Privacy Policy

Effective Date: June 30, 2026 Last Updated: June 30, 2026

Welcome to PDFExpert (https://pdfexpert.xyz). We provide modern, browser-based PDF and image manipulation tools. This Enterprise Privacy Policy outlines our data processing practices, strict commitment to client-side data security, and your privacy rights under global regulations.

1. Client-Side Processing Guarantee

                Zero-Upload Architecture
                PDFExpert operates entirely within your web browser. Your files never leave your device.
            

We engineered PDFExpert prioritizing your absolute privacy. When you merge, split, rotate, watermark, extract, or convert files on our platform, the processing occurs directly in your local environment using client-side JavaScript. Specifically:

No Server-Side Processing: Your files are never transmitted over the internet to our servers.
No Cloud Storage: We do not utilize cloud buckets, databases, or temporary server storage for your documents.
Browser Memory Only: Files are parsed securely in your browser's local memory (RAM). Once you close your browser tab, the files instantly and permanently disappear from memory.
No Employee Access: Because no files are uploaded, it is physically impossible for PDFExpert employees, contractors, or third parties to access, intercept, or view your documents.
Strict Local Context: The website cannot read any files on your computer unless you explicitly select them via the secure operating system file picker.

2. Information We Do NOT Collect

In accordance with the principle of data minimization, we strictly avoid collecting sensitive user information. We absolutely do not collect, process, or store:

File Contents: The text, images, metadata, annotations, or structured data inside your PDFs or image files.
Personal Identity Data: Names, physical addresses, email addresses, phone numbers, or account credentials (as our service operates securely without requiring user accounts).
Payment Information: Financial data or credit card numbers, as our core tools are free to use.

3. Information We Collect

To ensure website security, operational stability, and monetization, we collect strictly limited metadata. This data is segregated from your file processing:

Technical Web Hosting Logs: When you access the website, our standard hosting infrastructure automatically receives basic network requests. This includes your IP address, browser type (User-Agent), referring URL, date/time stamp, and requested pages. This is standard for all internet traffic and is used solely for DDoS prevention and routing.
Advertising & Consent Data: Information collected via cookies by our advertising partners (such as Google AdSense) to serve advertisements and manage your consent preferences.

4. Cookies Policy

We use cookies and similar local storage technologies to manage your preferences and display advertisements. In compliance with the ePrivacy Directive, we classify our cookies as follows:

Category	Purpose	Type / Duration
Strictly Necessary	Required for the website to function (e.g., security protocols, content delivery routing). Cannot be disabled.	Session & Persistent
Functional	Browser Local Storage used exclusively to remember your UI preferences (e.g., Dark Mode). Kept solely on your device.	Local Storage (Device only)
Consent & Advertising	Used by third-party vendors (Google) to serve ads, track ad performance, and remember your privacy consent choices.	Persistent (Subject to Consent)

Managing Your Cookies

You have full control over non-essential cookies. You can revoke consent at any time via the consent banner link in our footer, or configure your web browser to block third-party cookies.

6. Third-Party Services

We limit external integrations strictly to essential infrastructure and monetization providers. We do not invent or use unnecessary third-party tracking. Our current integrations are limited to:

Web Hosting Infrastructure: To serve the static HTML, CSS, and JavaScript files that make up our application to your browser securely.
Google AdSense: For serving advertisements as described in Section 5.

These providers only have access to standard HTTP request data (like IP addresses) necessary to deliver their specific services and are prohibited from accessing your locally processed files.

7. Data Security Measures

Our security model is built on client-side execution, but we implement robust enterprise-grade security headers to protect the delivery of our code:

HTTPS & TLS Encryption: All website traffic is forced over secure, encrypted Transport Layer Security (TLS) connections, preventing Man-in-the-Middle (MitM) attacks during code delivery.
Browser Sandboxing: Our JavaScript executes strictly within the secure boundaries of your modern web browser's sandbox environment.
Content Security Policy (CSP): We utilize strict CSP headers to mitigate Cross-Site Scripting (XSS) and data injection attacks.
X-Content-Type-Options: Configured to `nosniff` to prevent MIME-type confusion attacks.
Referrer-Policy & Permissions-Policy: Implemented to restrict the sharing of URL referrers and to deny the application access to unnecessary device APIs (like cameras or microphones).
Frame Protection (X-Frame-Options): Configured to prevent our site from being embedded maliciously in iframes (Clickjacking protection).

8. Data Retention

Document Data: 0 seconds. File data exists exclusively in your device's volatile memory (RAM) and is purged instantly when the process completes or the browser closes.
Server Logs: Standard infrastructure logs (IP addresses) are rotated automatically and permanently deleted within 14 to 30 days.
Consent Data: Managed strictly by the CMP platform according to your regional legal requirements (typically valid for 6 to 12 months before reprompting).

9. Global Privacy Compliance

GDPR & UK GDPR (European Union & United Kingdom)

We process limited personal data (IP addresses and ad cookies) as a Data Controller. Because we do not upload files, we are not a Data Processor of your documents. Processing of ad cookies relies on your explicit consent. Processing of security logs relies on our legitimate interest to protect our infrastructure. You hold the right to Access, Rectification, Erasure, Restriction, and Data Portability. To exercise the right to erasure, simply clear your browser's cookies and local storage.

CCPA / CPRA (California Residents)

We do not "sell" your personal information in the traditional sense, nor do we collect identifiable files. However, sharing data with Google AdSense for targeted advertising may constitute "sharing" under the CPRA. You possess the Right to Know, Right to Delete, Right to Correct, and the Right to Opt-Out of Cross-Context Behavioral Advertising via our consent banner or global privacy controls.

LGPD (Brazil) & PIPEDA (Canada)

In accordance with the Lei Geral de Proteção de Dados (LGPD) and the Personal Information Protection and Electronic Documents Act (PIPEDA), we apply strict data minimization principles. We do not collect or transfer your documents, and any advertising data processing is governed by informed consent where required.

10. Children's Privacy (COPPA)

PDFExpert strictly complies with the Children's Online Privacy Protection Act (COPPA) and international equivalents. Our services are not directed at, nor do we knowingly collect or solicit personal information from, children under the age of 13 (or 16 in the EU/UK). If you believe we have inadvertently collected information from a minor, please contact us immediately for deletion.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in global privacy legislation, technical updates, or AdSense policy modifications. The "Last Updated" date at the top of this document will reflect the most current version. We encourage users to review this page periodically.

12. Contact Information

If you have any questions, concerns, or legal inquiries regarding our privacy practices, please contact our privacy compliance team:

Website: https://pdfexpert.xyz
Email: privacy@pdfexpert.xyz