Privacy Policy
Effective date: March 13, 2026
This Privacy Policy explains how RedaktPDF ("Service"), operated by Jury D'Ambros ("we", "us", "our"), collects, uses, and protects your information.
1. Information We Collect
Account Information
When you create an account, we collect your email address and, if you use OAuth, your name and profile information from the provider (Google or GitHub). We store a hashed version of your password if you use email/password authentication.
Uploaded Files
Files you upload are stored temporarily on our servers (AWS S3) for processing and are automatically deleted based on your account tier (2 hours to 30 days). When end-to-end encryption is enabled, files are encrypted in your browser before upload — our servers never see the plaintext content.
Usage Data
We collect anonymous usage metrics such as page views, feature usage, and error reports to improve the Service. These metrics are collected entirely first-party — we do not use any third-party analytics services (such as Google Analytics). We do not track you across other websites.
Cookies
We use the following cookies:
- Session cookie: Required for authentication and maintaining your session (HTTP-only, secure, SameSite=Strict)
- Anonymous session cookie: Used to track anonymous usage limits (expires after 24 hours of inactivity)
We do not use advertising or third-party tracking cookies. All cookies listed above are strictly necessary for the operation of the Service. Under the ePrivacy Directive (Directive 2002/58/EC), strictly necessary cookies do not require user consent.
2. How We Use Your Information
- To provide, maintain, and improve the Service
- To authenticate your identity and manage your account
- To enforce usage limits based on your subscription tier
- To send transactional emails (account verification, password reset, subscription changes)
- To respond to support requests
We do not sell, rent, or share your personal information with third parties for marketing purposes.
3. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:
- Account data & authentication: Contract performance (Art. 6(1)(b) GDPR) — necessary to provide the Service you signed up for
- File processing & storage: Contract performance (Art. 6(1)(b) GDPR) — necessary to deliver the core PDF editing functionality
- Usage metrics: Legitimate interest (Art. 6(1)(f) GDPR) — improving and maintaining the Service. You may object to this processing at any time
- Session cookies: Strictly necessary for the operation of the Service — no consent is required under the ePrivacy Directive
- Transactional emails: Contract performance (Art. 6(1)(b) GDPR) — necessary to communicate account-related information (verification, password resets, subscription changes)
- Marketing emails (if applicable): Consent (Art. 6(1)(a) GDPR) — only sent with your explicit opt-in consent, which you may withdraw at any time
4. Payment Processing
Payments are processed by Paddle.com Market Limited ("Paddle"), which acts as our Merchant of Record. As Merchant of Record, Paddle acts as an independent data controller (not a data processor) for all payment and billing data it collects. When you subscribe to a paid plan, Paddle collects your payment information directly — we never see or store your credit card details. Paddle's privacy policy applies to the payment data it collects: paddle.com/legal/privacy.
5. Data Storage and Security
- Infrastructure: Data is stored on AWS (EU region), Neon (Postgres), and Upstash (Redis)
- Encryption in transit: All connections use TLS/HTTPS
- Encryption at rest: Files are encrypted at rest on S3. Optionally, end-to-end encryption ensures only you can decrypt your files
- Access control: Server access is restricted to essential personnel only
6. International Data Transfers
Your data is primarily stored and processed within the European Union (AWS EU region). However, some sub-processors may process data outside the EU/EEA:
- Google / GitHub (OAuth): Authentication data may be processed in the United States when you choose to sign in with these providers
- Neon (PostgreSQL): Database hosting — data is stored in the EU, but some operational processing may occur in the US
- Upstash (Redis): Session and rate-limit data — data is stored in the EU, but some operational processing may occur in the US
Where personal data is transferred outside the EU/EEA, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and/or reliance on adequacy decisions, to ensure your data receives an equivalent level of protection.
7. Data Retention
- Uploaded files: Automatically deleted after the tier-based retention period (2 hours to 30 days)
- Account data: Retained as long as your account is active. You can delete your account at any time from Settings, which permanently removes all associated data
- Usage logs: Anonymized and retained for up to 90 days
8. Your Rights (GDPR)
If you are in the European Economic Area, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate personal data
- Erase your personal data (right to be forgotten)
- Export your data in a portable format
- Object to or restrict processing of your data
- Withdraw consent at any time where processing is based on consent (Art. 6(1)(a) GDPR), without affecting the lawfulness of processing carried out prior to withdrawal
- Lodge a complaint with a supervisory authority — in Italy, this is the Garante per la protezione dei dati personali (email: garante@gpdp.it, website: www.garanteprivacy.it)
To exercise any of these rights, contact us at privacy@redaktpdf.com. We will respond within 30 days.
9. Third-Party Services
We use the following third-party services:
- AWS — File storage and compute (S3, Lambda, CloudFront)
- Neon — Database hosting (PostgreSQL)
- Upstash — Redis for session and rate-limit data
- Paddle — Payment processing and subscription management (acts as independent data controller; see Section 4)
- Google / GitHub — OAuth authentication (only if you choose to sign in with them)
We have data processing agreements (DPAs) in place with all sub-processors listed above, ensuring they process personal data in compliance with GDPR requirements.
10. Children's Privacy
The Service is not intended for children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 14 days before they take effect.
12. Contact
For privacy-related questions or requests, contact us at privacy@redaktpdf.com.
Data Controller:
- Jury D'Ambros
- Address: Via Agazzi 35, 46100 Mantova MN, Italy
- Partita IVA: 02677140200
- Email: privacy@redaktpdf.com