Privacy Policy

Karim Epple ("we", "us", "our") operates xorapdf.com and is the data controller responsible for your personal data as defined under the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable privacy laws worldwide.

We collect only the minimum data necessary to provide our services:

• Technical access data: IP address, browser type, operating system, time of access, pages visited (server logs, collected automatically)
• Email address: only if you voluntarily provide it during a download or newsletter sign-up
• PDF files: files you upload for processing — processed entirely in your browser; never transmitted to or stored on our servers
• Payment data: for paid features only — handled exclusively by our payment provider Stripe; we never store card or bank details
• Usage data: anonymized behavioral data via Google Analytics / AdSense (only with your consent)

• To provide and operate the PDF tools on xorapdf.com
• To send newsletters and product updates (only with your explicit consent)
• To process payments for paid features
• To analyze and improve our service using anonymized data
• To display advertising via Google AdSense (only with your consent)
• To comply with legal obligations
• To ensure the security and stable operation of our platform

Under the GDPR and UK GDPR, we process your data on the following legal grounds:

• Art. 6(1)(a) GDPR – Consent: newsletter sign-up, optional cookies, advertising tracking
• Art. 6(1)(b) GDPR – Contract: processing paid transactions
• Art. 6(1)(c) GDPR – Legal obligation: compliance with applicable laws
• Art. 6(1)(f) GDPR – Legitimate interests: server logs for security and fraud prevention

Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

Server logs are automatically deleted after a maximum of 7 days. Email addresses are stored until you unsubscribe or request deletion.

We use cookies to operate our website and — with your consent — for analytics and advertising purposes.

• Essential cookies: Required for the technical operation of the site (session management). No consent needed.
• Analytics cookies: Google Analytics for anonymized usage measurement. Requires consent.
• Advertising cookies: Google AdSense for personalized ads. Requires consent.

You can manage or withdraw your cookie preferences at any time via our cookie banner or your browser settings.

This website uses Google AdSense and Google Analytics, services provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

These services are only activated after you have given your explicit consent via our cookie banner. Google may transfer data to servers in the United States. Such transfers are covered by the EU–US Data Privacy Framework and Standard Contractual Clauses.

For more information: policies.google.com/privacy

If you provide your email address during a download and actively check the consent checkbox, we will store your address and use it to send occasional newsletters, product updates, and PDF tips.

• Consent is given by actively ticking a checkbox — no pre-checked opt-in
• Emails are sent via Brevo (formerly Sendinblue), servers located in the EU
• You can unsubscribe at any time via the one-click unsubscribe link in every email
• Your email address will be deleted within 30 days of unsubscribing

For paid features, payments are processed by Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland.

All payment data (credit card, SEPA, PayPal) is processed exclusively by Stripe. We never have access to your full payment details. Stripe is PCI-DSS certified. Learn more at stripe.com/privacy

Some of our service providers may be located outside the European Economic Area (EEA). We ensure appropriate safeguards are in place for all international transfers:

Depending on your location, you have the following rights regarding your personal data:

To exercise any of these rights, contact us at: vicezgfx@gmail.com. We will respond within 30 days as required by law.

EU supervisory authority: Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg (LfDI), www.baden-wuerttemberg.datenschutz.de

If you are a resident of California, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: You may request information about the categories and specific pieces of personal data we have collected about you.
• Right to Delete: You may request deletion of your personal data, subject to certain exceptions.
• Right to Opt-Out: We do not sell your personal data. If this changes, we will provide a 'Do Not Sell or Share My Personal Information' link.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
• Right to Correct: You may request correction of inaccurate personal information.

To exercise your California rights, contact us at: vicezgfx@gmail.com

• Server logs: deleted automatically after 7 days
• Email addresses: retained until you unsubscribe or request deletion, then deleted within 30 days
• PDF files: never stored — processed locally in your browser only
• Payment records: retained for 10 years as required by German tax law (§ 147 AO)

We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, loss, or destruction:

• SSL/TLS encryption for all data transmission (HTTPS)
• Client-side PDF processing — your files are never uploaded to our servers
• Encrypted database connections (Supabase)
• Strict access controls on all personal data
• Regular security reviews and updates

xorapdf.com is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us at vicezgfx@gmail.com and we will delete it promptly.

We reserve the right to update this Privacy Policy to reflect changes in our services or legal requirements. The current version is always available at xorapdf.com/privacy. The date of the last update is shown at the top of this page. Continued use of our service after changes constitutes acceptance of the updated policy.

We aim to respond to all privacy-related requests within 30 days as required by applicable law.