Privacy Policy

convertfiles.online ("we", "us", "the Service") operates this file-conversion web service. We are the data controller under the EU General Data Protection Regulation (GDPR) and equivalent laws. We operate from Georgia (the country in the Caucasus region).

For any privacy-related question or request, contact privacy@convertfiles.online.

We collect only what is needed to run the converter:

• Uploaded files. The file you submit and the converted output, while the conversion is in progress and during the retention window described below.
• Account data (optional). If you sign in with Google, we store your email address, your Google account identifier, and your display name. We do not request access to contacts, calendar, drive, or any other Google scope.
• Usage data. Per-request log entries: timestamp, source and target format, file size, processing time, anonymised IP (last octet stripped), and a rough country derived from IP — so we can detect abuse, enforce daily limits, and debug failures.
• Cookies. A short-lived session cookie when you sign in, and a daily-limit cookie for unsigned guests. No advertising or cross-site tracking cookies.

We do not collect health data, payment-card numbers (handled by our payment processor), biometric data, or special categories of personal data within the meaning of GDPR Article 9.

The 1-hour file-retention window applies to every plan, paid or free, and is enforced by an automated cleanup job that runs continuously.

• To run the conversion. Performing the contract you enter into when you submit a file (GDPR Article 6(1)(b)).
• To enforce daily limits and prevent abuse. Our legitimate interest in keeping the service free and online (Article 6(1)(f)).
• To maintain accounts. Performing the contract with signed-in users (Article 6(1)(b)).
• Legal compliance. Where we must retain certain records (Article 6(1)(c)).

We use a small number of trusted infrastructure providers ("sub-processors") to run the service. None of them receive your uploaded files for any purpose other than executing the conversion you requested:

• Cloud hosting. Provides the servers that run the converter and temporary file storage.
• Google (Sign-in). If you choose to sign in with Google, Google receives the standard OAuth handshake data — see Google's privacy policy for details.
• Paddle (payment & merchant of record). When you subscribe to Pro, Paddle (Paddle.com Market Limited and affiliates) acts as the merchant of record. They process your payment, store your card details under PCI-DSS, and handle VAT/sales-tax compliance. We receive only a transaction reference, billing email, and country (for tax calculation). See Paddle's privacy notice at paddle.com/legal/privacy.
• Error monitoring. Aggregated, scrubbed crash reports to detect and fix bugs.

We never sell personal data. We do not allow sub-processors to use your data for their own purposes.

We do not train, fine-tune, or evaluate machine-learning models on your uploaded files or converted outputs. We do not provide your files to third parties for that purpose either. The conversion pipeline uses deterministic open-source engines, not large-scale learned models.

Our servers are located in the United States and the European Union. Where personal data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses approved by the European Commission, and on additional safeguards where required.

Under GDPR and similar laws (including the UK GDPR and California Consumer Privacy Act), you have the right to:

• access the personal data we hold about you;
• correct it if it is inaccurate;
• delete it ("right to be forgotten");
• export it in a portable, machine-readable format;
• object to or restrict certain processing based on legitimate interests;
• withdraw consent at any time, where processing is based on consent;
• lodge a complaint with a supervisory authority in your jurisdiction.

Signed-in users can delete their account and all associated data with one click from the account page. Guests can email privacy@convertfiles.online; because we do not link guest conversions to identifiable individuals, we may ask you to provide enough information for us to find the relevant log entries.

We respond to verifiable requests within 30 days (GDPR) or 45 days (CCPA/CPRA, extendable once by another 45 days with notice).

If you reside in California, the California Consumer Privacy Act as amended by the CPRA gives you specific rights in addition to those listed above. This section sets out how those rights apply to convertfiles.online.

Categories of personal information we collect. In the last 12 months we have collected the following CCPA categories: identifiers (such as account email and Google account ID for signed-in users), internet or other electronic network activity (per-request logs of timestamp, format, file size, processing time), and coarse geolocation derived from your IP address (country-level, for abuse prevention and tax). We do not collect Social Security numbers, driver's licence numbers, precise geolocation, biometric information, or government identifiers.

Sale or sharing. We do not sell or share personal information within the meaning of the CCPA/CPRA, including for cross-context behavioural advertising. We have not done so in the last 12 months.

Your rights. California residents have the right to:

• know what personal information we collect and how we use it;
• request access to a copy of that information;
• request deletion;
• request correction of inaccurate information;
• limit the use and disclosure of sensitive personal information (we do not use sensitive PI for purposes that would trigger this right, but the option is available);
• opt out of any sale or sharing (not applicable, see above);
• non-discrimination for exercising these rights.

How to make a request. Email privacy@convertfiles.online. For signed-in users, confirming the request from the email address on the account is normally enough verification. For guests, because we do not link conversions to identifiable individuals by default, we may ask for enough detail (such as IP range, approximate timestamps, or the converted file types) to locate the relevant log entries. We accept requests from authorised agents who provide written authorisation signed by you.

Response time. We confirm receipt within 10 business days and respond substantively within 45 days, extendable once by another 45 days where reasonably necessary, with prior notice.

Files are transmitted over TLS. Conversions run in isolated worker processes. Stored files are accessible only by the worker processes for the duration of the retention window and are deleted by an automated job. We follow industry-standard practice for access controls, secrets management, and incident response.

No internet service can guarantee perfect security. If we become aware of a personal-data breach that is likely to result in a risk to your rights, we will notify the relevant authority and, where required, you, within the timelines set by GDPR Article 33–34.

The Service is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has signed up, contact us and we will delete the account.

When we make material changes to this Privacy Policy, we will update the "Effective" date at the top and, where the change is significant, notify signed-in users by email. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

Questions, requests, or complaints — write to privacy@convertfiles.online.