PDFWhirlPDFWhirl

Privacy Policy

Last updated: April 5, 2026 · Effective date: April 5, 2026

This Privacy Policy describes how PDFWhirl ("PDFWhirl", "we", "us", or "our") collects, processes, stores, shares, and protects the personal data of visitors and users ("you", "user") who access pdfwhirl.com or interact with any of the PDF processing tools, content pages, email addresses, or supporting services offered under the PDFWhirl brand. We ask that you read this document carefully so you understand the role each party plays, the rights the law grants you, and the practical steps we take to keep uploaded documents and browsing information safe, minimal, and short-lived.

PDFWhirl is designed around the principle of purpose-limited processing. Every tool exists to perform a single user-initiated task — merging, compressing, converting, splitting, rotating — after which the files involved are removed from the processing environment on a deterministic schedule. We do not sell personal data, we do not run advertising profiles built from uploaded document contents, and we do not require an account to use any public tool.

1. Who is the data controller

The data controller — the entity that determines the purposes and means of processing personal data collected through pdfwhirl.com — is PDFWhirl. References in this policy to "we," "our," or "us" refer to PDFWhirl. For any question that relates to this Privacy Policy, to how your data is handled, or to the rights described in the later sections of this document, you can contact us directly at privacy@pdfwhirl.com. Where a specific law requires designated contact points — for example a Data Protection Officer under the GDPR, or a privacy representative under the LGPD — the privacy mailbox above functions as the primary intake channel, and requests are routed internally to the appropriate responsible party.

PDFWhirl operates a single consumer-facing property, pdfwhirl.com, alongside closely related subdomains used for infrastructure purposes (for example, a content delivery subdomain, a file-processing subdomain, and a transactional email subdomain). This policy applies uniformly to all of those endpoints. We do not operate separate shadow brands, white-label variants, or affiliate portals.

2. Scope of this policy

This Privacy Policy applies to:

  • all interactions with pdfwhirl.com and any subdomain we operate under the same brand,
  • all free PDF tools we provide, including merge, compress, split, convert, rotate, and any similar tool we add in the future,
  • content pages such as guides, FAQ entries, press material, and the blog,
  • any email, support ticket, contact-form submission, or similar communication initiated with the email addresses listed on the site, and
  • any future paid or authenticated product released under the PDFWhirl brand, unless that product is published with its own supplementary privacy notice.

This policy does not apply to third-party sites linked from PDFWhirl. When you follow an outbound link — for instance, to a social network, a reference article, an open-source repository, or a partner resource — the privacy policy of that destination governs your interaction there. We encourage you to read the privacy documentation of any service you engage with through a PDFWhirl link.

3. Categories of personal data we process

Because most PDFWhirl tools are anonymous and do not require an account, the amount of personal data involved is deliberately small. Below we describe every category of data that may be processed during your use of the service, separated by the situation in which it is collected.

3.1 Technical data collected automatically

When you load any page on pdfwhirl.com, our servers, content delivery network, and browser-side scripts may process:

  • the IP address assigned to your device by your internet service provider,
  • user-agent information including browser name, browser version, operating system, device family, screen size, and locale,
  • referrer URL (the page that brought you to our site), entry page, and exit page,
  • basic request metadata (timestamps, HTTP method, requested path, response status code, response size, approximate geographic region derived from the IP address),
  • network properties needed to deliver content efficiently such as ASN and edge location,
  • performance measurements like page load time, time to first byte, largest contentful paint, and cumulative layout shift, and
  • error and crash telemetry when a script on the page fails.

3.2 Files you upload for processing

When you use a PDF tool, the document(s) you choose are transmitted to our processing environment so the requested operation can execute. Depending on the tool, this can include the binary content of PDF files, image files such as JPG or PNG, Microsoft Word documents, or auxiliary files needed for a specific workflow. The tool reads these files in memory, performs the requested transformation, writes the result to a temporary output location, and exposes a download link to your browser. We treat the contents of these files as confidential; we do not mine them, index their text, or repurpose them for any business objective beyond delivering the tool output you requested.

