Privacy Notice

Introduction

This Privacy Notice explains how pdf-mcp ("we", "us", "our") collects, uses, and protects your personal data when you use our PDF generation API and related services. We are committed to protecting your privacy and processing your data in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

By using our services, you acknowledge that you have read and understood this Privacy Notice. If you do not agree with our practices, please do not use our services.

Data Controller

The data controller responsible for your personal data is:

Data We Collect

Account Information

When you create an account, we collect:

• Email address - Used for authentication via magic link, account notifications, and support communication
• Account identifiers - Unique identifiers generated to manage your account and API access
• API keys - Cryptographically generated keys for authenticating API requests

Usage Information

When you use our API services, we collect:

• API request logs - Timestamp, endpoint called, response status, and credit usage
• Credit transactions - Records of credit purchases, usage, and balance changes
• Technical metadata - IP address, user agent, and request headers for security and debugging

Payment Information

Payment processing is handled by Stripe. We do not store complete credit card numbers or bank account details. We receive and store:

• Last four digits of payment cards
• Card brand and expiration date
• Billing address (if provided)
• Transaction records and invoices

Document Content

Important: pdf-mcp offers flexible storage modes for generated documents:

• By default, generated PDFs are stored with managed storage and configurable retention periods
• With the storage: "memory" parameter, documents are processed in memory only and not persisted
• With Bring Your Own Bucket (BYOB), PDFs are stored directly in your own cloud storage
• You choose the storage mode that fits your requirements on a per-request basis

If you use the "Bring Your Own Bucket" (BYOB) feature, PDFs are stored in your own cloud storage infrastructure, and we retain no copies.

Legal Basis for Processing

We process your personal data based on the following legal grounds under GDPR Article 6:

Contract Performance (Art. 6(1)(b))

Processing necessary to provide our PDF generation services, manage your account, and fulfill credit purchases.

Legitimate Interests (Art. 6(1)(f))

Processing for fraud prevention, security monitoring, service improvement, and technical troubleshooting.

Legal Obligation (Art. 6(1)(c))

Processing required to comply with tax, accounting, and other legal requirements.

Consent (Art. 6(1)(a))

Where applicable, for optional marketing communications (you may withdraw consent at any time).

How We Use Your Data

We use your personal data for the following purposes:

• Service Delivery - To provide and maintain our PDF generation API and MCP server
• Authentication - To verify your identity and authorize API access
• Billing - To process payments, manage credits, and send invoices
• Support - To respond to your inquiries and resolve technical issues
• Security - To detect, prevent, and respond to fraud, abuse, or security incidents
• Improvement - To analyze usage patterns and improve our services (using aggregated, anonymized data)
• Communication - To send service-related notices, updates, and security alerts
• Compliance - To meet legal and regulatory obligations

Data Sharing and Transfers

Third-Party Service Providers

We share data with trusted third parties who assist in operating our services:

International Transfers

All primary data processing occurs within the European Union (Germany, Frankfurt region). Where data is transferred outside the EU (e.g., to US-based sub-processors), we ensure appropriate safeguards such as Standard Contractual Clauses (SCCs) are in place.

No Sale of Personal Data

We do not sell, rent, or trade your personal data to third parties for marketing purposes. We only share data as described in this Privacy Notice or with your explicit consent.

Data Retention

We retain your data only as long as necessary for the purposes described:

Account Data

Retained while your account is active, plus 30 days after deletion request.

API Logs

Retained for 90 days for debugging and security purposes, then permanently deleted.

Transaction Records

Retained for 7 years to comply with tax and accounting regulations.

Document Content

Retention depends on storage mode. With managed storage, retained per your retention settings. With stateless mode (storage: "memory"), processed in memory only and discarded immediately.

Your Rights

Under GDPR and applicable data protection laws, you have the following rights:

• Right of Access - Request a copy of the personal data we hold about you
• Right to Rectification - Request correction of inaccurate or incomplete data
• Right to Erasure - Request deletion of your personal data ("right to be forgotten")
• Right to Restriction - Request limitation of processing in certain circumstances
• Right to Data Portability - Receive your data in a structured, machine-readable format
• Right to Object - Object to processing based on legitimate interests or for direct marketing
• Right to Withdraw Consent - Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us at support@pdf-mcp.io. We will respond to your request within 30 days. You also have the right to lodge a complaint with your local data protection supervisory authority.

Security Measures

We implement appropriate technical and organizational measures to protect your personal data:

• Encryption - All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls - Strict role-based access controls limit who can access data
• API Security - API keys are hashed and stored securely; requests are rate-limited
• Infrastructure - Hosted on enterprise-grade cloud infrastructure with security certifications
• Monitoring - Continuous security monitoring and incident response procedures
• Flexible Storage - Choose managed storage, BYOB, or stateless mode (storage: "memory") for in-memory-only processing

Cookies and Tracking

Our website uses minimal cookies necessary for service operation:

Essential Cookies

Required for authentication, session management, and security. Cannot be disabled.

Analytics

We may use privacy-respecting analytics to understand site usage. No personal data is collected for analytics purposes.

We do not use third-party advertising cookies or tracking pixels. We do not participate in cross-site tracking or behavioral advertising.

Children's Privacy

Our services are not directed to children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at support@pdf-mcp.io.

Changes to This Notice

We may update this Privacy Notice from time to time to reflect changes in our practices or legal requirements. We will notify you of significant changes by:

• Posting the updated notice on our website with a new "Last updated" date
• Sending an email notification for material changes affecting your rights

We encourage you to review this Privacy Notice periodically to stay informed about how we protect your data.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Notice or our data practices, please contact our privacy team:

For general support or other inquiries, please see our Imprint page for additional contact information.