PDF Expert Privacy Notice for App
Last updated: August 5, 2022 (view archived versions)
Key changes to the Privacy
In Readdle, we respect your privacy, so we are informing you about changes in our Privacy Notice.
These updates became effective on 5 August, 2022. Here are some of the notable changes. We:
- made the document better organised and easier for you to read and understand;
- added information about the account;
- changed 5 data subjects’ categories to 2: Free User and Paying User;
- added information about the personal data we process in connection with the subscriptions to PDF Expert Premium;
- changed the scope of personal data we process;
- added the information about our security measures;
- clarified the information about data subjects’ rights as US citizens;
- described how we convert your files now with Convert API.
Please, read the document carefully here. If you have any doubts or questions, you can contact our DPO at dpo@readdle.com.
We are Readdle Limited ("Readdle" or "we"), and we provide you with our application "PDF Expert" ("App" or "PDF Expert") under the Terms of Service.
We understand you care about your privacy, and we appreciate the trust you place in us. To justify that trust, we embed the latest data security standards, improve our awareness of privacy matters, and comply with the General Data Protection Regulation and other privacy laws.
This Privacy Notice describes how your personal data is collected, stored, and used and what happens when you use PDF Expert.
We do not collect, track or store any personal data over what we need to provide and improve our products and services.
For us, you can be:
| Data subject | Description |
|---|---|
| User | any natural person or legal entity who uses the App. |
| Free User | User that uses the App with certain functionality limits on a free basis. |
| Paying User | User that uses the App on a paid basis or via trial of the paid version. |
Table of content
- Purpose and scope of this Privacy Notice
- Who we are
- Personal data in PDF Expert
- Age limitation
- Term of storage
- Data transfer outside the European Economic Area
- Data sharing with third parties
- Security measures
- Data subjects rights
- Do-not-track requests
- Privacy Notice update
Purpose and scope of this Privacy Notice
This Privacy Notice is our (data controller) statement to you (data subject) that describes how we collect, use, retain and disclose personal data.
This Privacy Notice applies to the App, available on the App Store.
You own and control the personal data we collect about you. You can choose not to provide certain information or disable it and prevent us from collecting, storing, and processing it.
Please be aware you will not be able to take advantage of some of the PDF Expert’s features in this case.
Who we are
We are the controller of the personal data for the Users from the moment of the User’s consent to the Terms of Service.
This means we determine the amount, purpose, and means of personal data processing when you use the App.
For details about our role as controller and as processor of personal data, please contact us at dpo@readdle.com. You can also send us a letter.
| Data Controller | Readdle Limited |
| Registration number | 630281 |
| VAT | IE 3560869EH |
| Address | Glandore Business Centre, Grand Canal House, 1 Grand Canal Street Upper, Dublin 4, D04 Y7R5, Ireland. |
| dpo@readdle.com — for privacy questions
rdsupport@readdle.com — for other questions |
Personal data in PDF Expert
We collect your personal data according to this Privacy Notice when you use the App.
| Please note: not every piece of data we receive and store. Even more, mainly the data is stored locally on your device, and we see pseudonymised or even anonymised data. |
Mainly, we process technical data and the data you give to us. Some of it you see in your interface, and some of it is processed on the backend.
| Client-Side is the part of the App displayed or takes place on the users’ devices Backend is an invisible crucial part of our App, where algorithms operate on the variables and data points. |
We can process personal data based on the following legal bases:
- performance of the contract — for processing that is strictly necessary for service provision as written in Terms of Service, technical and customer support;
- legitimate interest — for processing that is reasonable for the user and required for the development of the service;
- consent — for additional processing for specific purposes.