3.3 Information you provide voluntarily

If you send a message to one of our email addresses (support@pdfwhirl.com, privacy@pdfwhirl.com, or security@pdfwhirl.com), complete a contact form, or respond to a survey, we receive the content of your message. This typically includes your email address, a subject line, the body of your message, and any attachments you choose to send. We also retain metadata generated by the email provider (routing headers, spam and authentication signals, delivery timestamps).

3.4 Cookies and device identifiers

PDFWhirl stores a small number of cookies and similar tokens in your browser. Categories include strictly necessary cookies (for example, a CSRF defense token), preference cookies (such as a remember-the-banner flag for the cookie notice), measurement cookies used by privacy-respecting analytics, and — where you have given consent — advertising cookies associated with partners such as Google AdSense. A complete inventory, including provider names and retention periods, is maintained in the separate Cookie Policy.

3.5 Data we do NOT collect

PDFWhirl does not require you to create an account, so we do not hold usernames, passwords, social profiles, or billing addresses for the free tools. We do not ask for government identifiers, biometric data, health information, or religious/political beliefs, and we do not attempt to derive any of those attributes from the documents you upload. We do not run commercial background checks, credit checks, or identity-verification processes on visitors to the site.

4. Purposes of processing

We process the categories above only for the following purposes. If you are ever in doubt about whether a specific use case fits within one of these purposes, please ask us — we are happy to clarify.

  1. Service delivery. Running the PDF tool you have selected, returning the resulting file, and cleaning up temporary storage.
  2. Security and abuse prevention. Protecting the service from denial-of-service attempts, scraping, automated abuse, credential stuffing against future account features, malware uploads, fraud, and other misuse.
  3. Reliability and performance. Detecting errors, diagnosing outages, tuning server capacity, and improving page speed for visitors across different regions and devices.
  4. Product improvement. Understanding, in aggregate, which tools are popular, which steps cause confusion, and which content pages resolve user questions effectively.
  5. Support and communication. Responding to questions, privacy requests, security reports, and feature suggestions that you send us.
  6. Legal compliance. Meeting our obligations under applicable laws including tax, accounting, consumer protection, and anti-fraud requirements.
  7. Advertising. Displaying advertisements, including through partners such as Google AdSense, on certain pages where an advertising slot exists, subject to your cookie consent.

For users in the European Economic Area, the United Kingdom, and Switzerland, we rely on the following legal bases under the General Data Protection Regulation (GDPR) and equivalent local regimes:

  • Contract (Article 6(1)(b)). Processing that is necessary to perform the PDF operation you initiated; the act of dragging a file into a tool and clicking the action button constitutes your request for us to perform a defined service.
  • Legitimate interests (Article 6(1)(f)). Keeping the service secure, preventing abuse, diagnosing errors, running privacy-respecting analytics, and defending our legal rights. We document and periodically review a legitimate-interests assessment for each such use so we can demonstrate that our interest does not override your rights and freedoms.
  • Consent (Article 6(1)(a)). Setting advertising and non-essential analytics cookies, and any other processing where applicable law requires opt-in consent. Consent can be withdrawn at any time via the cookie preference control on the site or by emailing the privacy mailbox.
  • Legal obligation (Article 6(1)(c)). Responding to lawful requests from regulators or courts, complying with retention rules, and satisfying consumer-protection mandates.

6. How uploaded files are handled

The handling of uploaded documents is the most privacy-sensitive part of the service, and we take particular care with this flow. The pipeline works as follows:

  1. Your browser establishes a TLS connection with our servers and streams the file into the processing environment.
  2. The file is written to a short-lived storage area scoped to your session, where it is readable only by the worker dedicated to your request.
  3. The worker performs the requested transformation — for example, merging two PDFs into one, compressing a document, or extracting images.
  4. The resulting file is written to an output slot and a download link is returned to your browser.
  5. Both the input and the output are scheduled for deletion. In ordinary operation, deletion happens within two hours at the latest, and often significantly sooner.

The processing environment does not enable persistent full-text indexing, AI training, advertising personalisation, or any other secondary use of the file content. We do not permit our staff to open uploaded files except in narrowly-scoped debugging scenarios where a user has explicitly asked us to investigate an issue with their own document and has re-uploaded it through a support channel. Even in that case, the file is deleted after the investigation.

