Privacy Policy

1. Information We Collect

1.1 Information You Provide:

• PDF Files: When you use the Service, you upload PDF files for analysis. These files are temporarily held in storage for analysis purposes only. PDF files are permanently deleted within 7 days of upload. We do not retain your PDF files beyond this period.
• File Metadata: We extract and store technical metadata from uploaded PDFs, including but not limited to: filename (not the file content), file size, creation date, modification date, creator information, producer information, PDF version, page count, and analysis results. Only this metadata is stored, not the actual PDF file content.

1.2 Automatically Collected Information:

• Usage Data: We collect information about how you access and use the Service, including pages visited, timestamps, IP addresses, browser type and version, device information, operating system, and referring URLs.
• Analytics Data: We use Google Analytics (via Measurement Protocol) to collect aggregated usage statistics and performance metrics. No cookies or device identifiers are used. Google Analytics is configured in cookieless mode: we send only anonymous session data (page URL, page title, and a randomly generated session identifier that resets with every new browser session) from our own server to Google. No personally identifiable information is transmitted.
• Technical Data: We collect technical information such as request logs, error reports, and system performance data to maintain and improve the Service.

1.3 Account Registration Data: When you create an account (required for API access and paid plans), we collect the name and email address provided by your OAuth provider (Google or GitHub) or the email address you supply for magic-link authentication. This data is stored in our database and used solely to operate your account, authenticate your sessions, deliver transactional emails (e.g., magic links), and manage your subscription.

1.4 Payment Data: Billing and payment information is collected and processed directly by our payment processor, Stripe. We do not store your payment card details. We receive only non-sensitive billing metadata (e.g., subscription status, plan type, Stripe customer ID) from Stripe.

1.5 Information We Do Not Collect: Users of the free web interface who do not register an account are not required to provide any personally identifiable information. We do not collect phone numbers or government-issued identification numbers.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Service Provision: To provide, operate, and maintain the PDF authenticity checking service, including processing uploaded files and generating analysis results.
• Service Improvement: To analyze usage patterns, diagnose technical issues, and improve the accuracy and performance of our analysis algorithms. This includes automated and anonymous re-analysis of previously uploaded files (using only file structure and metadata, never document content) to validate algorithm updates and detect false positives.
• Security: To detect, prevent, and address technical issues, security threats, fraud, or abuse of the Service.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, or governmental requests.
• Communication: To respond to your inquiries, provide customer support, and send you important notices regarding the Service.

Legal Basis for Processing (GDPR): We rely on the following legal bases under Art. 6 GDPR: (1) Performance of a contract (Art. 6(1)(b)) — processing necessary to provide the Service to registered users and paid subscribers; (2) Legitimate interests (Art. 6(1)(f)) — anonymous analytics, fraud prevention, and service security, where our interests do not override your fundamental rights; (3) Legal obligation (Art. 6(1)(c)) — retention of billing and tax records as required by Finnish accounting law; (4) Consent (Art. 6(1)(a)) — where you explicitly agree, for example by uploading a file for analysis as a non-registered user. You may withdraw consent at any time without affecting the lawfulness of prior processing.

3. Data Storage and Retention

3.1 File Storage: Uploaded PDF files are temporarily stored and are permanently deleted from all storage systems within 7 days of upload. During this retention period, files may be accessed in an automated and anonymous manner solely to verify and improve the accuracy of our detection algorithm — for example, by re-analyzing a file with an updated version of the algorithm and comparing results. We do not keep copies of your PDF files beyond this period. At no point — neither during nor after analysis — do we access, read, or review the content of your document. Our analysis is strictly limited to the technical structure of the file: metadata fields, object layout, cross-reference tables, and other structural characteristics. The substance of the document — its text, images, and any personal or confidential information it may contain — is never examined or retained.

3.2 Analysis Results Storage: Only the analysis results and extracted metadata are stored in our database. This includes technical metadata such as: filename (not the file itself), file size, creation date, modification date, creator information, producer information, PDF version, page count, detection findings, and modification verdict. These results are associated with a unique identifier and are retained to enable users to access their results via the unique URL provided after analysis. The actual PDF file content is never stored.

Retention Period: Analysis results are retained for up to 3 years from the date of analysis, after which they are automatically deleted. Account data (name, email) is retained for the duration of the account and deleted within 90 days of account closure. Billing records are retained for 6 years as required by Finnish accounting law (Kirjanpitolaki 1336/1997).

