gPdf render/edge
Privacy v2026-05

Privacy policy

What personal data gPdf collects, why we collect it, how long we retain it, and the rights you have under GDPR / CCPA.

Effective Last updated
Summary

gPdf collects the minimum personal data needed to operate the service — account email, API key activity logs, billing details. We do not store the contents of PDFs you generate or the JSON you submit. We do not sell or share customer data. EU data subjects can exercise their GDPR rights via the contact form on this page.

Scope

This policy describes how gPdf collects, uses and discloses personal data when you visit gpdf.com, sign up for an account, or call the gPdf API. It does not apply to data you submit as content to the API — that data is governed by the Data Processing Addendum and the security policy, and we explicitly do not store it.

Data we collect

From visitors to the marketing site

  • IP address (truncated to /24 for IPv4 and /48 for IPv6 before storage).
  • User-agent string.
  • The page you visited and the page that referred you.
  • Whether your visit was the first or a return visit (privacy-preserving fingerprint, no cross-site tracking).

We use this to understand traffic patterns. We do not use cookies for advertising, and we do not run third-party advertising scripts on gpdf.com.

From customers with accounts

  • Email address (required for sign-in and important account notices).
  • Organisation name, billing address, VAT/GST ID where applicable.
  • API key labels and creation timestamps (the keys themselves are stored hashed, not as plaintext).
  • Per-request operational metadata: route hit, HTTP status, render duration. No request bodies, no PDF content.
  • Aggregate page-count totals per billing period.

From callers of the gPdf API

  • We receive whatever you send in the DocumentRequest. We hold it in isolate memory for the duration of the render and then release it. We do not log, sample, retain or train on this content.

What we don’t do

  • We do not sell personal data.
  • We do not share personal data with third parties for their marketing purposes.
  • We do not use customer-submitted document content to train models, ours or anyone else’s.
  • We do not run advertising or behavioural-tracking scripts on gpdf.com.

Sub-processors

A current list of sub-processors (Cloudflare, Stripe, our transactional-email provider, etc.) is maintained on the DPA page. We notify customers in advance of new sub-processors via email.

Retention

Data typeRetained for
Operational request metadata (no bodies)30 days
Account billing records7 years (tax law)
Account email + organisation nameLifetime of the account, plus 90 days after closure
Document content submitted to the APINot retained — released from memory when the request completes

Your rights

Under GDPR, CCPA and equivalent regimes:

  • You can request a copy of the personal data we hold on you.
  • You can ask us to correct or delete it.
  • You can object to processing, or ask us to restrict it.
  • You can lodge a complaint with your local supervisory authority.

Exercise these rights by using our contact form — submit from the email associated with your account. We respond within 30 days for routine requests.

International transfers

gPdf processes data in the region you select at account creation (EU, US, APAC or SA). Cross-region replication for disaster recovery is opt-in and disclosed at signup. Where a transfer crosses jurisdictions, we rely on the EU Standard Contractual Clauses or equivalent legal mechanism.

Changes

When this policy changes, we update the version string at the top of this page and notify customers via email at least 30 days before the new version takes effect (unless the change is purely editorial).

Contact