PDF Expert Privacy Notice for App

Archived from 05.08.2022
The updated version of the Privacy Notice for App is available here. Please, visit this page to read the current document.

Last updated: 30 June 2021 (view archived versions)

Key Changes

PDF Expert takes care of your personal data and does everything possible to protect it. This Privacy Notice is written to help you understand what your personal data is collected, stored and used, and what happens to it when you use our App PDF Expert (“App”).

In this Privacy Notice we answer the following questions:

1. Who are we?
2. What is the Privacy Notice covered by?
3. What data do we collect and why?
4. How long do we keep your data?
5. Do we share data with third parties?
6. Do we transfer data outside the European Economic Zone?
7. What rights do I have regarding my data?
8. How do we update Privacy Notice?
9. California privacy rights
10. Do-not-track requests
11. California resident’s data protection rights
12. Education Privacy Notice. North America (FERPA)

1. Who are we?

We are Readdle Limited (PDF Expert), registered at Glandore Business Centre, Grand Canal House, 1 Grand Canal Street Upper, Dublin 4, D04 Y7R5, Ireland. Hereinafter, PDF Expert will be referred to as "we", "us" and "our".

We are the controller of personal data of our users and clients (at the moment of concluding a contract), which means that we determine what, for what purpose and how your personal data will be processed.

We are processors of personal data of our customers where the controller is our Vendor or Partner.

If you have any questions, you can contact us by sending an email to dpo@readdle.com 

You can also send us a letter at the address: Grand Canal House, 1 Grand Canal Street Upper, Dublin 4, D04 Y7R5, Ireland. 

2. What is the Privacy Notice covered by?

This Privacy Notice applies to our desktop application for macOS or our mobile application for iPhone and iPad available on App Store (“App”).

3. What data do we collect and why?

The data we process is divided into two categories: technical information and data that is provided to us by users - data subjects (For your convenience for the purposes of this Notice we divide our user into user, consumer, vendor, partner and customer).

3.1. Definitions:

1. User is a person to whom we provide our App on a free basis. 
2. Сonsumer - our user, individual, to whom we provide our App on a paid basis.
3. Vendor (legal entity)- our user to whom we provide our App on a paid basis.
4. Partner - legal entity or natural person to whom we provide our services on an individual basis.
5. Customer is an employee or other person who has accessed our App through our vendor or partner. Example: Company A bought 15 licences for employees. Controller of data of employees is Company A, while Readdle is processor.

Technical information from the App.

When you use our App following amount of data is collected automatically:

• IP address
• Incident Identifier
• CrashReporter Key
• Hardware Model
• Process
• Path
• Identifier
• Version
• Code Type
• Parent Process
• Date / Time
• iOS/Android Version
• Report Version
• Exception Type
• Exception Codes
• Crashed Thread
• and data about your interaction with the App - session ID.
• AccountsCache
• OneTimeCodes
• deviceUUID
• deviceName
• deviceModel
• locale
• timezone
• account data

Account data
is the same for all data subjects. It includes:

• receiptID - purchase_date_ms value from AppStore receipt data
• transactionID - original_transaction_id value from first subscription inApp in AppStore receipt data
• externalSubscriptionType - type of service that provides subscription/license outside Apple ecosystem (devmate, paddle, stripe)
• externalSubscriptionID - id of external subscription or license code
• receiptData - AppStore receipt data or sub subscription data from external subscription provider
• receiptCache - cached response per receipts for client application
• serviceIdentifier - id provided by service or user email
• userIdentifier - ‘email:[user_email]’
• accountData - data from sign in identity token or signInToken used by client in sign in with email
• eventData - all data from server-to-server notification
• eventType - type of the event received from Apple server or external subscription provider service

Not technical data:

• Data assigned to all data subjects: user ID, licence number, deviceUUID, subscription expiration date, availableDevices, token 
• Data provided by User: name, email, country, occupation*.
  *occupation is information about the profession and/or sphere of interests.
• Data provided by Consumer: name, email, country, occupation, payment data. 
• Data provided by Vendor: representative’s name, email address, position, company data (name, country, company type and size), phone number, company ID, product name.
• Data provided by Partner: name, email, business data / education, company ID, product name.
• Data provided by Customer: We receive next personal data: email, name.
• Data collected by Readdle: history of payment, history of requests, account data.

