Privacy Policy
This Privacy Policy describes how PDFtoAll collects, uses and protects your personal data when you use the pdftoall.co website and the tools made available there (hereinafter, the "Service"). This document is drafted pursuant to articles 13 and 14 of Regulation (EU) 2016/679 (hereinafter, "GDPR").
1. Principles and privacy commitment
We process personal data in accordance with the principles set out in art. 5 of the GDPR:
- Lawfulness, fairness and transparency: we clearly inform you about which data we collect and why.
- Purpose limitation: we use data only for the purposes stated in this notice.
- Data minimization: we collect only the data strictly necessary.
- Accuracy: we are committed to keeping data up to date and correct.
- Storage limitation: we retain data only for as long as necessary.
- Integrity and confidentiality: we adopt appropriate technical and organizational measures.
- Privacy by design and by default: the Service is designed to minimize the exposure of personal data from the outset — most processing happens client-side.
2. Data we collect
2.1 Browsing and technical data
When you access the Service, our systems automatically acquire some information whose transmission is implicit in the use of Internet protocols:
- IP address and domain name of the connecting device.
- URLs of requested resources, time, HTTP method, response code, size of data exchanged.
- User agent (browser and operating system), language and time zone.
These data are used to derive aggregate statistical information and to ensure the proper operation and security of the Service. They are deleted or anonymized as soon as possible.
2.2 Contents of uploaded files
For most tools, processing happens entirely in your browser: your files are never transmitted to our servers. For tools that require third-party services (see section 4), we temporarily process only the portions of content necessary for the operation.
2.3 Voluntarily provided data
When you write to us via email or contact forms, we collect the data strictly necessary to respond: email address, possibly your name, message content.
2.4 Cookies and identifiers
See section 5. Cookies and similar technologies for the details.
3. Purposes of processing and legal bases
We process your personal data for the following purposes, each based on a specific legal basis under art. 6 GDPR:
| Purpose | Categories of data | Legal basis |
|---|---|---|
| Provision of the Service | File contents, technical data | Performance of the contract (art. 6.1.b) |
| Information security and fraud prevention | Browsing data, IP, logs | Legitimate interest (art. 6.1.f) |
| Technical cookies (theme, session preferences) | Technical identifiers | Legitimate interest / performance of the Service |
| Aggregated and anonymous statistics | Anonymized browsing data | Legitimate interest (art. 6.1.f) |
| Non-anonymized analytics cookies | Cookie identifiers | Consent (art. 6.1.a) |
| Contextual and personalized advertising | Advertising identifiers, browsing behavior | Consent (art. 6.1.a) |
| Handling of contact requests | Email, message content | Consent and legitimate interest (art. 6.1.a / 6.1.f) |
| Defense in court | Data possibly necessary | Legitimate interest (art. 6.1.f) |
4. Your files: how we handle them
PDFtoAll is designed under the privacy by design principle: the architecture of the Service is built to minimize exposure of your documents.
4.1 Client-side tools (the majority)
For most tools — Merge, Split, Compress, Rotate, Crop, Add page numbers, Extract pages, Organize, Sign, Watermark, Protect, Redact, Edit, Compare, Repair, Office↔PDF conversions, JPG↔PDF, PNG↔PDF, HTML→PDF and others — processing happens entirely in your browser using WebAssembly. Your files never leave your device: neither we nor any network intermediaries can access their contents.
4.2 Tools that use third-party services
For some operations that require computationally complex models (in particular Summarize PDF with AI and Translate PDF), the extracted text of the document is transmitted in encrypted form (HTTPS/TLS) to specialized providers, listed in section 7. We transmit only the text necessary for the operation: the original binary file, images and metadata are not transmitted.
4.3 Automatic deletion
Should an operation exceptionally require a pass through our servers, files are automatically deleted within 60 minutes of completion, regardless of whether the result has been downloaded.
5. Cookies and similar technologies
The Service uses cookies and similar technologies (web storage, device identifiers) under art. 122 of Italian Legislative Decree 196/2003 and the ePrivacy Directive 2002/58/EC.
5.1 Cookie categories
| Type | Purpose | Duration | Consent |
|---|---|---|---|
| Technical cookies | Service operation (light/dark theme, language preferences) | Session or up to 12 months | Not required |
| Aggregated analytics cookies | Anonymous measurement of Service use | Up to 12 months | Not required if anonymized |
| Non-anonymized analytics cookies | Detailed behavior analysis | Up to 24 months | Required |
| Advertising cookies | Profiling and ad personalization | Up to 24 months | Required |
5.2 Consent management
On first access a consent banner is shown allowing you to accept all cookies, reject those that are not strictly necessary, or customize your preferences. You can withdraw or change your consent at any time from your browser's cookie management page or from the banner settings.
6. Third-party advertising
The Service is funded by advertising delivered by third-party ad networks (e.g. Google AdSense). Ad networks may use cookies, tracking pixels and device identifiers to:
- Show ads relevant to the User's interests.
