Shift2PDF

Legal

Privacy Policy

Last updated: March 19, 2026

1. Overview

Shift2PDF ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and what rights you have over it.

By using Shift2PDF, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the service.

2. Data We Collect

We collect the following categories of personal data:

Account data

  • Email address (provided via Clerk authentication)
  • Authentication provider (e.g. Google, GitHub, email/password)
  • Account creation date and last login timestamp

Usage and billing data

  • Conversion job metadata: file type, input size, output size, status, timestamps
  • MB consumed per job and per billing period
  • Subscription plan, billing period start/end, next billing date
  • Top-up purchase history and MB balance
  • On-hold job counts

Technical data

  • IP address (collected by Clerk and Vercel for security and abuse prevention)
  • Browser type and version (via standard HTTP headers)
  • Session tokens (stored as secure, HTTP-only cookies)

We do not collect or store the contents of your files. Input and output files are stored temporarily in isolated AWS S3 buckets and permanently deleted after 2 hours.

3. How We Use Your Data

  • To provide and operate the Shift2PDF service
  • To authenticate your identity and manage your account
  • To process payments and manage your subscription via Polar
  • To track your MB usage and enforce plan limits
  • To send transactional emails (e.g. billing receipts, password resets)
  • To detect and prevent fraud, abuse, and security incidents
  • To comply with legal obligations (e.g. tax records, GDPR requests)
  • To improve the service through aggregated, anonymised analytics

We do not use your data for advertising, profiling, or sale to third parties.

4. File Storage & Retention

  • Input files are stored in AWS S3 with AES-256 encryption and deleted within 2 hours of upload.
  • Output PDFs are stored in AWS S3 with AES-256 encryption and deleted exactly 2 hours after conversion completes.
  • Deletion is enforced by an automated cleanup job that runs every minute.
  • Files under legal hold may be retained longer as required by law.
  • Billing metadata, audit logs, and usage records are retained for 7 years for legal and accounting purposes.

5. Data Sharing & Sub-processors

We share your data only with trusted sub-processors necessary to operate the service:

Sub-processorPurposeLocation
ClerkAuthentication & identity managementUSA (SOC 2 Type II)
PolarPayment processing & subscription managementUSA
AWS S3Encrypted file storage (temporary)USA / EU
VercelApplication hosting & edge networkGlobal
CloudConvertDOCX/PPTX conversion processingEU (Germany)
Neon / SupabasePostgreSQL database hostingUSA / EU

We do not sell, rent, or trade your personal data to any third party.

6. Cookies & Tracking

  • Session cookies: set by Clerk for authentication. These are essential and cannot be disabled.
  • CSRF tokens: used to protect form submissions.
  • Preference cookies: used to remember UI preferences. These are optional.

We do not use advertising cookies, tracking pixels, or third-party analytics that identify individual users.

7. Your Rights (GDPR & CCPA)

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate data.
  • Right to erasure: request deletion of your account and associated data.
  • Right to restriction: request that we limit processing of your data.
  • Right to data portability: receive your data in a machine-readable format.
  • Right to object: object to processing based on legitimate interests.
  • Right to withdraw consent: where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us via our contact page. We will respond within 30 days. EU residents may also lodge a complaint with their local supervisory authority.

8. Security

  • TLS 1.2+ encryption for all data in transit
  • AES-256 server-side encryption for all files at rest
  • Isolated S3 bucket paths per user (non-guessable keys)
  • Signed, time-limited presigned URLs for file access
  • Role-based access control on all internal systems
  • Regular dependency audits and security patching

No system is 100% secure. If you discover a security vulnerability, please disclose it responsibly via our contact page.

9. Children's Privacy

Shift2PDF is not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify you by email or via an in-app notice.

11. Contact

For privacy-related questions or data subject access requests, contact us via our contact page. We aim to respond within 2 business days.