Personal data by source
The data we process is divided into categories by its source:
- data we can get from the Users;
- data assigned to the Users;
- automatically-collected, technical, and received by the third parties data.
| Data we can get from the Users | ||
|---|---|---|
| Data list | Feature | Legal basis |
| All Users: name, email, country, occupation, App functions preferences. Paying Users: payment data. |
App usage | contact, legitimate interest |
| Registration of the account | contract | |
| Subscription or trial | contract | |
| Conversion of the files | contract | |
| Login via third-party services | contract | |
| Support request | legitimate interest | |
| Receiving marketing data | consent | |
| Invoice history | legal obligation | |
| Push notifications | consent | |
| Data assigned to the Users | ||
|---|---|---|
| Data list | Feature | Legal basis |
| All Users: user ID, subscription id, history of payment, history of requests, account data. | App usage | contact, legitimate interest |
| Registration of the account | contract | |
| Login via third-party services | contract | |
| Subscription or trial | contract | |
| Conversion of the files | contract | |
| Support request | legitimate interest | |
| Automatically-collected, technical and received by the third parties data | ||
|---|---|---|
| Data list | Feature | Legal basis |
| All Users: IP address, hardware model, identifier, version, date/time of the first and last login, iOS/Android version, report version, crashed thread, data about your interaction with the App and session ID, deviceUUID, device name, device model, timezone, account data, connected platforms ("App usage data"). Paying Users: subscription data and payment data. |
App usage | contact, legitimate interest |
| Login via third-party services | contract | |
| Subscription or trial | contract | |
| Conversion of the files | contract | |
Personal data by features
We understand that you might wish to know the details about our privacy practices. We grouped our data privacy processes by features. Please click on each feature to read more.
App usage
Here, we described the data you see in our App.
Pay attention to the fact that we collect your device’s name for security purposes.
| Type of data | Type of user | Data description | Legal basis | The reasoning | Term of Storage |
|---|---|---|---|---|---|
| Provided by User | All Users | App usage data | Providing a service | App functioning | Duration of the service provision and 1 year after |
| your App settings | Legitimate interest | Analytics | |||
| Assigned | App usage data | Legitimate interest | Statistics Security |
Registration of the account
| Type of data | Type of user | Data description | Legal basis | The reasoning | Term of Storage |
|---|---|---|---|---|---|
| Provided by User | All Users | Performance of the contract | Creation of the account to allow access to the App functions | Duration of the service provision and 1 year after | |
| Occupation | Legitimate interest | Help us to develop the App | Stored in aggregated form | ||
| Assigned | Aoo functions preferences | Legitimate interest | Stored in aggregated form | ||
| User ID | Performance of the contract | Duration of the service provision and 1 year after |
Subscription or trial
Receipt is an electronic document provided by Apple, Stripe, or other charging platform about your payment. It is stored on your device. We receive only a hash (electronic value) to verify the transaction.
| Type of data | Type of user | Data description | Legal basis | The reasoning | Term of Storage |
|---|---|---|---|---|---|
| Provided | Paying Users | Charging platform name | Performance of the contract | Providing a service | 2 years after the latest date in record |
| Paying Users | Auto Renewal of the subscription status | Performance of the contract | Billing process and invoice storage | ||
| Assigned | Paying Users | Subscription start and expiration dates | Performance of the contract | Provinding a service | |
| Paying Users | Subscription status | Performance of the contract | Providing a service | ||
| Paying Users | Subscription or trial mark | Performance of the contract | Providing a service | ||
| Paying Users | Trial use status | Performance of the contract | Providing a service | 2 years after the latest date in record | |
| Received from 3rd parties | Paying Users | Confirmation of the payment, receipt | Legal obligation | Billing and invoice storage | 6 years after the completion of the transaction |
Conversion of the files
We provide you with the functionality for the conversion of the files into the different formats.
