1. Who we are
PDFOrca ("we", "our", "us") is a free online toolkit for PDF processing operated from India. This policy explains what data we collect, why we collect it, and how we protect it. We comply with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and align with global standards including the EU's General Data Protection Regulation (GDPR).
2. Files you upload
Processing only: When you use a tool (merge, split, compress, OCR, AI summary, etc.), your file is sent to our servers, processed in temporary memory or a temporary directory, and the result is returned to you. We never use your files for training models, advertising, or any purpose beyond fulfilling your request.
Automatic deletion: A background sweeper deletes processed files and any temporary artifacts within 1 hour. There is no "delete file" button because there is nothing left to delete after that window.
No backups of your files: Uploaded files are never written to our database, never backed up, and never replicated to third parties.
3. Account data (if you sign up)
An account is optional. If you create one, we store:
- Email address (used for login and password reset)
- Hashed password (bcrypt — we never see your real password)
- Optional profile name
- Activity history (which tools you used and when, never the file contents)
Account data is stored in MongoDB Atlas (managed cloud database) with encryption at rest. You can delete your account at any time from your dashboard settings; deletion is permanent and removes all associated activity history.
4. AI tools
Our AI summarization, key points, and title generation features send your document's extracted text to Groq Cloud (an LLM provider) for analysis. Groq does not retain prompts beyond the duration needed to compute a response. The document file itself is never sent to Groq — only the extracted plain text. If our cloud LLM is unavailable, we fall back to a local model running on our servers, which keeps the data entirely within our infrastructure.
5. Cookies and analytics
We use a small number of essential cookies for login session management and language preference. We use privacy-friendly analytics (no personal identifiers, no cross-site tracking) to understand which tools are popular and improve them. We use Google AdSense to display advertisements, which may use cookies to serve ads based on your prior visits. You can opt out of personalized ads at any time via Google's Ad Settings (https://adssettings.google.com). See our Cookie Policy for details.
6. Third parties we work with
- MongoDB Atlas — account database (data stored at rest)
- Groq Cloud — AI text analysis (transient, no retention)
- Cloudflare — CDN, DDoS protection, DNS
- Sentry — error monitoring (no file contents, only stack traces)
- Hetzner Cloud — server hosting
- Razorpay (future) — payment processing for paid plans
- Google AdSense — advertising (may use cookies for ad personalization)
Each of these providers has its own privacy commitments. We choose providers that don't resell data and that offer GDPR-compliant data processing agreements.
7. Children
PDFOrca is not intended for users under 18 in jurisdictions where minors require parental consent. Under India's DPDP Act, processing children's personal data requires verifiable parental consent. If you believe a child has created an account, contact us and we will remove it.
8. Your rights
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate or outdated data
- Delete your account and associated history
- Export your activity data in a machine-readable format
- Withdraw consent for non-essential processing at any time
To exercise any of these rights, email us at privacy@pdforca.com. We respond within 30 days as required under the DPDP Act.
9. Data location and transfers
Our primary servers are located in Europe (Hetzner, Falkenstein/Germany). MongoDB Atlas data is hosted in the region you choose during signup. By using the service, you consent to your data being processed in these locations, which provide adequate protections under the GDPR and the DPDP Act.
10. Security
We use industry-standard security: TLS 1.2+ for all data in transit, bcrypt for passwords, JWT for session management with short expiry, rate limiting against abuse, and a least-privilege server architecture. Despite our best efforts, no online service is 100% secure; we will notify affected users within 72 hours of any confirmed breach.
11. Changes to this policy
If we change this policy materially, we will email registered users and display a banner on the site. Continued use after the change date constitutes acceptance.
12. Contact us
Privacy questions: privacy@pdforca.com
Response time: within 30 days
This policy is offered in English and Hindi. The English version is the canonical legal text; the Hindi translation is provided for convenience.