Privacy Policy
Last updated: April 17, 2026
Summary
We collect the minimum needed to run the Service: your email address, the templates you save, the PDFs you render, and basic usage metrics. We do not sell your data. We do not use your templates or PDFs to train machine-learning models.
1. Data we collect
- Account data — email address, authentication provider (Google / email), plan tier.
- Template data — the visual template tree, component props, and variable bindings you save.
- Usage data — API request counts, response status, duration, and payload size. Never the payload contents themselves.
- Billing data — processed by Polar. We store only the Polar customer ID and subscription status; payment instruments never touch our servers.
- Product analytics — pseudonymous PostHog events to understand which features are used (e.g., “exported a template”). No PII in event names.
- Error reports — Sentry captures crash traces: stack traces and source maps, not user content.
2. How we use it
To provide, maintain, and improve the Service, to process subscriptions, to send transactional emails (confirmation, password reset, usage alerts), and to diagnose and fix bugs.
3. Subprocessors
- Supabase — auth and Postgres database.
- Vercel — application hosting and serverless compute.
- Polar — subscription billing and customer portal.
- Sentry — error monitoring.
- PostHog — product analytics (self-hosted or EU region).
- Upstash — Redis rate limiting for API calls.
4. Retention
Templates are retained as long as your account is active. Usage logs are retained for 90 days. Error reports are retained for 30 days. Deleting your account removes your templates, API keys, and associated usage logs permanently within 30 days.
5. Your rights
You can access, correct, export, or delete your data at any time from Settings, or by emailing support@pdfxbuilder.com. EU / UK / California residents have additional rights under GDPR, UK GDPR, and CCPA respectively, including the right to object to processing and to lodge a complaint with a supervisory authority.
6. Cookies
We use cookies required for login (Supabase session) and preferences (dark mode, dismissed notices). We do not use third-party advertising cookies.
7. Security
Your templates live in a Postgres database behind Supabase Row-Level Security, so no user can read another user's data. API keys are stored as SHA-256 hashes; the raw key is shown to you exactly once, at creation. All traffic uses TLS.
8. Changes
We will post updates to this page and email registered users about material changes at least 14 days before they take effect.
9. Contact
Privacy questions, data access requests, or complaints: support@pdfxbuilder.com.