GDPR Compliance Commitment

Effective Date: May 29, 2026

At heyPDF, we are dedicated to protecting user privacy and ensuring full compliance with the General Data Protection Regulation (GDPR) standards. As an online PDF processing platform, our operational model is built entirely on the concept of privacy by design and privacy by default.

1. Data Controller and Processor

heyPDF acts as the Data Processor for the document files you upload. You, as the user, remain the Data Controller. We only process your files on your direct instructions (e.g. when you click a button to merge or compress a file). We do not own, access, inspect, or share the contents of your files.

2. Core User Rights Under GDPR

Under GDPR rules, European Union residents possess specific data rights. Here is how heyPDF implements them:

Right to Erasure (To Be Forgotten)

We automate this right. Since all uploaded and output files are permanently deleted automatically after 1 hour, your data is erased completely without you having to ask.

Right of Access & Portability

You have full access to download your processed documents within their 1-hour active window. We do not store historical client documents, meaning we cannot access or hand over your records to any third party.

Data Minimization

We only request data that is strictly necessary for document conversion operations. Because no registration is required, you can process files without ever sharing your name, email, or telephone numbers.

Right to Object

You have complete control. Processing only occurs when you actively drag, configure, and click to convert/merge files. You can stop or revoke actions at any point.

3. Technical Security Measures

To guarantee data confidentiality, we employ industry-standard technical security protocols:

  • Transport Encryption: All connections use SSL/TLS 1.3 certificates, preventing file intercepts.
  • Storage Security: Files are buffered in secure temporary memory blocks and stored inside isolated buckets on Cloudflare R2 servers, configured with auto-expiration rules.
  • Infrastructure Isolation: Processing scripts run in short-lived serverless sandbox runtimes with strict firewalls, isolated from other server components.

4. Sub-processors

We partner with reliable infrastructure providers who meet rigorous GDPR criteria:

  • Vercel Inc. — Frontend hosting and serverless endpoint execution.
  • Cloudflare Inc. — DNS, security layers, and secure temporary R2 storage buckets.

5. GDPR Contact

If you have questions regarding our GDPR compliance standards or wish to learn more about our technical safety protocols, feel free to email our Data Protection Officer at privacy@heypdf.com.