Privacy Policy
Effective date: 15 March 2026
This Privacy Policy describes how Cataphract (“we”, “us”, or “our”) collects, uses, and protects information when you use optioPDF at optiopdf.cataphract.dev (the “Service”). We are committed to protecting your privacy and handling your data responsibly.
1. Information We Collect
Account Information
When you register, we collect your name, email address, and organisation name. This information is used to authenticate you and administer your account.
API Usage Data
We collect metadata about API requests including timestamps, page counts, processing modes, job statuses, file sizes, and IP addresses. This data is used for billing, rate limiting, and service improvement. We do not store the content of your extracted text beyond the data retention period of your plan.
Uploaded Documents
PDF files you upload for processing are temporarily stored in encrypted cloud storage. Files are automatically deleted after processing completes or after your plan’s data retention window, whichever is shorter. We do not read, analyse, or share the content of your documents.
Technical & Log Data
We automatically collect server logs including IP addresses, browser or client type, request paths, and error information. This data is used for security, debugging, and service monitoring and is retained for a limited period.
Cookies & Local Storage
The dashboard uses a session cookie and browser local storage to keep you logged in. We do not use third-party tracking cookies or advertising cookies.
2. How We Use Your Information
- To provide, operate, and improve the Service.
- To authenticate users and secure accounts.
- To process payments and send billing-related communications (when paid plans are active).
- To enforce our Terms of Service and prevent abuse.
- To respond to support requests and communicate service updates.
- To comply with legal obligations.
We do not sell, rent, or share your personal data with third parties for marketing purposes.
3. Data Sharing
We share data only in the following limited circumstances:
- Service providers: We use Google Cloud Platform for infrastructure (compute, database, storage). Data is processed within the EU (Belgium, europe-west1 region) to support GDPR compliance.
- Payment processor: When paid plans are active, billing is handled by LemonSqueezy as Merchant of Record. They receive the minimum information necessary to process payments.
- Legal requirements: We may disclose data if required by law, court order, or to protect the rights and safety of users or the public.
4. Data Retention
Uploaded PDF files are deleted automatically after processing. Account data is retained while your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or compliance purposes.
5. Security
We implement industry-standard security measures including:
- Encrypted data in transit (TLS) and at rest (AES-256).
- Argon2id password hashing and API key hashing — we never store raw credentials.
- RS256 JWT tokens with short expiry (15 minutes).
- Network isolation via VPC with private database access.
- Least-privilege IAM roles per service.
No security measure is perfect. Please report security vulnerabilities responsibly to privacy@cataphract.dev.
6. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), you have the following rights under GDPR:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your data (“right to be forgotten”).
- Portability: Request your data in a structured, machine-readable format.
- Objection: Object to certain processing of your data.
- Withdrawal of consent: Where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at privacy@cataphract.dev. We will respond within 30 days.
7. International Transfers
We process and store data within the EU (Google Cloud europe-west1). If data is ever transferred outside the EU, we ensure appropriate safeguards are in place in compliance with GDPR Chapter V.
8. Children
The Service is not directed to children under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us and we will delete it promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the effective date above and, where appropriate, by email. Continued use of the Service after changes constitutes acceptance.
10. Contact
For privacy-related questions or to exercise your rights, contact us at privacy@cataphract.dev.