To convert your files, we use Convert API. The Convert API does not read or collect file content, metadata, or other data from the uploaded files.
| Type of data | Type of user | Data description | Legal basis | The reasoning | Term of Storage |
|---|---|---|---|---|---|
| Provided | All Users | Files you convert | Performance of the contract | Providing a service | Up to 7 days |
Login via third-party services
One of the main parts of our services is designed to make your experience with PDF Expert more comfortable and easy. So we provide you with the possibility to link accounts from 3rd-party services (Apple or Google) for integration and synchronisation of data.
| Type of data | Type of user | Data description | Legal basis | The reasoning | Term of Storage |
|---|---|---|---|---|---|
| Provided | All Users | All cloud data and third-party app data | Performance of the contract | Providing a service | Duration of the service provision and 1 year after |
Support request
We may collect your detailed log files to help you with your problem. These log files may contain sensitive personal information and are attached to you.
Pay attention to our practice on the log files:
- iOS or iPadOS – when you address your support request, you can choose whether to add detailed log files or not;
- macOS – when you address your support request, we collect your log files by default.
| Type of data | Type of user | Data description | Legal basis | The reasoning | Term of Storage |
|---|---|---|---|---|---|
| Provided | All Users | Name | legitimate interest | This data is processed by us to provide you with help in case of request. We need your email to communicate with you, although all other data listed here will help us to solve your request more quickly and professional | The duration of the service provision and 1 year after. After this period data is anonymised and stored in an aggregated way for analytical purposes. |
| All Users | Performance of the contract | ||||
| All Users | Type of device | legitimate interest | |||
| All Users | Support message | legitimate interest | |||
| All Users | Attached files | legitimate interest | |||
| All Users | Your choices in the Helpspot | legitimate interest | |||
| Collected | All Users | Detailed log files, containing information | Performance of the contract |
Receiving marketing data
We may send you marketing data only if you agree to receive it.| Type of data | Type of user | Data description | Legal basis | The reasoning | Term of Storage |
|---|---|---|---|---|---|
| Provided | All Users | Name, email | Consent | Marketing | Duration of the service provision and 1 year after or until you withdraw a consent |
Invoice history
To track and issue invoices on time, we process your receipt. We also keep the history of payments, as this is a legal requirement, and we cannot delete this information until the filing of the annual accounts expires.
| Type of data | Type of user | Data description | Legal basis | The reasoning | Term of Storage |
|---|---|---|---|---|---|
| Provided | Paying Users | Data on previously purchased subscription, Receipt | Legal obligation | Compliance with a legal obligation | 6 years after completion of the transaction |
Push notifications
We can send you small notifications to inform you about changes or updates via pushes from the App. You can allow or disable push notifications in the App Settings on your device.
| Type of data | Type of user | Data description | Legal basis | The reasoning | Term of Storage |
|---|---|---|---|---|---|
| Collected | All Users | Push token | Consent | Informing you about the App | Duration of the service provision and 1 year after or until you withdraw a consent |
Age limitation
The services are not directed at individuals under 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such information. If you become aware that a child has provided us with personal data, please contact us.
Term of storage
General
After the above respective periods expire, we anonymise the data and store it for statistical and analytical purposes.
We process your personal data based on your consent during the provision of services, during the term of storage (as defined above) or until you withdraw your consent.
You can exercise your right to request us to delete your personal data. In this case, we will delete your personal data from our servers within 30 days of your request.
However, you can exercise your right to delete your data. In this case, we will delete your data from our servers within 30 days of your request.
| Storage limitation | |
|---|---|
| Data that are processed on the basis of a performance of the contract | Stored for 3 years after completion of services OR 1 year from the last communication |
| Data that are processed on the basis of a legitimate interest | Stored for 1 year after the completion of services/unsubscribe OR 1 year from the last communication |
Backup storage
We store your data in the backups of databases. We regularly back up our databases: at least once a day and store them 1 week.
Data transfer outside the European Economic Area
The personal data we collect is stored on servers in the USA. The data is stored in the USA by default, but we may need to process your personal data in another country. We also share some data with our service providers in Ukraine.
There is no adequate decision by the European Commission regarding neither the US nor Ukraine. This means that the USA and Ukraine are not deemed to provide an adequate level of protection for your personal data. We use adopted Standard Contractual Clauses based on legislation assessments for data protection during transfer and storage.
