Privacy Policy

Last updated: May 5, 2026

1. Introduction

pdfkitt (“we”, “our”, “us”) operates the HTML-to-PDF API service at pdfkitt.dev. This Privacy Policy explains what information we collect when you use our service, how we use it, and your rights regarding that information. By using pdfkitt, you agree to the practices described here.

2. Information We Collect

Account information. When you register, we collect your email address through our authentication provider (Clerk). We do not collect your name unless you provide it voluntarily.

API keys. API keys are generated for your account and stored only as bcrypt hashes. We cannot recover a lost key — if you lose it, you must revoke it and generate a new one. The key prefix (pdfk_live_) is stored in plain text solely to allow you to identify keys in your dashboard.

Request logs. For each API call we record: timestamp, API endpoint, HTTP response code, latency in milliseconds, response size in bytes, and your IP address. We do not log the HTML content you submit for conversion.

Payment information. Billing is handled entirely by Stripe. We do not receive or store credit card numbers, bank account details, or other payment credentials. We receive only the Stripe customer ID and your subscription tier.

Usage data. We collect aggregate counts of conversions performed per account per billing period to enforce plan quotas.

3. Your HTML Content

HTML submitted to the POST /v1/convert endpoint is processed entirely in memory. It is never written to persistent storage, never logged, and never retained after the PDF response is returned. We have zero data retention for document content by design.

4. How We Use Your Information

  • To authenticate your API requests and enforce rate and quota limits.
  • To display your usage statistics and request history in the dashboard.
  • To process payments and manage your subscription.
  • To send transactional emails (billing receipts, quota warnings, API key notifications). We do not send marketing email without your consent.
  • To diagnose errors and improve service reliability using aggregated, non-identified metrics.

5. Data Retention

  • Request logs are retained for 90 days, then automatically deleted.
  • Account data (email, API key hashes) is retained until you delete your account.
  • Billing records are retained for as long as required by applicable tax law (typically 7 years).
  • HTML content is never retained — see Section 3.

6. Data Sharing

We do not sell, rent, or trade your personal information. We share data only with the following infrastructure providers, and only to the extent necessary to operate the service:

  • Stripe — payment processing and subscription management.
  • Clerk — user authentication and session management.
  • Railway — API server hosting and Postgres database.
  • Vercel — web application hosting.
  • Cloudflare — DNS, CDN, and DDoS protection.

We may disclose information if required by law or to protect the rights and safety of our users or the public.

7. Cookies and Tracking

We use session cookies set by Clerk to maintain your authenticated state on the dashboard. We do not use advertising cookies, third-party tracking pixels, or analytics that identify individual users. If you use the API without signing in to the web dashboard, no cookies are set.

8. GDPR (European Users)

If you are located in the European Economic Area, you have the right to access, correct, or delete the personal data we hold about you, to restrict or object to processing, and to data portability. The legal basis for processing is contract performance (to provide the API service) and our legitimate interest in operating a reliable service.

To exercise any of these rights, email support@pdfkitt.dev. We will respond within 30 days.

9. CCPA (California Users)

California residents have the right to know what personal information we collect, to request deletion, and to opt out of sale. We do not sell personal information. To submit a request, contact support@pdfkitt.dev.

10. Children

pdfkitt is a developer-focused API service not intended for use by persons under the age of 16. We do not knowingly collect data from minors.

11. Changes to This Policy

We may update this policy as the service evolves. Material changes will be communicated via email to registered users at least 14 days before they take effect. The “Last updated” date at the top of this page always reflects the current version.

12. Contact

Questions about this policy or data requests: support@pdfkitt.dev