Privacy Policy

INTEK CENTER SASU, registered at 369Q Avenue de Verdun, 33700 Mérignac, France (RCS Bordeaux 844 849 174, intra-community VAT FR02844849174), acts as Data Controller within the meaning of Regulation (EU) 2016/679 ("GDPR") and French Law No. 78-17 of 6 January 1978 ("Loi Informatique et Libertés").

Data protection contact: the in-app support form.

While the Company is not legally required to appoint a Data Protection Officer (Article 37 GDPR), the above contact serves as the designated point of contact for all data protection matters and will handle all requests with the same diligence as a formal DPO.

2.1. Service Data

2.2. Account Data (optional)

Account creation is optional. The free owner-password removal service requires no account or email.

2.3. Payment Data

The Company does not store credit card numbers. All payment data is processed exclusively by Stripe in a PCI-DSS compliant environment.

2.4. Technical Data

2.5. Analytics Data (consent required)

Analytics data is collected via Google Analytics 4 (GA4) only after explicit consent via the cookie consent banner.

Automated decision-making and profiling (Art. 22 GDPR): The Service does not engage in any automated decision-making or profiling that produces legal effects or similarly significantly affects you.

We use your data exclusively to:

• Provide, operate and improve the Service (password recovery, PDF unlocking).
• Extract only the encryption hash from uploaded PDFs — we never read, index or store the actual content of your documents.
• Process payments, generate invoices and handle refunds via Stripe.
• Communicate with you (job completion notifications, purchase confirmations, support replies).
• Detect and prevent fraud, abuse and unauthorized access (rate limiting, webhook verification).
• Comply with legal obligations (accounting, tax, law enforcement requests).
• Analyze usage patterns with anonymized data (only with consent).

We never sell, rent or trade your personal data.

Your data may be shared with the following service providers, strictly for the purposes described above:

We only work with sub-processors that provide adequate safeguards under GDPR. Your data is never shared with advertisers, data brokers or any other third party.

Primary data storage is within the European Union (Google Cloud, Belgium, europe-west1). Some sub-processors are based in the United States. These transfers are secured by:

• The EU-U.S. Data Privacy Framework (DPF) adequacy decision by the European Commission (July 10, 2023), to which our U.S. sub-processors adhere and are certified.
• Where DPF does not apply, Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), supplemented by appropriate technical and organizational measures (encryption in transit and at rest, access controls, pseudonymization).

Under GDPR and French law, you have the following rights:

• Access (Art. 15 GDPR): Obtain a copy of all data we hold about you.
• Rectification (Art. 16): Correct inaccurate or incomplete data.
• Erasure (Art. 17): Request deletion (subject to legal retention obligations).
• Restriction (Art. 18): Request limitation of processing.
• Portability (Art. 20): Receive your data in a structured, machine-readable format.
• Objection (Art. 21): Object to processing based on legitimate interest.
• Withdraw consent (Art. 7): Withdraw analytics/marketing consent at any time via "Manage cookies" in the footer.
• Post-mortem directives (French law): Define directives regarding the fate of your data after death.

To exercise your rights, contact the in-app support form. We will respond within 30 days (extendable to 60 days for complex requests, with notification).

You have the right to lodge a complaint with a supervisory authority. In France: Commission Nationale de l'Informatique et des Libertés (CNIL) — cnil.fr.

We implement industry-standard technical and organizational measures:

• All communications encrypted via TLS 1.2+ (HTTPS enforced by Firebase Hosting).
• User passwords hashed — we never store plain-text authentication passwords.
• Database access controlled by strict Firestore security rules (principle of least privilege).
• PDF files stored in Firebase Storage with auto-delete TTL (24 hours).
• Webhook signatures (Stripe) verified cryptographically to prevent tampering.
• Rate limiting on all API endpoints to prevent brute-force and abuse (5 uploads/hour per IP, 3 concurrent jobs max).
• Recovered PDF passwords stored encrypted, auto-deleted after 7 days.
• Regular security reviews and dependency updates.

In the event of a data breach likely to result in a risk to your rights and freedoms, we will notify the CNIL within 72 hours (Art. 33 GDPR) and inform affected users without undue delay (Art. 34 GDPR).

9.1. Strictly Necessary (no consent required)

• Authentication session — Maintains login state (localStorage).
• UI preferences — Theme (light/dark) and language (localStorage keys: pdfunlock-theme, pdfunlock-locale).
• Consent choice — Records your cookie consent decision.

9.2. Analytics (consent required)

• Google Analytics 4 — Cookies: _ga, _ga_*. Duration: up to 14 months. Purpose: understand website usage patterns. Only activated after explicit consent.

9.3. Marketing (consent required)

• Google Ads — Cookies: _gcl_*. Purpose: measure advertising campaign effectiveness via GA4 liaison.
• Microsoft Advertising (Bing UET) — Cookies: _uetmsclkid, _uetvid. Purpose: conversion tracking.

We implement Google Consent Mode v2. All analytics and marketing trackers are blocked by default (analytics_storage: denied, ad_storage: denied, ad_user_data: denied, ad_personalization: denied) and only activated after your explicit, affirmative consent via the cookie banner.

You can modify your choices at any time by clicking "Manage cookies" in the website footer.

Server-side events (purchase, refund) are sent via the GA4 Measurement Protocol from our backend (Stripe webhook) and are not subject to cookie consent, as they do not involve client-side tracking or personal data collection beyond the transaction itself.

The Service is not directed to children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16 without parental consent, we will delete it promptly. If you believe this has occurred, please contact us at the in-app support form.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. Changes will be posted on this page with an updated "Last updated" date.

For material changes affecting your rights, we will notify registered users by email at least 15 days before the changes take effect.