- Measure the effectiveness of advertising campaigns.
- Limit the frequency of exposure of a single ad.
- Detect and prevent fraudulent activity.
Such processing only takes place with your explicit prior consent, collected through the cookie banner. Ad networks act as independent controllers of the data collected through their tools: we invite you to consult their respective privacy policies:
- Google AdSense: https://policies.google.com/technologies/ads
- Google Privacy Policy: https://policies.google.com/privacy
7. Third-party services
To deliver the Service we rely on specialized providers. The main ones are:
| Provider | Service | Data transmitted |
|---|---|---|
| Pollinations.AI | Summary generation through language models | Text extracted from the PDF |
| Translated S.r.l. (MyMemory) | Multilingual machine translation | Text extracted from the PDF, source and target languages |
| Google Ireland Limited (Fonts, Material Symbols) | Loading of fonts and icons | IP address, user agent |
| Google Ireland Limited (AdSense) | Advertising delivery | Advertising identifiers, browsing data |
We may also disclose your data to judicial and police authorities when required by law or when necessary to ascertain, exercise or defend a right in court.
8. Transfers of data outside the EU
Some of our providers (in particular ad networks and AI providers) may also process data outside the European Economic Area, primarily in the United States. In these cases we ensure that the transfer takes place in accordance with Chapter V of the GDPR through:
- Adequacy decision of the European Commission (e.g. EU-US Data Privacy Framework, where the provider adheres to it).
- Standard Contractual Clauses (SCC) approved by the European Commission.
- Supplementary technical and organizational measures (encryption, pseudonymization) where necessary.
9. Data retention
We retain personal data for the time strictly necessary to achieve the purposes for which they were collected:
| Category | Retention period |
|---|---|
| File contents (client-side operations) | Only for the duration of the browser session; never stored on our servers |
| File contents (server-side operations, exceptional) | Maximum 60 minutes after processing |
| Browsing data and technical logs | Maximum 6 months (except for crime investigations or authority requests) |
| Technical cookies | Session or up to 12 months |
| Advertising cookies (with consent) | Maximum 24 months |
| Contact emails and support tickets | Up to 24 months from resolution of the request |
10. Your rights as a data subject
As a data subject under the GDPR, you have the right to exercise at any time:
- Right of access (art. 15): obtain confirmation and a copy of the data concerning you.
- Right to rectification (art. 16): correct inaccurate or incomplete data.
- Right to erasure (art. 17, "right to be forgotten"): obtain the deletion of data.
- Right to restriction of processing (art. 18).
- Right to data portability (art. 20): receive the data in a structured, machine-readable format.
- Right to object (art. 21): object to processing based on legitimate interest.
- Right not to be subject to automated decisions (art. 22).
- Right to withdraw consent (art. 7.3): withdraw at any time consents given, without affecting the lawfulness of prior processing.
To exercise any of these rights, write to privacy@pdftoall.co, specifying the right you intend to exercise. We commit to responding within 30 days under art. 12.3 GDPR, extendable by an additional 60 days in case of particular complexity. To ensure that the request actually comes from the data subject, we may ask for elements proving identity.
11. Complaint to the supervisory authority
If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the competent supervisory authority:
- Italy: Garante per la protezione dei dati personali — www.garanteprivacy.it.
- Other EU countries: the authority of your country of residence, work or place of the alleged violation (full list at edpb.europa.eu).
12. Processing of minors' data
The Service is intended for an audience over 16 years old (or the minimum age required by applicable law in your country). We do not intentionally collect personal data from minors below that age. Parents or guardians who believe that a minor under their responsibility has provided data to the Service can contact us at privacy@pdftoall.co to request its deletion.
13. Data security
We adopt appropriate technical and organizational measures to ensure the security of personal data, under art. 32 GDPR:
- Encryption in transit: all communications take place over up-to-date HTTPS/TLS.
- Privacy by design: most processing happens client-side.
- Access controls to backend systems reserved for authorized personnel.
- Continuous security updates of software and dependencies.
- Pseudonymization and minimization of technical logs.
- Continuous monitoring to detect and prevent breaches.
In case of a personal data breach posing a risk to your rights and freedoms, we commit to notifying the supervisory authority within 72 hours (art. 33 GDPR) and to communicating it to data subjects without undue delay (art. 34 GDPR) when the risk is high.
14. Changes to this policy
We reserve the right to modify this Privacy Policy to align it with the evolution of the Service, applicable law or industry best practices. Changes will be published on this page with the indication of the date of last update. For substantial changes, adequate notice will be given through a clearly visible notice on the Service before they take effect. We invite you to consult this page periodically.
15. Contacts
For any question or request regarding the processing of your personal data you can contact us at the following email addresses:
- Privacy and personal data: privacy@pdftoall.co
- General: info@pdftoall.co