You can read more detailed measures to protect your personal data here and in our Data Processing Agreement.
However, if a data transfer is required to perform a contract or provide you services, we have the right to do so without your consent.
Data sharing with third parties
We use your personal data on the basis of the performance of the contract to provide services and communicate with the users.
We share your personal data with our contractors in the scope we need to provide services and technical and customer support. Also, we can share your data on the following grounds: consent, compliance with the law, and legitimate interest.
Details
Consent. We share your personal data based on your explicit consent.
Compliance with the law. We will disclose your personal data to third parties to the extent that it is necessary:
- to comply with a government request, court order, or applicable law;
- to prevent unlawful use of our App or violation of the Terms of Service and our policies;
- to protect against claims of third parties;
- to help prevent or investigate fraud.
Legitimate interest or performance of the contract: We share your personal data with third parties based on a public offer for processing on our behalf, subject to technical and organisational measures to protect your personal data. We may transfer your personal data to certain companies, consultants, and contractors, as a part of our core team that is hired to provide certain services on our behalf.
We will ask for your consent unless data transfer is part of the contract performance.
Data received from third parties
Also, we can collect some data from third parties.
We share your data with the service providers who, for example, help us:
- operate, develop, and improve the features and functionality of our Website;
- provide you with their services;
- complete your payment transactions;
- fulfil your support requests;
- convert your files;
- communicate with you as described elsewhere in this Privacy Notice.
The scope of the data collected, the purposes, and the legal basis for the processing is determined by the respective privacy documents of these parties:
| Third parties | Description | Link to privacy documents |
|---|---|---|
| Google Analytics | We use Google Analytics for statistics and analytics. | Safeguarding your data |
| We use Google for log-in purposes | Privacy & Terms | |
| Apple | We use Apple for log-in purposes | Privacy Notice |
| Slack | We use Slack for communication and support. | Privacy Policy |
| Stripe | We use Stripe to make payments for our services. | Privacy Policy |
| Digital Ocean | DigitalOcean backup images. | Privacy Policy |
| Hetzer | This is backup storage for manually managed servers. | Privacy Policy |
| Backblaze B2 | This is backup storage for manually managed servers. | Privacy Policy |
| Wistia | We use Wistia for marketing activities. | Privacy Policy |
| Paddle | We use Paddle to handle our tax obligations. | Privacy Policy |
| Convert API | We use Convert API to convert your files. | Privacy Policy |
| Note: we can get data from third parties, but we won't necessarily get it. It all depends on your settings and the features you use. | ||
Security measures
We regularly perform Data Protection Impact Assessments to ensure that we use an appropriate level of technical and organisational measures to prevent accidental or unlawful destruction, loss, alteration, and unauthorised disclosure of or access to personal data transmitted, stored, or otherwise processed. We follow ISO 27001 Standard to put all security controls in place as a basis.
To be more specific, to protect your personal data, we use HTTPS and encryption, divided group and individual access (where appropriate), an alarm system, corporate VPN, and written approved internal policies (like password policy and physical access policy).
Moreover, we systematically monitor our technologies’ state of the art and never forget about the backups. All our contractors are under contractual obligations compliant with the GDPR requirements.
