Skip to content
pdf.xhub

Privacy Policy

Last updated: May 24, 2026

1. Who we are

pdf.xhub.io provides a developer API for generating PDF documents. The service is operated from the European Union and hosted in Frankfurt and Paris. For workspace data submitted via the API, pdf.xhub.io acts as a data processor under Article 28 GDPR; the customer is the data controller.

2. What data we process

We process three categories of data:

  • Workspace data — templates, input payloads, and rendered PDFs that you submit via the API or Editor. Stored in the region you select.
  • API logs — request metadata (timestamp, endpoint, status, request ID, API key prefix, workspace ID) for security, abuse prevention, and observability.
  • Billing data — name, email, billing address, VAT ID, and tokenized payment-method references handled by Stripe Payments Europe.

3. Why we process it

  • Render PDFs — the core contractual obligation (Art. 6(1)(b) GDPR).
  • Bill — to invoice usage and comply with EU VAT rules (Art. 6(1)(b) and 6(1)(c) GDPR).
  • Comply — to satisfy legal obligations including tax retention, security incident reporting, and abuse mitigation (Art. 6(1)(c) and 6(1)(f) GDPR).

4. Sub-Processors

We engage the following sub-processors to operate the service. The full list, including the legal basis for each transfer, is included in our Data Processing Agreement.

  • Hetzner Online GmbH — hosting (Germany)
  • Cloudflare Inc. — CDN, WAF, DDoS protection (EU PoPs)
  • Stripe Payments Europe — billing and tax (Ireland)
  • Sentry GmbH — error monitoring (Germany)
  • Grafana Labs — logs, metrics, traces (EU Cloud)
  • Resend Inc. (EU) — transactional email (EU region)
  • HashiCorp Vault — secrets management (self-hosted, FRA)
  • Scaleway SAS — secondary EU region (France)
  • Google Ireland Ltd. / Google LLC — website analytics (Google Analytics 4), consent-based only. Transfers to the US are covered by the EU–US Data Privacy Framework and Standard Contractual Clauses.

5. Your rights

Under Articles 15–22 GDPR you have the right of access, rectification, erasure, restriction, data portability, and objection. The Console provides self-service tooling for export and erasure; remaining requests are handled by dpo.pdf@xhub.io within 30 days. You also have the right to lodge a complaint with your supervisory authority.

6. Data retention

  • Generated PDFs — kept for the retention window configured per workspace (default 30 days, configurable down to 0).
  • Templates — retained until deleted by the customer; deletion is final after the 14-day soft-delete window.
  • API logs — 90 days for operational use; anonymized records retained 12 months for fraud prevention (legitimate-interest basis).
  • Billing records — retained as required by EU and German tax law (typically 10 years).

7. Cookies & analytics

On this website we use Google Analytics 4 to understand how visitors use the site. It runs only with your consent (Art. 6(1)(a) GDPR): Google Consent Mode is set to denied by default, so no analytics cookies are written and no identifying data is sent until you opt in via the cookie banner.

  • Cookies set after opt-in _ga and _ga_<id>, used to distinguish visitors and sessions. Typical lifetime up to 14 months.
  • No advertising — ad storage and personalization remain denied; we do not use Google Analytics for advertising.
  • Withdraw anytime — change or revoke your choice via Cookie settings in the footer. Withdrawal clears the analytics cookies on your next choice.

The website itself sets no marketing or tracking cookies beyond the above. Analytics data is processed by Google as a sub-processor; see section 4.

8. Contact

Questions about this policy or data-subject requests: dpo.pdf@xhub.io. For general inquiries: hello.pdf@xhub.io..