7. Data retention periods

We apply the following retention schedule:

  • Uploaded files and processed outputs: automatically deleted within two hours of processing completion, subject to earlier deletion when storage pressure demands it.
  • Server access logs: retained for up to 30 days, after which records are either deleted or anonymised. Shorter-lived copies used for real-time incident detection may exist in monitoring systems with their own retention of a few days.
  • Security incident logs: extended retention of up to 12 months for events flagged during an investigation, or longer where required by law.
  • Support correspondence: retained for up to 24 months after the last message in the thread, so we can reference prior context if you contact us again about a related issue.
  • Cookie-based preferences: retained for the duration stated in the Cookie Policy for each cookie.
  • Aggregated analytics: retained indefinitely in aggregate, non-identifying form.

8. Who we share data with

PDFWhirl does not sell personal data. We share data with third parties only in the limited circumstances listed below, and only to the extent necessary:

  • Infrastructure providers. Hosting, storage, content delivery, DDoS protection, database operations, and email delivery are handled by specialised vendors that act as processors on our behalf and are contractually bound to appropriate data-protection obligations.
  • Analytics providers. Privacy-respecting analytics tooling that counts page views, device classes, and tool-usage events in aggregate.
  • Advertising networks. Where advertising slots appear on a page, partners such as Google AdSense may receive the cookies and identifiers required to serve the ad, subject to your cookie consent.
  • Professional advisers. Lawyers, accountants, auditors, and similar advisers when a specific matter requires them.
  • Authorities. Law enforcement, regulators, or courts, when we receive a valid legal demand or when we believe in good faith that disclosure is needed to protect the safety of users or the integrity of the service.
  • Corporate transactions. If PDFWhirl is involved in a merger, acquisition, reorganisation, financing, or asset sale, personal data may be transferred to the acquirer, subject to this policy or a substantially equivalent successor document.

9. International data transfers

PDFWhirl operates a globally-distributed architecture. Content delivery edges are located on multiple continents, and processing workers may run in regions chosen to minimise network latency for the requesting user. As a result, personal data may be transferred to or processed in countries outside your own, including countries whose laws do not provide the same level of protection as your home jurisdiction.

Where transfers from the European Economic Area, the United Kingdom, or Switzerland are involved, we rely on one or more of the following mechanisms: (a) transfer to a country for which the European Commission or the UK government has issued an adequacy decision, (b) the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, or (c) binding corporate rules and similar instruments offered by our vendors. Where appropriate we also apply supplementary technical and organisational measures such as encryption in transit and at rest, strict access controls, and ephemeral processing.

10. Security safeguards

We maintain an information-security programme proportionate to the risk of the data we process. Highlights include:

  • TLS 1.2 or newer for all browser-server connections, with modern cipher suites and HSTS enforcement,
  • encryption at rest for temporary file storage,
  • least-privilege access controls on the processing infrastructure, with multi-factor authentication required for administrative access,
  • automated patching of operating-system and library dependencies,
  • network segmentation between edge, application, and data layers,
  • continuous logging and alerting for unusual access patterns,
  • vulnerability disclosure channel available at security@pdfwhirl.com, and
  • periodic internal reviews of access logs, retention behaviour, and backup operations.

A more detailed description of security practices is available on the Security page. No system connected to the internet can be guaranteed secure, but we design PDFWhirl so that even in the event of an incident, the exposure window for any individual document is minimised by the short retention policy.

11. Cookies and similar technologies

PDFWhirl uses cookies and similar technologies such as localStorage and sessionStorage. Categories include strictly-necessary, preference, analytics, and advertising cookies. Non-essential categories are loaded only after you give consent through the cookie banner displayed on your first visit. You can withdraw or change that consent at any time from the cookie preference control. See the full inventory in the Cookie Policy.

12. Advertising

Advertising displayed on PDFWhirl is served primarily by Google AdSense (publisher ID ca-pub-1004794055866437). Google may use cookies, device identifiers, and interest signals to show ads that are more relevant to you, subject to your consent and your Google ad settings. You can manage personalised advertising via the Google Ad Settings page, and you can opt out of many ad networks through the Digital Advertising Alliance and the Your Online Choices platform for Europe.

