Privacy Policy

1. Information We Collect

When you use TrackPDF, we collect information you provide directly: your email address when creating an account, PDF files you upload, and any settings you configure. We also collect usage data including IP addresses, browser information, and page view analytics for documents you share.

When viewers access a gated document, we collect their email address on behalf of the document owner. This email is provided voluntarily by the viewer before they access the document.

2. How We Use Your Information

We use your information to provide the TrackPDF service: hosting your documents, generating analytics, capturing leads, and sending email notifications. We do not sell your personal information to third parties.

3. Data Storage & Security

Your files and data are stored securely using Supabase infrastructure with encryption at rest and in transit. Documents are stored in private cloud storage buckets that require signed URLs for access. We retain your data as long as your account is active or as needed to provide services.

4. Lead Data & Data Controller Roles

When you enable email gating on a document, we collect email addresses from viewers on your behalf. In this context:

• You (the document owner) are the data controller for leads captured through your documents. You decide what data to collect and how to use it.
• TrackPDF is the data processor, handling data according to your instructions (storing leads, sending notifications).

Viewers are informed that their email is being collected via a privacy notice on the email gate, with a link to this policy.

5. Data Retention

We retain your data according to the following timelines:

• Account data (email, password hash, plan): retained until you delete your account. Deletion is immediate and permanent.
• Uploaded documents: retained while your account is active or until you delete the document.
• Lead data (captured emails): retained until the document owner deletes the lead, the lead requests deletion, or the document expires. Lead data for expired documents is retained for 90 days post-expiry, then automatically deleted.
• Analytics data (page views, time spent, IP addresses): retained for up to 2 years, then automatically purged. Aggregate, non-personally-identifiable analytics are retained indefinitely.
• Deletion request logs: we retain a record (date and hashed identifier) of completed deletion requests for 5 years for compliance purposes. No personal data is stored in these logs.
• Email notification logs: retained for 90 days for troubleshooting, then deleted.

6. Data Processing & Sub-Processors

We use the following third-party services to provide TrackPDF:

• Supabase (database, authentication, file storage) — US — processes account data, documents, analytics, and leads.
• Resend (email delivery) — US — processes email addresses for transactional emails (notifications, magic links, receipts).
• Stripe (payment processing) — US — processes email and payment information for paid subscriptions.
• Railway (hosting) — US — processes all request data as our infrastructure provider.
• Brandfetch (brand data lookup) — EU — processes company domain names to retrieve brand assets (logos, colors).

Each sub-processor is bound by their own privacy policies and data processing agreements. For details, see our Data Processing Agreement.

7. How to Request Deletion

We provide multiple ways to delete your data:

• Account holders: Go to Dashboard → Settings → Delete Account. This immediately and permanently deletes your account, all documents, all leads, all analytics, and cancels any active subscription.
• Document owners: You can delete individual leads from the analytics page for each document.
• Document viewers (leads): Email privacy@trackpdf.co to request deletion of your data. We will process your request within 30 days (GDPR) or 45 days (CCPA).

8. Your Rights Under GDPR (EU/EEA Users)

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

• Right to access: You can request a copy of all personal data we hold about you. Account holders can use the "Export My Data" button in Settings.
• Right to rectification: You can request that we correct any inaccurate personal data.
• Right to erasure: You can request that we delete your personal data. Account holders can self-service this via Settings. We will comply within 30 days.
• Right to data portability: You can request your data in a structured, machine-readable format (JSON or CSV). Use the "Export My Data" feature in Settings.
• Right to restrict processing: You can request that we limit how we use your data.
• Right to object: You can object to processing based on legitimate interests.

To exercise any of these rights, email us at privacy@trackpdf.co. We will respond within 30 days.

9. Your Rights Under CCPA (California Users)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA/CPRA):

• Right to know: You can request details about the personal information we collect, use, and share.
• Right to delete: You can request that we delete your personal information. We will respond within 45 days.
• Right to opt-out of sale: We do not sell your personal information. If this changes, you will be able to opt out.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise any of these rights, email us at privacy@trackpdf.co.

10. Global Privacy Control (GPC)

We honor Global Privacy Control signals. When we detect a GPC signal (Sec-GPC: 1) from your browser, we treat it as a valid opt-out of data sale and sharing under CCPA/CPRA. Since we do not sell or share your personal information with third parties, honoring GPC requires no changes to our processing — your data is already protected.

11. Cookies & Local Storage

TrackPDF uses the following client-side storage:

• localStorage (trackpdf_token, trackpdf_user): Stores your authentication session so you stay logged in. Required for the service to work. Cleared when you log out.
• localStorage (trackpdf_docs): Stores document admin codes for anonymous uploads so you can access your analytics later. You can clear this at any time.
• localStorage (trackpdf_gate_*): Remembers that you already entered your email for a gated document, so you don't have to enter it again. You can clear this at any time.

We do not use third-party tracking cookies. We do not use advertising cookies. We do not use analytics services like Google Analytics.

To opt out: clear your browser's local storage for trackpdf.co, or use your browser's private/incognito mode.

12. Contact

For privacy questions, data requests, or concerns, contact us at privacy@trackpdf.co.

For enterprise data processing agreements, see our DPA page.