DPA / SCCs

We do not sell your data to any third party. We do not share your data for advertising purposes.

6. Data transfers outside the UK/EEA

All primary processing occurs in AWS eu-west-2 (London). Stripe may process payment data in the United States under Standard Contractual Clauses approved by the ICO. No other transfers outside the UK/EEA occur.

7. Your rights (UK GDPR)

Access — request a copy of all personal data we hold about you
Rectification — correct inaccurate data via your account settings
Erasure — delete your account and all associated data from your account settings
Data portability — export your data as JSON from Account → Export data
Restriction — request we stop processing your data while a dispute is resolved
Objection — object to processing based on legitimate interests
Withdraw consent — opt out of non-essential cookies at any time via the cookie banner

To exercise any right, email privacy@pdf-deploy.com. We will respond within 30 days.

You have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. Security

Passwords are hashed with bcrypt (cost factor 12)
API keys are hashed with SHA-256 before storage
All data in transit encrypted with TLS 1.2+
Data at rest encrypted (AWS RDS, S3, ElastiCache)
TOTP two-factor authentication available for all accounts
Rate limiting and account lockout after repeated failed logins
Append-only audit log for compliance-relevant actions

9. Cookies

cust_session (essential) — authentication session token. httpOnly, Secure, SameSite=Strict. Expires 30 days.
csrf_token (essential) — CSRF protection double-submit token. Expires with session.
pdf_consent (functional) — records your cookie consent choice. Expires 1 year.

We do not use tracking, advertising, or third-party analytics cookies.

10. Children

pdf-deploy is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has registered, contact us and we will delete the account immediately.

11. Changes to this policy

We will notify registered users by email of any material changes at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision. Continued use of the service after the effective date constitutes acceptance.

12. Contact

Data controller: pdf-deploy
Email: privacy@pdf-deploy.com
For Data Processing Agreements (DPA), email us with your company name and we will respond within 2 business days.