Pay your attention that during the performance of the contract we are processors to our “Customers” ( see definition at 3.1.)

Once again, briefly about what personal data we collect:

Pay your attention. We knowingly do not process personal data of users under the age of 16 without consent from legal representative(s). If you are such a user, or you are the legal representative of the user, please let us know by email dpo@readdle.com

4. How long do we keep your data?

We store personal data in the following categories:

• client’s data

We store personal data of clients for the duration of the contract and 36 months after completion.

• User

We store personal data of users for the duration of the contract and 12 months after last interaction.

• consumer

We store personal data of customers for the duration of the contract and 36 months after completion.

• vendor

We store personal data of vendors for the duration of the contract and 24 months after completion.

• partner

We store personal data of partners for the duration of the contract and 48 months after completion.

• customer

We store personal data of customers for the duration of the contract and 6 months after completion.

After the expiration of specifies period, we anonymize the data and store it for statistics and analytics purposes.

We process data based on your consent during the performance of the contract/ while your interaction with our service and 24 months after or until you withdraw your consent.

However, you can exercise your right to delete your data. In this case, your data will be deleted from our servers within 30 days of your request.

5. Do we share data with third parties?

We use your personal data to perform a contract and for communication between us and clients, customers and users. We share your personal data with our contractors in order to perform a contract. Also, we transfer your data on the following grounds:

Consent. We transfer your personal data based on your explicit consent.

Compliance with the law. We will disclose your personal data to third parties to the extent that it is necessary:

• to comply with a government request, court order, or applicable law;
• to prevent unlawful use of our website or violation of the Terms of use of our website and our policies;
• to protect against claims of third parties;
• to help prevent or investigate fraud.

Transfer to third parties: We transfer your personal data to third parties on the basis of public offer for processing on our behalf, subject to technical and organizational measures to protect your personal data. We may transfer your data to certain companies, consultants, and contractors hired to provide certain services on our behalf.

We will ask for your consent unless the transfer of data is part of performance of a contract.

6. Do we do data transfer outside the European Economic Area?

The personal data we collect is stored on servers in the US. By default, the data is stored in USA but we may need to process your personal data in another country.

There is not an adequacy decision by the European Commission in respect of the US and this means that the US is not deemed to provide an adequate level of protection for your personal data. We use adopted Standard Contractual Clauses for data protection while transfer and storage.

However, if a data transfer is required to perform a contract or to provide you services, we have the right to do so without your consent.

7. What rights do I have regarding my data?

You, as subjects of personal data, have the following rights:

• The right to access information. You can request an explanation of the processing of your personal data.
• The right to withdraw a consent. You can withdraw your consent at any time.
• The right to portability. You can request all the data that you provided to us, as well as request to transfer data to another controller.
• The right to restrict processing. You may partially or completely prohibit us from processing your personal data.
• The right to file complaints. If your request was not satisfied, you can file a complaint to the regulatory body.
• Right to be forgotten. You can send us a request to delete your personal data from our systems.

To exercise your rights, write us an email at dpo@readdle.com

If your request was not satisfied, you can file a complaint to the regulatory body, the The Data Protection Commission (DPC) by post at 21 Fitzwilliam Square, South, Dublin 2, D02 RD28, Ireland or by means of webforms.

8. How do we update Privacy Notice?

This Privacy Notice and the relationships falling under its effect are regulated by the GDPR. Existing laws and requirements for the processing of personal data are subject to change. In this case, we will publish a new version of the Privacy Notice on our website. If significant material changes are made that affect your privacy and confidentiality, we will notify you by email or display information on the website and ask for your consent if necessary.

