Privacy Policy
Last updated: 27 May 2026 · Version 2.0
1. Who we are (the data controller)
EasyPDFly at easypdfly.com is operated by I.T.FURTHER ENTERPRISE (SSM Registration No. 201703271255 / JM0818262-D), registered in Johor, Malaysia. For all data-protection enquiries, including requests under the EU GDPR, UK GDPR, Malaysian PDPA, or California CCPA, use the contact form on this site.
2. The data we collect, why, and on what legal basis
We collect only what we need to operate the Service. The table below sets out each category, the purpose, and the lawful basis under the EU GDPR (Article 6).
| Category | Purpose | Lawful basis (GDPR) |
|---|---|---|
| Uploaded files (PDFs, images, Office docs) | Process the file you requested (merge, convert, OCR, etc.) | Art 6(1)(b) — contract performance |
| Account info (email, name, hashed password) | Create + maintain your account, send service emails | Art 6(1)(b) — contract performance |
| Usage counters (jobs run, bytes processed) | Enforce plan limits, detect abuse | Art 6(1)(b) + 6(1)(f) — legitimate interest |
| Server logs (IP, request path, timestamp) | Security monitoring, debug, rate-limiting | Art 6(1)(f) — legitimate interest |
| Payment data (card last 4, billing country) | Process Pro/Ultra payments via Stripe | Art 6(1)(b) — contract performance |
| Contact-form messages | Reply to your question / complaint | Art 6(1)(b) / 6(1)(a) — consent |
| Essential cookies (session ID) | Keep you logged in | Art 6(1)(b) — contract performance |
3. What we DO NOT do
- We never use your files to train AI / machine learning models, ours or anyone else's.
- We never sell, rent, or share your files, your email, or any other personal data with marketers or data brokers.
- We do not run third-party advertising on the Service.
- We do not set marketing or cross-site tracking cookies. See our Cookies Policy for the complete list.
- We do not read or open your files for any purpose other than the tool you invoked.
4. Retention — how long we keep things
- Browser-side tools (Merge, Split, Compress, Watermark, Sign, Crop, Page Numbers, Repair, OCR, JPG↔PDF, Reorder, Rotate, etc.): files are processed entirely inside your browser. They never reach our servers.
- Server-side tools (Word/Excel/PPT↔PDF, HTML→PDF, Protect, Unlock, PDF-to-Excel/PPT OCR mode): inputs + outputs are deleted from our servers within 5 minutes of conversion.
- Drafts (Pro/Ultra only) saved from the Edit PDF tool: kept up to 30 days, then auto-purged.
- Account & subscription records: kept until you delete your account, then permanently removed.
- Server access logs: rolled off after 30 days.
- Billing records / invoices: retained for 7 years as required by Malaysian and most overseas tax law.
5. Where the data lives + international transfers
Our application servers are hosted in Singapore. Stripe processes payments in their global infrastructure (mainly EU/US). Cloudflare proxies our HTTP traffic via its global edge network. When data of EU/UK residents is transferred outside the EU/UK, we rely on Stripe's and Cloudflare's Standard Contractual Clauses (SCCs) as the legal mechanism. We do not transfer data to any subprocessor outside this list.
6. Subprocessors
The third parties below process limited data on our behalf. Each has its own privacy policy and is bound by data-processing terms.
- Contabo GmbH — virtual server hosting (Singapore region). Hosts the encrypted application + ephemeral uploads.
- Cloudflare, Inc. — DNS, CDN, TLS termination, DDoS protection. Sees request metadata only.
- Stripe, Inc. — payment processing for Pro / Ultra plans. We never see card numbers.
- Google Fonts — Inter typeface delivered from Google's CDN; sets no cookies but receives your IP.
7. Your rights
Depending on where you live you have the following rights — and we will honour all of them regardless of your jurisdiction:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct anything inaccurate.
- Erasure ("right to be forgotten") — delete your account directly from your Account page; we will also cancel any active subscription.
- Restriction — ask us to stop processing pending a dispute.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — at any time, where processing relies on consent.
- Lodge a complaint — with your local data protection authority (e.g. UK ICO, Malaysian PDPC, an EU supervisory authority).
To exercise any of these rights, use the contact form. We respond within 30 days.
8. California residents — CCPA notice
If you reside in California, the California Consumer Privacy Act gives you the right to know what personal information we collect, to delete it, and to opt-out of "sales" of personal information. We do not sell personal information, full stop. We have not sold, and do not intend to sell, any personal information in the past 12 months. To exercise CCPA rights use the contact form with subject "CCPA request".
9. Children's privacy
The Service is not intended for children under 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us personal data without parental consent, please contact us and we will delete it.
10. Security
We use industry-standard safeguards: TLS 1.2+ for all transport, bcrypt for passwords, Stripe Checkout (no card data on our servers), least-privilege server access, automatic file deletion. No system is 100 % secure; we cannot guarantee absolute protection against unauthorised access. If we ever experience a data breach affecting your personal data we will notify you within 72 hours, in line with GDPR Article 33-34.
11. Automated decision-making
We do not subject you to automated decisions that produce legal or similarly significant effects without human review.
12. Cookies & similar technologies
See our standalone Cookies Policy. We use one essential session cookie and no marketing cookies.
13. Changes to this policy
If we update this policy, we will change the "Last updated" date at the top. Material changes will be notified via the dashboard or by email at least 14 days in advance. Continued use of the Service after the new date means you accept the revised policy.
14. Contact
For any privacy-related question, request, or complaint, use the contact form. We acknowledge receipt within 3 business days and reply substantively within 30 days.