Here you can find information about the steps we mentioned above:
| Physical measures | |
|---|---|
| Limited access to premises We use logically separate databases to prevent unauthorised persons from accidentally reading data to separate data. Access to the data is also restricted because employees use services (applications) that control access. |
|
| Stress-tests | |
| Organisational measures | |
Policies and instructions
|
Transfer protection
|
Agreements
|
|
| Contractor and staff training | Privacy protection
|
| Regular access and policy review Code review |
|
| Technical measures | |
| Encryption technologies: encryption in transit, backup encryption, state-of-the-art methods of cryptographic keys |
Backup: We ensure the availability of data in several ways. For example, there is a regular backup of the entire system. This can be used if the other availability measures fail. |
| Two-factor authentication | Critical services are operated redundantly in multiple data centres and controlled by a high-availability system. |
| Static Analysis | Quality Assurance |
| Regular Patch Management | Dependency and Supply Chain Vulnerability Check |
Data subjects rights
EU residents
You, as a data subject, have the right to interact with your data directly or through a request to us. This section describes these rights and how you can exercise them:
| The right | Description |
|---|---|
| Right to access | You can request an explanation of the processing of your personal data. |
| Right to rectification | You can change the data if it is inaccurate or incomplete. |
| Right to erasure | You can send us a request to delete your personal data from our systems. We will remove them unless otherwise provided by law. |
| Right to restrict the processing | You may partially or completely prohibit us from processing your personal data. |
| Right to data portability | You can request all the data that you provided to us, as well as request to transfer data to another controller. |
| Right to object | You may object to the processing of your personal data. |
| Right to withdraw consent | You can withdraw your consent at any time. |
| Right to file a complaint | If your request was not satisfied, you can file a complaint to the regulatory body. |
| To exercise your rights, contact us. | |
If your request is not satisfied, you can file a complaint with the regulatory body — The Data Protection Commission (DPC).
U.S. residents
You, as data subjects, have some special privacy rights. To use them, please contact us.
| Note: Depending on the state and legislative requirements, we have from 30 to 60 days to exercise your request with the right to postpone it for 30 days more. |
If your complaint is not satisfied, you can file a complaint with the Federal Trade Commission.
Your rights vary depending on the laws that apply to you, but may include:
| Tight | Description | Area | |
|---|---|---|---|
| Right to access | You can request an explanation of the processing of your personal data. | California, Virginia, Ohio, Colorado, Nevada, Massachusetts | Minnesota, New York, North Carolina, Pennsylvania, Delaware, Utah |
| Right to rectification | You can change the data if it is inaccurate or incomplete. | California, Virginia, Colorado, Nevada, Delaware | Massachusetts, Minnesota, New York, North Carolina |
| Right to deletion | You can send us a request to delete your personal data from our systems. We will remove them unless otherwise provided by law. | California, Virginia, Ohio, Colorado, Massachusetts | Minnesota, New York, North Carolina, Pennsylvania, Utah |
| Right to restriction | You may partially or completely prohibit us from processing your personal data. | California, Massachusetts | New York |
| Right to portability | You can request all the data that you provided to us, as well as request to transfer data to another controller. | California, Virginia, Ohio, Colorado, Massachusetts | Minnesota, New York, North Carolina, Utah |
| Right to Opt-Out | You may prohibit the sharing or selling of your data. | California, Virginia, Ohio, Nevada, Massachusetts, Minnesota | New York, North Carolina, Pennsylvania, Delaware, Colorado, Utah |
| Right Against Automated Decision Making | You have the right not to be subject to a decision based solely on automated means if the decision produces legal effects concerning you or significantly affects you in a similar way. | California, Virginia, Colorado, Massachusetts | Minnesota, New York, North Carolina |
| Right to lodge a complaint | If your request was not satisfied, you can file a complaint to the regulatory body. | by default | |
| Note: Some states do not have their own privacy laws. The rights of residents of such states are governed by U.S. federal law. If your state is not on the list, please contact us. | |||
Do-not-track requests
California residents visiting our websites may request that we do not automatically gather and track information pertaining to their online browsing movements across the Internet.
Such requests are typically made through web browser settings that control signals or other mechanisms that allow consumers to exercise choice regarding collecting personal data about an individual consumer's online activities over time and across third-party websites or online services.
We currently do not have the ability to honour these requests. We may modify this Notice as our abilities change.
Privacy Notice update
This Privacy Notice and the relationships falling under its effect are regulated by the GDPR.
Existing laws and requirements for the processing of personal data are subject to change. In this case, we will publish a new version of the Privacy Notice in the App.
If significant material changes are made that affect your privacy and confidentiality, we will notify you by displaying information in the App and ask for your consent.