Privacy Policy

1. Scope & Roles

2. Data We Collect

a) You provide to us

b) Collected automatically

3. Purposes & Legal Bases (GDPR Art. 6)

We follow GDPR principles (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality).

4. How We Use Your Files

• Automated conversion of PDFs to CSV/XLSX/JSON/Markdown.
• Quality/accuracy checks using aggregate, de-identified metrics.

Default Retention

You can delete files at any time from within the product; deletions propagate from active storage and backups per our rotation schedule.

5. Sharing & Sub-processors

We share data only as needed to operate the Service, under contracts that bind providers to confidentiality, security, and purpose limitation.

Current Sub-processors / Tools

We maintain a live list at /legal/subprocessors and will notify customers of material changes where required.

6. International Transfers

We primarily host in the United States. If personal data is transferred from the EEA/UK to countries without an adequacy decision, we use Standard Contractual Clauses (SCCs) or other lawful safeguards. Where a vendor participates in the EU-U.S. Data Privacy Framework (DPF), we rely on that participation where applicable. We conduct transfer risk assessments as required.

7. Your Rights

8. Security

We implement technical and organizational measures appropriate to the risk (GDPR Art. 32), including encryption in transit and at rest, access controls, network isolation, key management, monitoring, and incident response. We regularly review access privileges and rotate secrets. No method is 100% secure, but we continuously improve safeguards.

9. Cookies & Tracking

• Strictly necessary cookies enable login, session, and CSRF protection.
• Analytics/Performance (Mixpanel, GA4, PostHog, Sentry) are consent-based where required by ePrivacy/PECR; we avoid sending PII and minimize identifiers.
• Manage preferences via our Cookie Settings and your browser. In the EEA/UK, non-essential cookies are set only after consent.

A separate Cookie Policy with a detailed cookie table is available at /legal/cookies.

10. Marketing Communications & GPC

• We send service emails (account, billing, security). Marketing emails are sent with consent where required; you can unsubscribe any time.
• For U.S. recipients, we comply with CAN-SPAM (accurate headers, non-deceptive subjects, physical address in footer, working opt-out).
• Global Privacy Control (GPC): We recognize and honor GPC signals in applicable jurisdictions as requests to opt-out of "sale"/"sharing" and targeted advertising.

11. Data Retention

We keep personal data only as long as necessary for the purposes above or as required by law.

Defaults (unless your plan or law dictates otherwise)

12. Children

The Service is not directed to children under 16 (or higher local age). We do not knowingly collect children's data. If you believe we have, contact us for deletion.

13. Automated Decision-Making

We do not make decisions producing legal or similarly significant effects solely by automated processing. If this changes, we will disclose details and safeguards.

14. Changes to This Policy

We may update this Policy from time to time. We will post the revised version with an updated effective date and, if changes are material, notify you via email or in-app.

15. Contact

Annex A — State Privacy Addendum (U.S.)

Where applicable (e.g., CA, CO, CT, VA, UT), we honor state rights to access, delete, correct, portability, and to opt-out of targeted advertising, sale/sharing, and certain profiling. We provide Do Not Sell/Share and Limit Use of Sensitive Personal Information controls if/when our activities require them, and we honor GPC signals in applicable jurisdictions. We do not retaliate against individuals for exercising their rights.