GDPR Compliance Commitment
Effective Date: May 29, 2026
At heyPDF, we are dedicated to protecting user privacy and ensuring full compliance with the General Data Protection Regulation (GDPR) standards. As an online PDF processing platform, our operational model is built entirely on the concept of privacy by design and privacy by default.
1. Data Controller and Processor
heyPDF acts as the Data Processor for the document files you upload. You, as the user, remain the Data Controller. We only process your files on your direct instructions (e.g. when you click a button to merge or compress a file). We do not own, access, inspect, or share the contents of your files.
2. Core User Rights Under GDPR
Under GDPR rules, European Union residents possess specific data rights. Here is how heyPDF implements them:
Right to Erasure (To Be Forgotten)
We automate this right. Since all uploaded and output files are permanently deleted automatically after 1 hour, your data is erased completely without you having to ask.
Right of Access & Portability
You have full access to download your processed documents within their 1-hour active window. We do not store historical client documents, meaning we cannot access or hand over your records to any third party.
Data Minimization
We only request data that is strictly necessary for document conversion operations. Because no registration is required, you can process files without ever sharing your name, email, or telephone numbers.
Right to Object
You have complete control. Processing only occurs when you actively drag, configure, and click to convert/merge files. You can stop or revoke actions at any point.
3. Technical Security Measures
To guarantee data confidentiality, we employ industry-standard technical security protocols:
- Transport Encryption: All connections use SSL/TLS 1.3 certificates, preventing file intercepts.
- Storage Security: Files are buffered in secure temporary memory blocks and stored inside isolated buckets on Cloudflare R2 servers, configured with auto-expiration rules.
- Infrastructure Isolation: Processing scripts run in short-lived serverless sandbox runtimes with strict firewalls, isolated from other server components.
4. Sub-processors
We partner with reliable infrastructure providers who meet rigorous GDPR criteria:
- Vercel Inc. — Frontend hosting and serverless endpoint execution.
- Cloudflare Inc. — DNS, security layers, and secure temporary R2 storage buckets.
5. GDPR Contact
If you have questions regarding our GDPR compliance standards or wish to learn more about our technical safety protocols, feel free to email our Data Protection Officer at privacy@heypdf.com.