Privacy Policy

Last updated: March 2026

This privacy policy explains how we collect, process, and protect your personal data when you use PDF UA Kit and our website. We are committed to transparency and compliance with the EU General Data Protection Regulation (GDPR) and applicable German data protection law.

1. Data Controller

The data controller responsible for your personal data pursuant to Art. 4(7) GDPR is:

Manuel Christlieb
Beim Schnarrbrunnen 4
86150 Augsburg, Germany
Phone: +49 171 32 92 689
Email: [email protected]

2. Data Protection Officer

Given the size of our organization, we are not required to appoint a data protection officer pursuant to Art. 37 GDPR in conjunction with § 38 BDSG. For data protection inquiries, please contact us at [email protected].

3. Hosting and Server Logs

Our website and application are hosted by Hetzner Online GmbH, Gunzenhausen, Germany. When you access our website, the web server automatically collects and stores the following data in server log files:

  • IP address
  • Date and time of the request
  • Requested URL and referrer URL
  • Browser type and operating system
  • Amount of data transferred

This data is processed on the basis of Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest lies in the stable and secure operation of our website. Server log files are deleted after 14 days unless further retention is required for security incident investigation.

4. Account Registration

When you create an account, we collect the following data:

  • Name
  • Email address
  • Password (stored only as a salted bcrypt hash)

This data is processed on the basis of Art. 6(1)(b) GDPR (performance of contract) to provide you with access to the platform and our services.

5. Payment Processing

Payments are processed by Paddle.com Market Limited, London, United Kingdom, which acts as our Merchant of Record. When you subscribe to a paid plan, Paddle collects and processes your payment information (credit card details, billing address, etc.) directly. We do not store your full payment details.

This data is processed on the basis of Art. 6(1)(b) GDPR (performance of contract).

For more information, see Paddle's Privacy Policy.

6. PDF Processing and Document Generation

When you use PDF UA Kit to create or convert PDF documents, the data you enter (text, images, invoice data) is processed to generate your documents. Generated documents are stored in your account.

This data is processed on the basis of Art. 6(1)(b) GDPR (performance of contract).

7. Public PDF Validation

Our free PDF validation service can be used without registration. When you upload a PDF for validation, we process the following data:

  • The uploaded PDF file (deleted immediately after validation)
  • Your IP address
  • The filename of the uploaded document

This data is processed on the basis of Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest is to provide the validation service and to prevent abuse.

8. Contact Form

When you contact us via our contact form, we collect the following data:

  • Name
  • Email address
  • Your message

This data is processed on the basis of Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in answering inquiries). We retain contact form submissions for 6 months after the conversation has been concluded, unless further retention is required for legal reasons.

9. Newsletter

If you subscribe to our newsletter, we collect your email address via a double opt-in process. You will receive a confirmation email before being added to the mailing list.

This data is processed on the basis of Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time by clicking the unsubscribe link in any newsletter email or by contacting us at [email protected].

Newsletter emails are sent via Resend, Inc., San Francisco, USA (see Section 15 for third-country transfer details).

10. Google Analytics

We use Google Analytics 4, a web analytics service by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses cookies that are stored on your device only after you have given your consent via our cookie banner.

Legal basis: Art. 6(1)(a) GDPR (consent) in conjunction with § 25(1) TTDSG.

Google Analytics collects information such as:

  • Pages visited, session duration, and interactions
  • Approximate location (country/city level, IP anonymized by default in GA4)
  • Device type, browser, and operating system

Data is transferred to Google LLC, USA. Google is certified under the EU-US Data Privacy Framework (DPF), providing an adequate level of data protection (Art. 45 GDPR).

Opt-out: You can withdraw your consent at any time via the cookie banner, or install the Google Analytics Opt-out Browser Add-on.

For more information, see Google's Privacy Policy.

11. Social Login (Google and GitHub OAuth)

You may register for or log in to PDF UA Kit using your Google or GitHub account. When you do so, the following data is transmitted to us by the respective provider:

  • Name
  • Email address
  • Profile identifier

This data is processed on the basis of Art. 6(1)(a) GDPR (consent). You grant consent by initiating the login flow and authorizing data sharing on the provider's consent screen.

