Privacy Policy
The short version: KeptPDF processes your documents entirely inside your own browser. We never receive, see, or store the files you work on. The only data that reaches our servers is the account and billing information described below, never your document content.
This Privacy Policy explains how KeptPDF ("we", "us") collects, uses, and protects information when you use the KeptPDF website and application at keptpdf.com (the "Service"). By using the Service, you agree to this policy.
1. Your documents never leave your device
Every PDF operation KeptPDF offers (redaction, signing, annotation, OCR, Bates numbering, merging, splitting, compression, conversion, and the rest) runs locally in your web browser using code that loads once on page visit. Your file content is never uploaded to, transmitted to, or stored on our servers. You can verify this yourself on our Verify page by watching your browser's network tab while you process a file.
2. Information we collect
Document content
None. We do not collect the files you open or the content within them.
Optional Google Drive import (Pro): if you connect Google Drive, your browser downloads the PDF from Google's API into local memory. It still never passes through KeptPDF's servers, but Google's terms and privacy policy apply to that transfer.
Account information
If you create an account, we collect your email address, which we use to send you a passwordless "magic link" to sign in and to contact you about your account.
Billing information
Payments are processed by Stripe. We do not receive or store your full card number. We store the identifiers and status Stripe returns to us (your Stripe customer ID, subscription ID, and plan status) so we can apply your plan.
Usage and product analytics
To enforce plan limits and to understand how the Service is used (which features are popular, and where to fix problems), we record minimal, first-party analytics events. An event may include: a timestamp, the event type (e.g. a page view or a tool run), the name of the tool used (e.g. "redact"), a coarse device and browser category (e.g. "desktop / Chrome"), the referring website's domain (e.g. "news.ycombinator.com"), an anonymous per-visit identifier, and, for error reports, a sanitized error message. These records are stored in our own database and shared with no third-party analytics provider. They never include file names or file content.
Anonymous rate-limiting
For visitors who are not signed in, we enforce a daily free limit using a one-way cryptographic hash of your IP address and browser type, combined with a secret salt that rotates every day (UTC). The hash cannot be reversed to identify you, and yesterday's hashes become unrecoverable once the salt rotates. The same daily hash is attached to analytics events so we can count unique networks in aggregate, never to identify a person.
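The following is an added illustration of the rotating-salt scheme described above; it is example code written for this page, not KeptPDF's implementation. It assumes HMAC-SHA256 as the one-way hash, a 32-byte random salt generated fresh each UTC day and never stored once replaced, and an in-memory counter keyed by the resulting digest. The clock is injectable so that a day rollover can be exercised without waiting.

```python
"""Daily-rotating salted hash for anonymous per-visitor rate limiting (example)."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone


def utc_today():
    """Current UTC calendar day; used as the rotation boundary."""
    return datetime.now(timezone.utc).date()


class DailyAnonymousLimiter:
    """Counts tool runs per (IP, browser type) without retaining either value.

    Only an HMAC of the pair under a secret daily salt is kept. Because the
    salt is random and overwritten at rollover, the previous day's digests can
    neither be recomputed nor matched against a known IP afterwards. The
    secret salt also defeats brute forcing: hashing a bare IPv4 address with a
    public or absent salt could be reversed by enumerating the address space.
    """

    def __init__(self, daily_limit, today=utc_today):
        self.daily_limit = daily_limit
        self._today = today          # injectable clock (assumption for testing)
        self._salt_day = None
        self._salt = b""
        self._counts = {}

    def _rotate_if_needed(self):
        day = self._today()
        if day != self._salt_day:
            # New random salt; the old one is dropped, not archived.
            self._salt = secrets.token_bytes(32)
            self._salt_day = day
            self._counts = {}        # yesterday's counters are unrecoverable anyway

    def daily_key(self, ip, browser):
        """One-way identifier for (ip, browser), valid only for the current day.

        The same digest can be attached to analytics events to count distinct
        networks in aggregate for that day; it identifies no person.
        """
        self._rotate_if_needed()
        message = f"{ip}|{browser}".encode()
        return hmac.new(self._salt, message, hashlib.sha256).hexdigest()

    def hit(self, ip, browser):
        """Record one use; return False when the daily free limit is exhausted."""
        key = self.daily_key(ip, browser)
        used = self._counts.get(key, 0)
        if used >= self.daily_limit:
            return False
        self._counts[key] = used + 1
        return True


if __name__ == "__main__":
    # Constructed sample: a documentation-range IP and a coarse browser label.
    limiter = DailyAnonymousLimiter(daily_limit=3)
    for _ in range(4):
        print(limiter.hit("203.0.113.7", "desktop / Chrome"))
```

Note that the digest is stable within a day (so the count accumulates) and changes at rollover, which is exactly the property the policy relies on for both enforcement and aggregate counting.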
Technical and log data
Like most websites, our hosting provider records standard server logs (such as IP address, request time, and user agent) for security and reliability. We use a session cookie (HTTP-only) to keep you signed in, and your browser's local storage for preferences such as theme. We also store a random, non-identifying per-visit analytics identifier in your browser's session storage, which is erased when you close the tab. Your in-app document history is stored locally in your browser (IndexedDB) and is never uploaded. If your browser sends a "Do Not Track" or Global Privacy Control (GPC) signal, we disable product analytics (anonymous error reports may still be recorded so the Service keeps working).
What we do not use
We do not use third-party advertising, third-party analytics providers, tracking pixels, cross-site trackers, or marketing cookies, and we do not sell your personal information. Our analytics are first-party only: the data described above stays in our own systems and is never sent to an outside analytics company.
3. How we use information
- To provide, maintain, and secure the Service;
- To authenticate you (magic-link sign-in) and manage your account;
- To process payments and apply your plan or credits;
- To enforce free-tier usage limits;
- To understand product usage and diagnose errors (first-party analytics);
- To respond to support requests;
- To comply with legal obligations.
4. Legal bases (EEA/UK)
Where the GDPR or UK GDPR applies, we process personal data on the bases of: performance of our contract with you (providing the Service); our legitimate interests (security, abuse prevention, improving the Service); your consent (where requested); and compliance with legal obligations.
5. Service providers (subprocessors)
We share limited data with vendors that operate the Service on our behalf. They are bound by their own privacy commitments and may not use your data for their own purposes:
- Vercel: website and application hosting (privacy policy);
- Stripe: payment processing (privacy policy);
- Resend: transactional email delivery, such as sign-in links (privacy policy);
- Neon / Vercel Postgres: database for account, usage, and first-party analytics metadata.
Optional user-directed third-party connections
When you use the optional Google Drive import (Pro feature), your browser connects directly to Google for OAuth sign-in (accounts.google.com) and to fetch the files you choose (www.googleapis.com/drive/v3). We provide a server-side token exchange endpoint only to keep our Google client secret off the client; the access token is returned to your browser and used solely by your browser for that import. We never receive or store the contents of files imported from Drive. Google may process data per its own privacy policy; this connection is entirely user-initiated and opt-in.
6. Data retention
We keep account and billing records for as long as your account is active and as needed to comply with legal, tax, and accounting requirements. Usage-metadata records are retained only as long as needed to enforce limits. Anonymous rate-limit hashes are rendered unrecoverable when the daily salt rotates. You may request deletion of your account at any time.
7. Your rights
Depending on where you live, you may have the right to access, correct, delete, or export your personal data, to object to or restrict certain processing, and to withdraw consent. If you are in the EEA, UK, or Switzerland, you also have the right to lodge a complaint with your local data-protection supervisory authority. California residents have rights under the CCPA/CPRA, including the right to know, to delete, to correct, and not to be discriminated against for exercising those rights. Note that we do not sell or "share" personal information as those terms are defined under California law. You may use an authorized agent to submit a request on your behalf. To exercise any right, email support@keptpdf.com; we may need to verify your identity first, and we will respond within the timeframe required by applicable law.
8. International transfers
We are based in the United States and our providers may process data in the United States and other countries. Where required, transfers rely on appropriate safeguards such as the Standard Contractual Clauses.
9. Children
The Service is not directed to children under 16, and we do not knowingly collect personal data from them.
10. Security
We use industry-standard measures to protect the limited data we hold, including encryption in transit, HTTP-only session cookies, and a strict Content-Security-Policy. Because your documents are never transmitted to us, the most sensitive data you handle never leaves your control. No method of transmission or storage is 100% secure, but the architecture is designed to minimize what is at risk.
11. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you.
12. Contact
Questions about this policy or your data? Contact us at support@keptpdf.com.