Privacy Policy
Last updated: 12 May 2026
This Privacy Policy explains what personal data ePDF Studio collects, why we collect it, who we share it with, and the rights you have over it. It is written to satisfy Malaysia's Personal Data Protection Act 2010 (PDPA) and the General Data Protection Regulation (GDPR / UK GDPR).
1. Who is responsible for your data
The data controller (GDPR) and data user (PDPA) is ePDF Studio, contactable at hello@epdf.my. The same address functions as our Data Protection Officer mailbox. We do not currently operate from premises in the EU; for GDPR purposes we offer the Service to EU residents on a cross-border basis and have appointed hello@epdf.my as the contact point for EU data-subject rights under Article 27 GDPR where applicable.
2. What data we collect
2.1 Account data
When you create an account we store your email address, a hashed password (we never store passwords in clear text), your display name if you provide one, the date you signed up, your current subscription tier, and an email-verification status. If you sign in via a third-party identity provider, we receive the basic profile the provider shares with us.
2.2 Billing data
Payments are processed by Stripe. We receive a Stripe customer ID, subscription ID, plan, current period end, country of payment, and the last four digits of the card. We do not receive or store full card numbers or CVCs. Stripe is the processor for the card data itself; see Stripe's privacy notice.
2.3 Content data
The core editor renders and modifies PDFs entirely in your browser. Your files are not uploaded to our servers unless you explicitly use a feature that requires it:
- Save to Cloud (Pro) — the PDF and your annotations are uploaded and stored under your account so you can re-open them from another device.
- AI cleanup — the text of a single OCR'd page is sent to a third-party large-language-model provider (Anthropic) for cleanup; the response is returned to your browser. We do not retain the page text on our servers beyond the round-trip.
- Match Style — a small image crop of a selected glyph region is sent to the same third-party AI provider so it can return a font / weight / style guess.
2.4 Usage data
Our servers automatically log request metadata (IP address, user agent, requested URL, response status, timestamp). We use this for security, debugging, abuse detection, and aggregate analytics. We do not use third-party advertising or behavioural tracking pixels.
2.5 Cookies
We use strictly necessary cookies for sign-in sessions and CSRF protection, and an optional preference cookie for the editor theme. We do not set tracking or advertising cookies, and we therefore do not display a cookie-consent banner (consent is not required under the ePrivacy Directive for strictly necessary cookies).
3. Why we use your data (purposes and legal bases)
Under Article 6 GDPR and the seven principles of the PDPA, we process personal data only for specific, declared purposes:
- Provide the Service — necessary for the performance of the contract between you and us (GDPR Art. 6(1)(b); PDPA Principle of Notice and Choice).
- Take payment and prevent fraud — performance of contract and our legitimate interest in being paid (GDPR Art. 6(1)(b), (f); PDPA Principle of Notice).
- Send transactional email (verify your address, reset your password, notify of subscription changes, security alerts) — performance of contract (GDPR Art. 6(1)(b)).
- Send product update email — only with your consent, which you can withdraw at any time via the unsubscribe link or by emailing us (GDPR Art. 6(1)(a)).
- Improve and secure the Service — our legitimate interest in running a safe, working product, balanced against your rights (GDPR Art. 6(1)(f)).
- Meet legal obligations — including tax records, responding to lawful requests from authorities, and protecting our legal rights (GDPR Art. 6(1)(c), (f)).
We do not use your data or Your Content to train any AI model.
4. Who we share data with
We share personal data only with the processors needed to run the Service, under contracts that bind them to act on our instructions and apply appropriate safeguards (GDPR Art. 28; PDPA Security Principle):
- Stripe, Inc. — payments. United States.
- MongoDB Atlas — primary database and file storage for Save to Cloud. Region chosen at our discretion; currently a region within the European Union or Asia-Pacific.
- Anthropic, PBC — AI cleanup and Match Style features. United States. Page text or small image crops are sent only when you trigger the feature.
- Our transactional email provider — sends verification, password-reset, and billing-state emails on our behalf.
- Hosting and CDN — serves the application and static assets.
- Law enforcement and regulators — only where required by valid legal process or to protect rights, life, or safety.
We do not sell or rent personal data to anyone.
5. International transfers
Some of our processors (Stripe, Anthropic) are based outside Malaysia, the EU, and the UK. When personal data is transferred across borders we rely on:
- For transfers from the EU/UK: the European Commission's Standard Contractual Clauses (or the UK's International Data Transfer Agreement / Addendum) under Article 46 GDPR, plus any supplementary measures we identify as necessary in a transfer impact assessment.
- For transfers from Malaysia: the conditions in PDPA s.129, including processor obligations equivalent to those imposed by the PDPA and your consent where applicable.
6. How long we keep your data
- Account data — for the life of your account. After you close your account, we delete or anonymise account data within 30 days, except where retention is required for legal or accounting reasons (typically up to 7 years under Malaysian tax law).
- Files stored via Save to Cloud — until you delete them or close your account, then up to 30 days in backups before final deletion.
- Transactional email logs — up to 12 months.
- Security and request logs — up to 12 months.
- Billing records — up to 7 years to meet tax and accounting obligations in Malaysia and elsewhere.
7. Your rights
Subject to the conditions and exceptions of applicable law, you have the right to:
- Access the personal data we hold about you and receive a copy (PDPA s.30 / GDPR Art. 15).
- Rectify data that is inaccurate or incomplete (PDPA s.34 / GDPR Art. 16).
- Erase your data ("right to be forgotten") where the legal basis for processing no longer applies (GDPR Art. 17; analogous under PDPA).
- Restrict or object to processing that we base on legitimate interest, including direct marketing (GDPR Arts. 18 and 21; PDPA s.42 right to prevent processing).
- Withdraw consent at any time where we rely on consent (PDPA s.38 / GDPR Art. 7(3)). Withdrawal does not affect the lawfulness of processing before withdrawal.
- Data portability for data you provided to us, in a structured, machine-readable format (GDPR Art. 20).
- Lodge a complaint with a supervisory authority. In Malaysia: the Personal Data Protection Department (JPDP). In the EU: the supervisory authority in your country of residence (see edpb.europa.eu). In the UK: the Information Commissioner's Office.
To exercise these rights, email hello@epdf.my. We aim to respond within 21 days (PDPA) and never later than 30 days (GDPR). We may need to verify your identity before acting on a request.
8. Automated decisions
We do not make decisions that produce legal or similarly significant effects about you using fully automated means (GDPR Art. 22). Spam and abuse detection uses automated signals, but a human reviews any resulting account action.
9. Security
We apply industry-standard technical and organisational measures to protect your data: TLS in transit, encryption-at-rest for backups, principle-of-least-privilege access for staff, audit logging, regular dependency updates, and isolated environments for production. No system is perfectly secure; if we ever suffer a personal-data breach that is likely to result in risk to your rights we will notify you and the relevant supervisory authority within 72 hours, in accordance with GDPR Arts. 33 and 34 and the PDPA breach-notification obligation effective from June 2025.
10. Children
ePDF Studio is not directed at children under 16 (or the local minimum age for digital consent, whichever is higher). We do not knowingly collect personal data from children. If you believe a child has provided us data, please contact hello@epdf.my and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when it was last changed. For material changes we will give registered users reasonable notice (typically at least 30 days) by email or in-product before the change takes effect. Continued use of the Service after the effective date constitutes your acceptance of the updated policy.
12. Contact
For privacy questions, data-subject requests, or to exercise any of your rights, email hello@epdf.my.