Privacy Policy

Last updated: 15 May 2026.

Principles

conv2pdf is built around three strict commitments:

• France hosting — the entire infrastructure runs at OVH France (Gravelines). No extra-European tier (notably United States) is involved in the processing chain.
• No result caching — generated PDF files are never kept beyond what is strictly necessary for your download (maximum 1 hour).
• Automatic deletion — an internal cron deletes all input and output files within 1 hour of creation at the latest.

Data collected

One-off conversions (Free, no account)

• Uploaded file (deleted after 1 h)
• Converted file (deleted after 1 h)
• IP address (server logs, kept 7 days for security)
• Job metadata: tool used, size, duration (kept 30 days for statistics)

User account (Pro and API)

• Email
• Active sessions (encrypted cookie, 30 days)
• Subscription plan
• Stripe customer ID (for Pro billing)
• API keys (SHA-256 hashed, never stored in clear)
• Conversion history (30 days visible, then deleted)

Legal basis

• One-off conversion: performance of the requested service (GDPR Art. 6.1.b)
• Account and subscription: contract performance (GDPR Art. 6.1.b)
• Stripe billing: legal accounting obligation (GDPR Art. 6.1.c)
• Security logs: legitimate interest, abuse prevention (GDPR Art. 6.1.f)

Sub-processors

• OVH SAS (France) — hosting
• Brevo (France) — transactional emails (sign-in magic links)
• Stripe Payments Europe Ltd (Ireland) — payment for paid Pro and API plans only. Stripe never receives the content of your converted files.

Cookies

conv2pdf uses no tracking or third-party analytics cookies. The only cookie set is conv2pdf_sid, a technical session cookie (HMAC-signed, HttpOnly, SameSite Lax) required for your sign-in. Its lifetime is 30 days.

Your rights

Under the GDPR, you have the following rights:

• Right of access to your data
• Right to rectification
• Right to erasure (instant account deletion on request)
• Right to portability
• Right to object
• Right to restriction of processing

To exercise these rights, contact contact@conv2pdf.com or use our contact form (subject "GDPR & DPA"). You may also lodge a complaint with the French data protection authority (CNIL — www.cnil.fr).

Enterprise DPA

A standard Data Processing Agreement (DPA) is provided on request to paid API customers. Contact contact@conv2pdf.com or use our contact form to obtain it.