9. California privacy rights

We make these disclosures to those visiting our websites who reside in California which supersede and replace any conflicting disclosures found elsewhere on our websites as well as reflect your privacy rights granted by the California Consumer Privacy Act (CCPA).

Opt-out of disclosure for direct marketing purposes. The California laws allow its residents to learn the identities of entities that received their personal data for marketing purposes and the categories of information disclosed. You may request such information by contacting us by e-mail dpo@readdle.com

Please be aware that this opt-out does not prohibit our disclosure of personal data for any purpose other than direct marketing. The data we process and share may include your name, address, email address, and telephone number.

Automatic gathering of information. We collect data that you provide to us online, and through websites of unaffiliated third parties.

Automatic gathering of information by third parties. When you visit our websites, third parties can collect personal data about your online activities over time and across different websites pertaining to your visit to or use of our and other websites.

10. Do-not-track requests.

California residents visiting our websites may request that we do not automatically gather and track information pertaining to their online browsing movements across the Internet. Such requests are typically made through web browser settings that control signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personal data about an individual consumer's online activities over time and across third-party websites or online services. We currently do not have the ability to honor these requests. We may modify this Notice as our abilities change.

11. California residents’ data protection rights.

The CCPA has extended California residents’ data protection rights. However, we have already guaranteed all these rights and described them precisely in this Notice as well as a means of rights exercising. Please refer below to investigate.

Right to be informed. Please find a list of personal data we collect about you and your activity, sources and business purposes of personal data collection, and third parties we may share your personal data with in Section 3 - 6 of the Notice.

Your Right of access, Data portability, and Right to delete are prescribed by Section 7 of the Notice.

You can exercise these rights any time by contacting us via email at 

Notice, the CCPA envisages some specific requirements related to the exercising of these data protection rights. Considering them we may:

• respond to your request within forty-five (45) days of receiving the request;
• provide you with personal data we collected about you no more than twice in a 12-months period (categories and specific pieces of collected personal data, business purpose and sources of collection, categories of third parties personal data is shared with);
• NOT provide you with personal data if we cannot verify your identity. You shall provide us with sufficient information allowing us to verify you as the person about whom we collected personal data. However, we do consider requests made through your Account sufficiently verified.
• NOT transmit your personal data to another entity.

Also, please be aware that we are allowed to maintain personal data after deletion request is received as permitted by the CCPA (for instance, for the purposes of detection of security incidents, repair errors, comply with legal obligations, transaction completion).

We want to draw your special attention that PDF Expert does not sell, rent, or trade your personal data to anyone.

12. Education Privacy Notice. North America - United States and Latin America (all regions excluding Brazil)

Definitions:

Personally-identifiable information (PII) is information that directly, or indirectly through linkages with other information, identifies a student.

For the purposes of this section:

School/University - is Vendor

Students, eligible students and educators are Customers.

General:

An Education account is an account created and managed by a school/university for use by students and educators. When creating this account, the school/university may provide PDF Expert with certain personal information about its students and educators, which includes a user’s name, email address, and password in most cases, but could also include secondary email, phone, and address if the school chooses to provide that information. 

We also collect information based on the use of our services - technical information and account data.

Your rights.

FERPA provides parents or eligible students the right to inspect, review and request changes to be made to education records maintained by the school. Parents or eligible students have the right to prohibit schools from disclosing directory information, in addition to PII which is already prohibited from disclosure.

Parents or eligible students also have the right to be notified annually by the school of their FERPA rights, as well as the right to obtain a copy of the school’s policy regarding educational records.

Also you have right to:

• Exercise right to review records
• Exercise right to correct information
• Refuse disclosure of directory information
• Consent to the disclosure of PII
• File a complaint about FERPA violations

Note: It is the school’s responsibility to understand, train and retrain staff on all of the rights, prohibitions and exceptions outlined by FERPA.