Legal

Privacy Policy

Last modified: June 26, 2025

Welcome to SupaPDF, operated by Wibbrix (“we”, “us”, or “SupaPDF”). Your privacy is our top priority. This Privacy Policy outlines how we collect, use, share, and protect your personal information when you use our PDF tools and services at supapdf.com (the “Site”) and related tools, including our API (collectively, the “Service”).

This policy applies to personal information that identifies you or makes you identifiable. It does not cover aggregated or anonymized data, nor data processed on behalf of enterprise customers, which is governed by our Data Processing Addendum. We are committed to transparency, data minimization, and compliance with global privacy laws, including GDPR, CCPA, and Nevada regulations.


Scope of This Privacy Policy

This Privacy Policy explains how we handle personal information when you interact with the Service, whether as an individual user, a registered account holder, or an authorized user of an enterprise account. As the data controller, SupaPDF determines the purposes and means of processing your personal information as described here.

This policy does not cover information about our employees, contractors, or job applicants, nor does it apply to non-personal data like anonymized usage statistics.

Data Minimization Commitment

At SupaPDF, we adhere to the principle of data minimization, collecting only the data necessary to provide and improve the Service. When you upload a file, we temporarily store it for processing but delete it within 24 hours. We do not mine or analyze file contents for purposes beyond your requested task.

We avoid creating user profiles for marketing unless you explicitly consent, and we limit third-party data sharing to what is essential for Service delivery.

Region-Specific Disclosures

California Residents

Under the CCPA, you have rights to access, delete, or opt out of data sales. We do not sell personal information as defined by the CCPA. Requests can be submitted to [email protected].

Nevada Residents

Nevada Revised Statutes Chapter 603A allows opting out of certain data sales. We do not sell personal information per this law.

EEA, UK, and Switzerland

See the European Privacy Disclosures section below for legal bases, cookie practices, and your rights under GDPR. Your data may be transferred to countries like the United States using Standard Contractual Clauses.


1. Information We Collect and How We Use It

We collect personal information to deliver, enhance, and secure the Service. This includes data you provide directly, information from third parties, and data collected automatically.

1.1 Information You Provide

  • Registration:Name, email, and optional profile details when you sign up. Enables account creation, authentication, and personalized communication.
  • Payment:Billing details processed by Stripe. We do not store credit card numbers.
  • Uploaded files:Files are temporarily stored for processing, encrypted, and deleted within 24 hours. We do not access file contents beyond what is needed for your task.
  • Communications:Name, email, and message content when you contact us for support.
  • Feedback:Survey responses and beta testing input used to improve features.

1.2 Information from Third Parties

  • SSO:Using GitHub, Google, or similar - we receive your name and email based on your privacy settings.
  • Analytics providers:Usage insights from Posthog and Google Analytics to help improve the Service.
  • Business partners:Data from marketing platforms to optimize campaigns, always in line with this policy.

1.3 Automatically Collected Information

We use cookies and similar technologies to collect:

  • Device information: IP address, browser type, device model, operating system
  • Usage data: pages visited, links clicked, time spent, conversion frequency
  • Approximate location from IP address for server routing (e.g., nearest region)

1.4 Purposes of Use

  • Deliver the Service, including processing files and managing accounts
  • Communicate about account updates, task statuses, or support queries
  • Market our services with opt-out options
  • Analyze usage to enhance features
  • Prevent fraud, enforce our Terms, and protect our systems
  • Comply with legal obligations, such as retaining billing records for tax purposes

2. How We Share Personal Information

  • Service providers:Third parties like Stripe (payments), AWS (hosting), or Posthog (analytics) process data under strict confidentiality agreements.
  • Legal authorities:We share data to comply with laws, respond to subpoenas, or protect our rights.
  • Business transfers:In mergers or acquisitions, data may be transferred with assurances it is handled per this policy.
  • With consent:We share data publicly or with third parties if you explicitly authorize us.
  • Anonymized data:Aggregated, non-identifiable data shared for research or marketing.

We do not share uploaded files for marketing purposes or sell personal information as defined by CCPA or Nevada law.


3. Control Over Your Information

  • Email opt-out:Unsubscribe from marketing emails via the 'unsubscribe' link. Service-related emails are mandatory.
  • Account management:Update or delete your account in Settings. Deletion removes data within 72 hours.
  • File deletion:Uploaded files are deleted within 24 hours or when you manually delete them.
  • Data requests:Request access, correction, or deletion of your data at [email protected].

