Skip to content
PDFMinify

Data Processing Agreement

Last updated: April 3, 2026

1. Parties and Definitions

This Data Processing Agreement ("DPA") is entered into between PDFMinify ("Processor", "we", "us") and the individual or entity using our services ("Controller", "you", "your"). This DPA supplements our Terms of Service and Privacy Policy.

"Personal Data" means any information relating to an identified or identifiable natural person contained within files uploaded to PDFMinify. "Processing" means any operation performed on Personal Data, including conversion, compression, OCR, and temporary storage.

2. Scope of Processing

PDFMinify processes files uploaded by users solely for the purpose of providing document conversion, compression, OCR, annotation, and AI analysis services. Processing occurs automatically upon file upload and is initiated exclusively by the Controller.

We do not access, read, analyze, index, or use the content of uploaded files for any purpose other than delivering the requested service. We do not train AI models on user-uploaded documents.

3. Data Types and Retention

Files uploaded for processing: Temporarily stored in encrypted cloud storage (Cloudflare R2). Automatically and permanently deleted within 30 minutes of processing completion. No human access occurs during this period.

Account data: Email address, name, and authentication tokens stored in Supabase (PostgreSQL) for the duration of the account. Deleted upon account deletion request via the user profile page.

Usage logs: Tool used, file size, processing duration, timestamps. Retained for 90 days for service improvement and abuse prevention. No file content is logged.

AI interactions: When using AI features (Chat with PDF, AI OCR), document text is sent to Google Gemini API for processing. Google does not retain this data beyond the API request lifecycle per their data processing terms.

4. Security Measures

  • All data transmitted via TLS 1.3 encryption (HTTPS enforced via HSTS with 2-year max-age)
  • Files stored in Cloudflare R2 with server-side encryption at rest
  • Download links use time-limited signed URLs (30-minute expiry)
  • Content Security Policy (CSP) headers prevent XSS and injection attacks
  • Rate limiting prevents abuse (Upstash Redis sliding window)
  • File type validation via magic bytes prevents malicious uploads
  • Row Level Security (RLS) on all database tables
  • No employee has routine access to uploaded files
  • Authentication via Supabase Auth with bcrypt password hashing
  • Audit logging of all authentication and account modification events

5. Sub-Processors

We engage the following sub-processors to deliver our services. Each operates under their own data processing agreements:

Sub-ProcessorPurposeLocation
Vercel Inc.Application hosting, serverless functionsUS (EU edge nodes)
Supabase Inc.Authentication, database, user profilesUS/EU
Cloudflare Inc.R2 file storage, CDNGlobal (EU compliant)
Google LLCGemini AI API (OCR, document analysis)US/EU
Upstash Inc.Redis (rate limiting, job queue), QStashEU (Frankfurt)
Hostinger VPSStirling-PDF document processing engineEU

6. Data Subject Rights

Under GDPR, data subjects have the right to access, rectify, erase, restrict processing, and port their data. PDFMinify supports these rights through:

  • Access & Portability: Users can export all their data in JSON format from the Profile page (/profile → Export Data)
  • Erasure: Users can delete their account and all associated data from the Profile page (/profile → Delete Account). This action is immediate and irreversible.
  • Rectification: Users can update their profile information at any time from the Profile page
  • File deletion: All uploaded files are automatically deleted within 30 minutes. No manual request is needed.

7. Data Breach Notification

In the event of a personal data breach, PDFMinify will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

8. International Transfers

Some sub-processors operate in the United States. Where Personal Data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission, or the sub-processor's participation in recognized frameworks such as the EU-US Data Privacy Framework.

9. Term and Termination

This DPA is effective for the duration of the Controller's use of PDFMinify services. Upon account deletion:

  • All account data is permanently deleted from Supabase
  • All uploaded files have already been auto-deleted (30-minute policy)
  • Usage logs are retained for 90 days for legal compliance, then permanently deleted
  • Audit logs are retained for 1 year for security and compliance purposes

10. Contact

For questions about this DPA, data processing practices, or to exercise data subject rights, contact us at:

Email: info@pdfminify.com

We aim to respond to all data protection inquiries within 30 days.