Privacy Policy
Effective July 11, 2026
The short version
The free tools process files entirely on your device — your files never reach us at all. The API processes documents transiently to serve your requests and never uses them for anything else. We don't run ad trackers, we don't sell data, and we collect the minimum needed to operate accounts and billing.
1. Free tools: nothing collected
Merge, split, sign, compress, and the other free tools run in your browser. Files are opened locally, processed locally, and downloaded locally — no upload exists in the code path. We store two things in your browser's own storage (never sent to us): your theme choice and your recently used tools. Both vanish if you clear browser data.
2. API accounts: what we collect
Account data: email address, organization name and membership, and — if you sign in with Google — the verified email Google asserts. Authentication is handled by Amazon Cognito; we never see or store passwords.
Billing: handled by Stripe. We store your plan and subscription status; Stripe holds your card details — we never receive them.
Usage records: which tool was called, when, by which token, and credits consumed — the data behind your Usage page and your bill.
Audit log:administrative actions in your organization (invites, role changes), visible to your organization's admins.
3. API documents: transient processing
When you call the API with a file URL, we fetch and process the document on AWS infrastructure (US East) solely to produce your result. Intermediate files are deleted when the job completes; results are stored in organization-scoped storage so you can download them, and automatically expire on a lifecycle schedule. Your documents are never used to train models, never shared, and never read by humans except with your explicit consent for support.
4. Emails
We send transactional email only: invitations you trigger, join-request notifications, quota warnings, and payment-failure notices. Everything except mandatory billing notices can be switched off in Settings → Notifications. No marketing email, no newsletters, ever — unless you separately opt in to something that doesn't exist yet.
5. Cookies and analytics
We set no advertising or cross-site tracking cookies. Sign-in uses your browser's local storage for session tokens on our own domain. Our hosting providers (Vercel, AWS) produce standard server logs (IP, user agent, request path) used for security and debugging, retained briefly.
6. Processors we rely on
Amazon Web Services (hosting, authentication, storage, email), Vercel (web hosting), Stripe (payments), Google (optional sign-in), and LLM providers that perform OCR on document images you submit to the OCR API. Each receives only what its function requires.
7. Your rights
You can export your usage data from the dashboard, correct account details, and delete your account (and organization, if you're its Owner) from Settings — deletion removes your data from live systems promptly and from backups on their rotation schedule. For anything else: hello@paavanai.com.
8. Changes
Material changes to this policy will be announced to account holders by email before they take effect.