gPdf
HomePlaygroundSolutionsTemplatesPricingDocs
20 languages
en English zh 中文 es Español hi हिन्दी ar العربية bn বাংলা pt Português ru Русский ja 日本語 id Bahasa Indonesia de Deutsch fr Français tr Türkçe ko 한국어 vi Tiếng Việt it Italiano pl Polski nl Nederlands th ไทย uk Українська
Sign in
HomePlaygroundSolutionsTemplatesPricingDocs Sign in
Home / Legal & trust / Privacy policy
Privacy · v2026-06.2

Privacy policy

What personal data gPdf collects, why we collect it, how long we retain it, and the rights you have under GDPR / CCPA.

Effective May 10, 2026 · Last updated June 4, 2026
Summary

gPdf collects the minimum personal data needed to operate the service — account email, API key activity logs, billing details. We do not store the contents of PDFs you generate or the JSON you submit. We do not sell or share customer data. EU data subjects can exercise their GDPR rights via the contact form on this page.

Scope

This policy describes how gPdf collects, uses and discloses personal data when you visit gpdf.com, sign up for an account, or call the gPdf API. It does not apply to data you submit as content to the API — that data is governed by the Data Processing Addendum and the security policy, and we explicitly do not store it.

Data we collect

From visitors to the marketing site

  • IP address (truncated to /24 for IPv4 and /48 for IPv6 before storage).
  • User-agent string.
  • The page you visited and the page that referred you.
  • Whether your visit was the first or a return visit (privacy-preserving fingerprint, no cross-site tracking).
  • Google Analytics 4 page-load signals on production marketing pages after the visitor has consented to analytics cookies, such as the page URL, referrer, and browser/device metadata.

We use first-party operational telemetry to understand traffic patterns. On production marketing pages, we also use Google Analytics 4 after consent to measure aggregate site usage. We do not send API request bodies, generated PDFs, account secrets, payment data, or customer document content to Google Analytics.

From customers with accounts

  • Email address (required for sign-in and important account notices).
  • Organisation name, billing address, VAT/GST ID where applicable.
  • API key labels and creation timestamps (the keys themselves are stored hashed, not as plaintext).
  • Per-request operational metadata: route hit, HTTP status, render duration. No request bodies, no PDF content.
  • Aggregate page-count totals per billing period.

From callers of the gPdf API

  • We receive whatever you send in the DocumentRequest. We hold it in isolate memory for the duration of the render and then release it. We do not log, sample, retain or train on this content.

What we don’t do

  • We do not sell personal data.
  • We do not share personal data with third parties for their marketing purposes.
  • We do not use customer-submitted document content to train models, ours or anyone else’s.
  • We do not use Google Analytics 4 on API endpoints or to send customer-submitted document content to analytics systems.

Cookies and similar technologies

We use the minimum browser storage needed to make the site work. On production marketing pages, Google Analytics 4 may also set or read analytics cookies after the visitor has opted in through the consent modal. The API service itself does not use those analytics cookies.

The complete list of what gpdf.com stores in your browser:

Name Type Purpose Lifetime
gpdf.lang First-party cookie Remembers your chosen interface language so you don’t see the locale switcher on every visit. 365 days
gpdf.banner.dismissed First-party cookie Remembers that you closed the “switch to your language” suggestion banner so it doesn’t reappear on every page. 90 days
gpdf.theme localStorage Remembers your light / dark / follow-system theme choice. Not a cookie — never sent to the server. Until you clear it
__cf_bm Third-party cookie (Cloudflare) Cloudflare bot management — distinguishes humans from automated abuse so the site stays available. Strictly necessary for site security; we do not control its contents. See Cloudflare’s cookie documentation. ~30 minutes
_ga Google Analytics 4 cookie Distinguishes consenting visitors for aggregate marketing-site usage measurement. Up to 2 years
_ga_* Google Analytics 4 cookie Maintains consented session state for a specific GA4 property. Up to 2 years

Our own first-party cookies are set with SameSite=Lax and Secure so they only travel over HTTPS and only on first-party navigations. They do not carry personal data — they hold a language code, a “1” flag, and a theme string respectively. Google Analytics 4 cookies are controlled by Google; see Google Analytics cookie usage and Google’s consent mode documentation for how Google Analytics handles consent and storage.

You can clear or block any of these at any time through your browser’s site settings. The site continues to work; you’ll see the defaults (English UI, system theme), the language-switch suggestion banner may reappear, and Google Analytics measurement may stop working for your visit.

If we add new cookies, we will update this table and bump the policy version before the new cookie ships.

Sub-processors

A current list of sub-processors (Cloudflare, Stripe, our transactional-email provider, etc.) is maintained on the DPA page. We notify customers in advance of new sub-processors via email.

Retention

Data type Retained for
Operational request metadata (no bodies) 30 days
Account billing records 7 years (tax law)
Account email + organisation name Lifetime of the account, plus 90 days after closure
Document content submitted to the API Not retained — released from memory when the request completes

Your rights

Under GDPR, CCPA and equivalent regimes:

  • You can request a copy of the personal data we hold on you.
  • You can ask us to correct or delete it.
  • You can object to processing, or ask us to restrict it.
  • You can lodge a complaint with your local supervisory authority.

Exercise these rights by using our contact form — submit from the email associated with your account. We respond within 30 days for routine requests.

International transfers

gPdf processes data in the region you select at account creation (EU, US, APAC or SA). Cross-region replication for disaster recovery is opt-in and disclosed at signup. Where a transfer crosses jurisdictions, we rely on the EU Standard Contractual Clauses or equivalent legal mechanism.

Changes

When this policy changes, we update the version string at the top of this page and notify customers via email at least 30 days before the new version takes effect (unless the change is purely editorial).

Contact

  • Privacy / GDPR enquiries: use our contact form — select “Privacy”.
  • DPO (or appointed contact for jurisdictions requiring one): use our contact form — select “DPO”.

Questions about this document? Use our contact form

All trust & legal documents
gPdf

Edge-native PDF infrastructure for invoices and shipping labels.

All systems operational

Product

  • Playground
  • Templates
  • Pricing
  • Benchmarks
  • Status

Resources

  • Solutions
  • Comparisons
  • Use cases
  • Changelog
  • Blog

Tools

  • PDF/A Validator
  • gPdf Studio

API Docs

  • Quickstart
  • API Reference
  • Render API
  • Template API
  • E-invoice API
  • Error codes
  • OpenAPI spec

Company

  • About
  • GitHub
  • Security
  • Privacy
  • DPA
  • SLA
© 2026 gPdf · Generated at the edge. · region auto