Privacy Policy

Last updated: 21 May 2026.

Principles

conv2pdf is built around three strict commitments:

• France hosting — the entire infrastructure runs at OVH France (Gravelines). No extra-European tier (notably United States) is involved in the processing chain.
• No result caching — generated PDF files are never kept beyond what is strictly necessary for your download (maximum 1 hour).
• Automatic deletion — an internal cron deletes all input and output files within 1 hour of creation at the latest.

Data collected

One-off conversions (Free, no account)

• Uploaded file (deleted after 1 h)
• Converted file (deleted after 1 h)
• IP address (server logs, kept 7 days for security)
• Job metadata: tool used, size, duration (kept 30 days for statistics)

User account (Premium and API)

• Email
• Active sessions (encrypted cookie, 30 days)
• Subscription plan
• Stripe customer ID (for Premium billing)
• API keys (SHA-256 hashed, never stored in clear)
• Conversion history (30 days visible, then deleted)

Public file sharing

When you generate a public share link via the sharing feature, conv2pdf acts as a hosting provider under French law (LCEN — loi pour la confiance dans l'économie numérique). Pursuant to decree n° 2021-1363, the following technical data is retained for 1 year from share creation:

• Source IP address of the contributor
• Source TCP port (necessary in NAT/CGNAT mobile contexts)
• Browser user-agent
• Creation timestamp

This data is stored in a dedicated audit log, separate from the content itself. It is only disclosed to judicial authorities upon formal legal request. It is never used for commercial, statistical or marketing purposes. If you do not wish this log to be generated, do not use the public sharing feature — plain conversion (without sharing) is not concerned.

Legal basis

• One-off conversion: performance of the requested service (GDPR Art. 6.1.b)
• Account and subscription: contract performance (GDPR Art. 6.1.b)
• Stripe billing: legal accounting obligation (GDPR Art. 6.1.c)
• Public sharing audit log: legal obligation (GDPR Art. 6.1.c, French LCEN Art. 6 II and decree n° 2021-1363)
• Security logs: legitimate interest, abuse prevention (GDPR Art. 6.1.f)

Sub-processors

• OVH SAS (France) — hosting
• Brevo (France) — transactional emails (sign-in magic links)
• Stripe Payments Europe Ltd (Ireland) — payment for paid Premium and API plans only. Stripe never receives the content of your converted files.

Cookies

conv2pdf uses no tracking or third-party analytics cookies. The only cookie set is conv2pdf_sid, a technical session cookie (HMAC-signed, HttpOnly, SameSite Lax) required for your sign-in. Its lifetime is 30 days.

Your rights

Under the GDPR, you have the following rights:

• Right of access to your data
• Right to rectification
• Right to erasure (instant account deletion on request)
• Right to portability
• Right to object
• Right to restriction of processing

To exercise these rights, contact contact@conv2pdf.com or use our contact form, mentioning that this is a GDPR request. You may also lodge a complaint with the French data protection authority (CNIL — www.cnil.fr).

Enterprise DPA

A standard Data Processing Agreement (DPA) is available for direct download, applicable to all paid API customers:

• conv2pdf DPA v1 (PDF, English) — translation for convenience
• conv2pdf DPA v1 (PDF, français) — legally binding version

To sign: complete your information in the "The Controller" section, sign the final block, and email the scanned signed copy to contact@conv2pdf.com. The countersigned DPA will be returned to you shortly.

For any question, amendment or custom data processing agreement (Enterprise on quote), use our contact form.