5. Data Retention and Security

  • Uploaded files:Deleted within 24 hours or upon manual deletion.
  • Account data:Removed within 72 hours of account deletion.
  • Log data:IP addresses and usage logs kept for 180 days.
  • Billing data:Retained up to 10 years to comply with tax laws.

Our security measures include SSL encryption, secure cloud servers (AWS, OVH, Hetzner), and access controls. Files are encrypted during upload and stored in isolated environments. In case of a breach, we will notify affected users promptly per applicable laws.


7. Children's Privacy

The Service is not designed for children under 13, and we do not knowingly collect their data. If we discover such data, we delete it immediately. Contact us at [email protected] if you suspect we've collected a child's information.


8. Incident Response and Data Breach Notification

We maintain a robust incident response plan. If a breach occurs, we will:

  • Investigate promptly to assess scope and impact
  • Notify affected users within 72 hours if required by GDPR or other laws
  • Take corrective actions, such as enhancing security protocols or resetting access

Contact [email protected] to report security concerns.


9. Changes to This Privacy Policy

We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated via email, site notices, or in-app alerts. The “Last Modified” date will be updated. Check this page regularly to stay informed.


10. Contact Us

Wibbrix (operating SupaPDF)

76 Healy Road, Victoria, Australia

Email: [email protected]

Our Data Protection Officer is available via DataCo GmbH at dataguard.de. For GDPR-related complaints, contact your local supervisory authority, such as the UK ICO.

4. Cookies and Tracking Technologies

We use cookies and tracking technologies to improve your experience, secure the Service, and analyze usage.

CookieTypeWhen droppedDurationPurposePrivacy notice
StripeStrictly NecessaryWhen accessing payment interface30 min / 1 yr / 2 yrDetect and prevent fraudulent paymentsStripe Cookie Settings
CloudflareStrictly NecessaryOn first site access30 min / sessionIdentify and block bots; manage trafficCloudflare Cookies
YouTubeStrictly NecessaryWhen viewing embedded videoSessionDisplay embedded videosGoogle Cookie Policy
hCaptchaStrictly NecessaryWhen responding to CAPTCHASessionVerify human usershCaptcha Privacy
PosthogAnalyticsOn service access1 yearMonitor and analyze usagePosthog Privacy
Google Analytics 4AnalyticsOn first site accessUp to 2 yearsMeasure performance and personalize ads (with consent)GA Privacy
Google AdsAdvertisingAfter interacting with our ads90 daysMeasure ad performance (with consent)Google Ads Privacy

Disable cookies via your browser settings, noting this may affect Service functionality (e.g., login or file tracking). Learn more at allaboutcookies.org.

European Privacy Disclosures

For users in the EEA, UK, or Switzerland, these disclosures provide additional details per GDPR requirements.

10.1 Legal Bases for Processing

  • Contract (Art. 6(1)(b)):For account creation, file processing, and payment processing, as outlined in our Terms of Service.
  • Legitimate interests (Art. 6(1)(f)):For service improvements, fraud prevention, and customer support.
  • Consent (Art. 6(1)(a)):For marketing emails, non-essential cookies, or AI tool data collection, which you can withdraw anytime.

10.2 Data Retention

  • Files deleted within 24 hours; account data within 72 hours of deletion
  • Telemetry data anonymized after 180 days
  • Billing data retained up to 10 years for legal compliance

10.3 International Transfers

Data may transfer to the US or Singapore for processing (e.g., AWS servers). We use Standard Contractual Clauses and other safeguards to ensure GDPR compliance.

10.4 Your Rights

Under GDPR, you have the right to:

  • Access your data and learn how it's processed
  • Rectify inaccurate or incomplete data
  • Erase data when no longer needed
  • Restrict processing in certain cases
  • Port data to another provider
  • Object to processing based on legitimate interests
  • Withdraw consent at any time

Exercise these rights by emailing [email protected]. You can also lodge complaints with your local supervisory authority.

10.5 Cookies in the EEA, UK, and Switzerland

Strictly necessary cookies (Stripe, Cloudflare) are required for Service functionality and do not require consent per Art. 6(1)(b) GDPR. Analytics and advertising cookies (Google Analytics, Google Ads) require your consent. Refusing these cookies may limit personalized features but won't affect core Service use.