FeaturesUse CasesPricingDocsGet Started

Privacy Policy

Last updated: February 2026

PDFForge is operated by Zero Loop Labs Ltd, a company registered in England and Wales (Company No. 17035492), with its registered address at 17 Heronsforde, London W13 8JE, United Kingdom.

In this Privacy Policy, “we”, “us”, and “our” refer to Zero Loop Labs Ltd. This policy explains how we collect, use, and protect your personal data when you use the PDFForge platform, including the API and web dashboard.

1. What We Collect

We collect the following categories of data:

  • Account information: your email address and name, provided when you sign up.
  • API usage data: event type (fill, generate), document ID, mode (live or test), and timestamp for each API call.
  • Uploaded content: PDF forms, DOCX templates, and HTML templates you upload to the platform.
  • Generated documents: output files produced by our API on your behalf.
  • Payment information: billing details are collected and processed by Stripe. We store your Stripe customer ID and subscription status but do not store your credit card numbers.
  • Technical data: IP addresses are used transiently for rate limiting (held in memory for up to 60 seconds, not stored persistently). Browser information (user agent) is recorded alongside your dashboard session. API request logs record the HTTP method, endpoint path, response status, and response time, but do not include IP addresses or request body content.

2. How We Use Your Data and Legal Bases

Under the UK GDPR, we must have a lawful basis for processing your personal data. The table below sets out how we use your data and the legal basis for each purpose:

PurposeLegal basis
Providing the service (document processing, storage, downloads)Performance of contract (Art. 6(1)(b))
Authenticating your identity and managing your accountPerformance of contract (Art. 6(1)(b))
Processing payments via StripePerformance of contract (Art. 6(1)(b))
Sending transactional emails (sign-in links)Performance of contract (Art. 6(1)(b))
Tracking API usage for billing and rate limitingLegitimate interest (Art. 6(1)(f))
Improving platform reliability, performance, and securityLegitimate interest (Art. 6(1)(f))
AI-powered PDF-to-Template conversion (data sent to Anthropic)Explicit consent (Art. 6(1)(a)) — triggered only when you use this feature
Complying with legal obligationsLegal obligation (Art. 6(1)(c))

We do not sell your personal data to third parties. We do not use your uploaded templates or generated documents for any purpose other than providing the service to you.

3. Third-Party Services

We use the following third-party services to operate PDFForge:

  • Stripe (US) — payment processing. We send your email address and an internal account identifier. Card details are collected directly by Stripe. Subject to Stripe's Privacy Policy.
  • Resend (US) — email delivery for sign-in links. We send only your email address and the authentication link.
  • Anthropic (US) — AI-powered PDF-to-Template conversion. When you use this feature, the full content of your uploaded PDF (including any embedded images) is sent to the Anthropic API for analysis. This feature is opt-in: document content is only sent when you explicitly call the conversion endpoint. Subject to Anthropic's Privacy Policy.
  • Tigris (US) — S3-compatible object storage for templates and generated documents.
  • Upstash (US) — Redis-based rate limiting and transient caching. IP addresses are held for up to 60 seconds.
  • Fly.io (US company, London UK region) — application hosting. Our servers run in Fly.io's London, UK data centre (lhr).

4. International Data Transfers

Our application servers are located in the United Kingdom (London). However, several of our third-party processors are US-based companies (see Section 3). This means your personal data may be transferred to, and processed in, the United States.

Where personal data is transferred outside the UK, we rely on one or more of the following safeguards under UK GDPR Article 46:

  • UK Extension to the EU-US Data Privacy Framework — for processors certified under the framework (Stripe, Anthropic).
  • Standard Contractual Clauses (SCCs) — as adopted by the UK International Data Transfer Agreement (IDTA) or the EU SCCs with UK addendum, where applicable.

You may request a copy of the relevant transfer safeguards by contacting us at hello@pdfforge.dev.

5. Cookies

We use a single essential cookie:

  • pdfforge_session — a persistent authentication cookie with a 30-day expiry, used to keep you signed in on the web dashboard. It is strictly necessary for the service to function, is set with HttpOnly, Secure, and SameSite=Lax attributes, and does not track you across other websites.

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. Because this cookie is strictly necessary, no consent banner is required under UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

6. Data Retention

We retain your data as follows:

  • Account data: retained for as long as your account is active, and deleted upon request.
  • Templates: retained until you delete them, or until your account is closed.
  • Generated documents: document files are retained according to your plan (7 days on Free, 30 days on Starter, 90 days on Pro, 1 year on Business, unlimited on Enterprise). When a document expires, the file is permanently deleted from storage. Document metadata (filename, file size, timestamps) is retained for billing and audit purposes for the lifetime of your account.
  • API usage records: retained for the lifetime of your account for billing and usage tracking. If your account is deleted, usage records are permanently removed.
  • Dashboard sessions: session records (including browser information) expire after 30 days and are periodically cleaned up.

7. Your Rights

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights:

  • Right of access: request a copy of the personal data we hold about you.
  • Right to rectification: request correction of inaccurate data.
  • Right to erasure: request deletion of your personal data.
  • Right to restrict processing: request that we limit how we use your data.
  • Right to data portability: receive your data in a structured, machine-readable format.
  • Right to object: object to processing based on legitimate interest.
  • Right to withdraw consent: where processing is based on consent (e.g. AI PDF-to-Template conversion), you may withdraw consent at any time by ceasing to use the feature.

To exercise any of these rights, contact us at hello@pdfforge.dev. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection, if you believe your rights have been infringed.

8. Contact

If you have questions about this Privacy Policy or how we handle your data, contact the data controller:

Zero Loop Labs Ltd
17 Heronsforde, London W13 8JE, United Kingdom
Email: hello@pdfforge.dev