We do not build advertising profiles from the contents of documents you upload. The ad personalisation signal Google receives from our pages is limited to the URL of the page the ad is served on plus the standard browser-provided fields.

13. Analytics

Analytics help us understand in aggregate how visitors move through the site: which tools are popular, where users drop out of a workflow, and whether a recent change improved the experience. Where we use privacy-respecting analytics tools, they are configured to collect the minimum amount of data needed to answer those questions, to respect Do Not Track signals where feasible, and to anonymise IP addresses before persistence.

14. Children's privacy

PDFWhirl is a general-audience service. We do not target our tools or content to children under the age of 13 (or under 16 where local law sets a higher threshold for data processing). We do not knowingly collect personal data from children. If you believe a child has uploaded data to PDFWhirl, please contact privacy@pdfwhirl.com so we can delete the corresponding data.

15. Your rights under the GDPR

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:

  • Access — obtain confirmation of whether we process your data and receive a copy,
  • Rectification — correct inaccurate or incomplete data we hold about you,
  • Erasure — ask us to delete data we no longer have a basis to keep,
  • Restriction — ask us to pause processing while a dispute about your data is resolved,
  • Portability — receive a structured, machine-readable copy of data you have provided to us,
  • Objection — object to processing based on our legitimate interests, including profiling,
  • Withdraw consent — withdraw consent you previously gave for non-essential cookies or any other consent-based activity,
  • Lodge a complaint — file a complaint with your national data protection authority.

To exercise any of these rights, email privacy@pdfwhirl.com. We may need to verify your identity before completing the request — usually by confirming access to the email address from which the request was sent, or by requesting limited additional information if the request is unusual or high risk.

16. Your rights under the LGPD (Brazil)

If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) grants you specific rights that are conceptually similar to those under the GDPR. These include confirmation of processing, access to your data, correction of incomplete or outdated data, anonymisation or deletion of unnecessary data, portability, information about entities with whom your data has been shared, information about the possibility of withdrawing consent, and the right to revoke consent previously given. You may submit an LGPD request by writing to privacy@pdfwhirl.com.

17. Your rights under the CCPA and CPRA (California)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act gives you the right to know what categories of personal information we have collected about you, to request deletion of that information, to correct inaccurate information, to opt out of "sale" or "share" of personal information for cross-context behavioural advertising, and to limit the use of sensitive personal information. PDFWhirl does not sell personal information for monetary consideration. Where advertising cookies set through our pages qualify as "sharing" under CPRA, you can opt out via the cookie preference control. Requests should be sent to privacy@pdfwhirl.com.

18. Automated decision-making

PDFWhirl does not subject visitors to solely-automated decisions that produce legal or similarly significant effects. The PDF tools perform automated transformations of file content at the user's request, but these are procedural operations on documents rather than decisions about a person.

19. Guidance on sensitive documents

Users sometimes ask whether to upload particularly sensitive documents — medical records, tax filings, legal contracts — to any online service. PDFWhirl is engineered so that even sensitive documents spend only a short time in our processing environment, but the most private workflow is always a fully-offline desktop tool. If you are in doubt, the guide Is It Safe to Use Online PDF Tools walks through how to evaluate risk, check a provider's security posture, and decide when a local tool is the better choice.

20. Updates to this policy

We review this Privacy Policy periodically and update it when our practices change, when new features are added to the site, or when relevant laws are updated. The "Last updated" and "Effective date" near the top of this page always reflect the most recent version. If we make a material change, we will provide a more prominent notice on the homepage or via email to users who have previously contacted us about privacy matters. Continued use of PDFWhirl after the effective date of an updated policy constitutes acceptance of the updated terms.

21. How to contact us

For any privacy-related question, request, or concern, please write to us at privacy@pdfwhirl.com. General product support is available at support@pdfwhirl.com. Security reports and vulnerability disclosures should be sent to security@pdfwhirl.com. We aim to acknowledge all privacy requests within five business days and to resolve them within one calendar month, in line with the timelines set by the GDPR, the LGPD, and the CPRA.