3.3 Usage Data: Aggregated usage statistics and analytics data may be retained for longer periods for analytical purposes, but this data is anonymized and does not identify individual users.

3.4 Data Deletion: You may request deletion of your analysis results by writing to us at [email protected]. We will process deletion requests within 30 days, subject to our legal obligations to retain certain data. Note: PDF files are automatically deleted within 7 days of upload. If deletion is requested before that, only the analysis results can be removed immediately; the file itself will be deleted within 7 days in any case.

4. Data Sharing and Disclosure

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

• Service Providers: We share data with trusted third-party service providers who assist us in operating the Service. The complete list of subprocessors, the data they receive, and which processing mode each applies to is maintained at htpbe.tech/legal/subprocessors. These service providers are contractually obligated to protect your data and use it only for the purposes we specify.
• Legal Requirements: We may disclose information if required by law, court order, or governmental authority, or to protect our rights, property, or safety, or that of our users or others.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

Third-Party Privacy Policies: Our service providers have their own privacy policies. We encourage you to review their policies:

• Turso Privacy Policy: https://turso.tech/privacy-policy
• Stripe Privacy Policy: https://stripe.com/privacy
• Resend Privacy Policy: https://resend.com/legal/privacy-policy

5. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. Our service providers (Turso, Stripe, Resend, and Google) may store and process data in various locations worldwide, including the United States.

EU Users: When we transfer personal data from the European Economic Area (EEA) to countries outside the EEA, we ensure appropriate safeguards are in place, including standard contractual clauses approved by the European Commission, or we rely on adequacy decisions by the European Commission.

By using the Service, you consent to the transfer of your information to these locations.

6. Data Security

We implement appropriate technical and organizational security measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using HTTPS/TLS protocols
• Secure cloud storage with access controls
• Regular security assessments and updates
• Limited access to personal data on a need-to-know basis

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

7. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal data:

7.1 European Economic Area (EEA) Users — GDPR Rights:

• Right of Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data (“right to be forgotten”)
• Right to Restrict Processing: Request limitation of how we use your data
• Right to Data Portability: Request transfer of your data to another service
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent where processing is based on consent

7.2 California Users — CCPA Rights:

• Right to Know: Request information about data collection, use, and sharing
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt-out of sale of personal information (we do not sell personal information)
• Right to Non-Discrimination: Exercise your rights without discrimination

To exercise any of these rights, please contact us by email [email protected]. We will respond to your request within 30 days. You also have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

8. Cookies and Tracking Technologies

8.1 Cookies: We do not use analytics or tracking cookies. The Service sets only essential functional cookies required for authentication and security (e.g. session tokens for logged-in users). No third-party tracking cookies are placed on your device.

8.2 Analytics Without Cookies: Google Analytics is configured in cookieless mode. No _ga or similar analytics cookies are stored. Google Analytics data is collected via the Measurement Protocol: your browser sends an anonymous request to our own server, which forwards aggregated data to Google. Your browser never contacts Google directly for analytics purposes.

8.3 Cookie Controls: You can control cookies through your browser settings. Disabling cookies will not affect analytics collection, as we do not rely on cookies for that purpose.

8.4 Do Not Track: “Do Not Track” (DNT) is a browser setting that signals your preference not to be tracked across websites. Our Service does not engage in cross-site tracking or personalized tracking of individual users. Google Analytics (via Measurement Protocol) is cookieless, does not identify individual users, and does not track users across different websites. You can configure your browser to send DNT signals, but this will not further affect our anonymous analytics collection, which already complies with privacy regulations regardless of DNT settings.

9. Children’s Privacy

Our Service is not intended for children under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information.

10. Links to Third-Party Websites

Our Service may contain links to third-party websites or services that are not owned or controlled by us. We are not responsible for the privacy practices or content of these third-party sites. We encourage you to review the privacy policies of any third-party sites you visit.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

• Updating the “Last Updated” date at the top of this page
• Posting a notice on our Website for significant changes

Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the revised policy. We encourage you to review this Privacy Policy periodically.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: [email protected].

Lead Supervisory Authority: As a Finnish-registered business, our lead supervisory authority under GDPR is the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), tietosuoja.fi. If you are located in the EEA, you also have the right to lodge a complaint with the data protection authority of your own EU member state. A list of all EU supervisory authorities can be found at https://edpb.europa.eu/about-edpb/board/members_en.