Data is transferred to:

  • Google LLC, USA — certified under the EU-US Data Privacy Framework
  • GitHub, Inc. (Microsoft), USA — certified under the EU-US Data Privacy Framework

For more information, see the privacy policies of Google and GitHub.

12. Essential Cookies and Session Management

We use technically necessary cookies for the following purposes:

  • Session cookie (pdfuakit_session): Maintains your login session. Duration: until browser is closed or session expires.
  • CSRF token (XSRF-TOKEN): Protects against cross-site request forgery attacks. Duration: session.
  • Cookie consent (cookie-consent): Stores your cookie preference. Duration: persistent (localStorage).

These cookies are set on the basis of § 25(2) TTDSG (strictly necessary cookies) and do not require consent.

13. Two-Factor Authentication

If you enable two-factor authentication (2FA), we store encrypted recovery codes and TOTP secrets associated with your account. This data is processed on the basis of Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(f) GDPR (legitimate interest in account security).

14. Team Invitations

When you invite a person to join your team, you provide us with their email address. We send them an invitation email on your behalf.

This data is processed on the basis of Art. 6(1)(f) GDPR (legitimate interest). Our legitimate interest — and yours — is to enable collaborative use of the platform.

15. Third-Country Transfers

Some of the services we use involve the transfer of personal data to the United States of America (a country outside the European Economic Area):

Service | Provider | Country | Safeguard
Transactional email | Resend, Inc. | USA | EU-US Data Privacy Framework
Web analytics | Google LLC (Google Analytics) | USA | EU-US Data Privacy Framework
Social login | Google LLC (OAuth) | USA | EU-US Data Privacy Framework
Social login | GitHub, Inc. (Microsoft) | USA | EU-US Data Privacy Framework

All listed US providers are certified under the EU-US Data Privacy Framework (DPF), which was granted adequacy by the European Commission on 10 July 2023 (Art. 45 GDPR). Should the DPF cease to apply, we will ensure appropriate safeguards are in place, such as EU Standard Contractual Clauses (Art. 46(2)(c) GDPR).

Our primary infrastructure (servers, databases) is located exclusively in Germany (Hetzner Online GmbH).

16. Data Retention

We retain personal data for the following periods:

Data Category | Retention Period
Account data | Duration of the contract + 30 days
Billing and invoice data | 10 years (§ 147 AO, § 257 HGB)
Uploaded PDFs (validation) | Deleted immediately after processing
Generated documents | Duration of the contract + 30 days
Contact form submissions | 6 months after conclusion of conversation
Server log files | 14 days
Newsletter subscription data | Until consent is withdrawn
Google Analytics data | 14 months (configured in GA4)

17. Your Rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15 GDPR) — obtain confirmation and a copy of your personal data
  • Right to rectification (Art. 16 GDPR) — correct inaccurate data
  • Right to erasure (Art. 17 GDPR) — request deletion of your data
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR) — receive your data in a structured, machine-readable format
  • Right to object (Art. 21 GDPR) — object to processing based on legitimate interests
  • Right to withdraw consent (Art. 7(3) GDPR) — withdraw any consent you have given at any time, without affecting the lawfulness of processing based on consent before its withdrawal

To exercise any of these rights, please contact us at [email protected].

Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. The competent supervisory authority is:

Bayerisches Landesamt fuer Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
https://www.lda.bayern.de

18. Automated Decision-Making

We do not use automated decision-making, including profiling, as referred to in Art. 22(1) and (4) GDPR.

19. Obligation to Provide Data

The provision of personal data for account registration and payment processing is required for the performance of the contract. Without this data, we cannot provide our services. The provision of data for Google Analytics and newsletter subscription is voluntary and based on your consent.

20. Changes to This Privacy Policy

We may update this privacy policy from time to time. The current version is always available at /en/privacy. We will notify registered users of material changes by email.
