GDPR Policy

1. Data Controller

PdfPeaks acts as the Data Controller for personal data collected through https://pdfpeaks.com. As Data Controller, we are responsible for determining the purposes and means of processing your personal data in compliance with the GDPR. For all data-related enquiries, please contact us via our Contact page.

2. Legal Basis for Processing

We process personal data only where we have a valid legal basis to do so. The legal bases we rely on include:

• Contractual necessity (Art. 6(1)(b)): Processing required to provide the services you have requested — such as operating your user account or processing your uploaded files.
• Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate interests, including maintaining site security, preventing fraud, and improving the performance of our platform, where these interests are not overridden by your rights.
• Consent (Art. 6(1)(a)): Where we rely on your explicit consent — for example, for non-essential cookies or analytics. You may withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)): Processing necessary to comply with a legal obligation to which we are subject.

3. Personal Data We Process

We may process the following categories of personal data:

• Identity data: Name and email address (for registered users)
• Technical data: IP address, browser type, device information, and usage logs
• Communication data: Messages submitted via our Contact form

We do not process special categories of personal data (such as health, biometric, or political data), and we do not engage in automated decision-making or profiling.

4. Your Rights Under the GDPR

If you are located in the EEA or the United Kingdom, you have the following rights with respect to your personal data:

• Right of access (Art. 15): You may request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): You may request that inaccurate or incomplete data be corrected.
• Right to erasure (Art. 17): You may request deletion of your personal data where there is no compelling reason for its continued processing.
• Right to restriction of processing (Art. 18): You may request that we restrict the processing of your data in certain circumstances.
• Right to data portability (Art. 20): You may request a copy of your data in a structured, machine-readable format for transfer to another service.
• Right to object (Art. 21): You may object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us via our Contact page. We will respond to all valid requests within 30 days. We may need to verify your identity before processing your request.

5. Data Retention

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by law. Specifically:

• Uploaded and processed files are deleted immediately after each operation.
• Account data is retained for the duration of your account's existence and deleted upon account closure.
• Server logs and technical data are typically retained for no more than 90 days.

6. International Data Transfers

Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place in accordance with GDPR requirements — including Standard Contractual Clauses (SCCs) or adequacy decisions as applicable. We do not transfer your data to third countries without appropriate protections.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, disclosure, or destruction. These include TLS/HTTPS encryption for all data in transit and restricted access controls on our server infrastructure.

8. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with the GDPR, you have the right to lodge a complaint with your local data protection authority. For EEA users, this is your national supervisory authority. For UK users, this is the Information Commissioner's Office (ICO) at ico.org.uk.

We would, however, appreciate the opportunity to address your concerns before you contact a supervisory authority. Please reach out to us first via our Contact page.

9. Updates to This Policy

We may revise this GDPR Policy periodically to reflect changes in legislation or our data practices. The most current version will always be available on this page. Significant changes will be communicated to registered users via email where appropriate.