Data Processing Agreement
Last updated: April 7, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between TrackPDF ("Processor", "we", "us") and the customer using TrackPDF ("Controller", "you") for the processing of personal data in connection with the TrackPDF service.
1. Parties & Roles
- Controller: The customer who uploads documents and configures email gating, analytics, and lead capture settings. The Controller determines the purposes and means of processing personal data.
- Processor: TrackPDF (operated by BitDoc). We process personal data only on the Controller's behalf and according to the Controller's instructions.
2. Scope of Processing
TrackPDF processes personal data for the following purposes:
- Document hosting and delivery
- Email-based lead capture (when enabled by the Controller)
- Document view analytics and engagement tracking
- Email notifications to the Controller about document activity
- Account management and authentication
3. Categories of Data
| Category | Data Subjects | Data Elements |
|---|---|---|
| Account data | Controller (users) | Email address, password hash, plan tier |
| Lead data | Document viewers | Email address, name (if provided) |
| Analytics data | Document viewers | IP address, page views, time spent, browser/device info |
| Payment data | Controller (users) | Payment method (processed by Stripe, not stored by TrackPDF) |
4. Sub-Processors
We use the following sub-processors. The Controller authorizes the use of these sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | United States |
| Stripe | Payment processing | United States |
| Resend | Transactional email delivery | United States |
| Railway | Application hosting | United States |
| Brandfetch | Brand data lookup (logos, colors) | European Union |
We will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.
5. Security Measures
We implement appropriate technical and organizational measures to protect personal data:
- Encryption at rest: All data stored in Supabase is encrypted at rest using AES-256.
- Encryption in transit: All data transmitted between users, our servers, and sub-processors is encrypted via TLS 1.2+.
- Access controls: Database access requires service role keys. Row-level security (RLS) policies enforce data isolation between users.
- Authentication: User authentication via Supabase Auth with bcrypt password hashing and JWT tokens.
- CSRF protection: Origin-based CSRF validation on all state-changing requests.
- Rate limiting: Per-IP rate limiting on all API endpoints to prevent abuse.
- Security headers: HSTS, X-Frame-Options, CSP, and other security headers on all responses.
6. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach (per GDPR Article 33).
- Provide the Controller with sufficient information to meet their own breach reporting obligations.
- Take immediate steps to contain and remediate the breach.
- Document the breach, including its effects and the remedial actions taken.
7. Data Deletion & Return
Upon termination of the service or at the Controller's request:
- The Controller can export all their data at any time via the "Export My Data" feature (JSON format, GDPR Article 20 compliant).
- The Controller can delete their account and all associated data immediately via the account deletion feature.
- Upon account deletion, we permanently delete all personal data, documents, leads, and analytics. No recovery is possible.
- Sub-processors are instructed to delete personal data in accordance with their own data retention policies.
8. Audit Rights
The Controller has the right to audit our compliance with this DPA. We will:
- Make available all information necessary to demonstrate compliance.
- Allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.
- Audits may be conducted with reasonable notice during normal business hours, no more than once per year.
9. International Data Transfers
All primary sub-processors are based in the United States. For transfers of personal data from the EU/EEA to the US, we rely on:
- The EU-US Data Privacy Framework (where applicable).
- Standard Contractual Clauses (SCCs) as adopted by the European Commission.
Brandfetch, our brand data lookup sub-processor, is based in the European Union and does not require additional transfer mechanisms for EU data.
10. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. The Processor shall be liable for damage caused by processing only where it has not complied with obligations specifically directed to processors under GDPR, or where it has acted outside of or contrary to the Controller's lawful instructions.
11. Contact
For questions about this DPA or to request a signed copy, contact us at privacy@trackpdf.co.