pdf.xhub

Privacy Policy

Last updated: April 30, 2026

1. Who we are

pdf.xhub.io provides a developer API for generating PDF documents. The service is operated from the European Union and hosted in Frankfurt and Paris. For workspace data submitted via the API, pdf.xhub.io acts as a data processor under Article 28 GDPR; the customer is the data controller.

2. What data we process

We process three categories of data:

  • Workspace data — templates, input payloads, and rendered PDFs that you submit via the API or Editor. Stored in the region you select.
  • API logs — request metadata (timestamp, endpoint, status, request ID, API key prefix, workspace ID) for security, abuse prevention, and observability.
  • Billing data — name, email, billing address, VAT ID, and tokenized payment-method references handled by Stripe Payments Europe.

3. Why we process it

  • Render PDFs — the core contractual obligation (Art. 6(1)(b) GDPR).
  • Bill — to invoice usage and comply with EU VAT rules (Art. 6(1)(b) and 6(1)(c) GDPR).
  • Comply — to satisfy legal obligations including tax retention, security incident reporting, and abuse mitigation (Art. 6(1)(c) and 6(1)(f) GDPR).

4. Sub-Processors

We engage the following sub-processors to operate the service. The full list, including the legal basis for each transfer, is included in our Data Processing Agreement.

  • Hetzner Online GmbH — hosting (Germany)
  • Cloudflare Inc. — CDN, WAF, DDoS protection (EU PoPs)
  • Stripe Payments Europe — billing and tax (Ireland)
  • Sentry GmbH — error monitoring (Germany)
  • Grafana Labs — logs, metrics, traces (EU Cloud)
  • Resend Inc. (EU) — transactional email (EU region)
  • HashiCorp Vault — secrets management (self-hosted, FRA)
  • Scaleway SAS — secondary EU region (France)

5. Your rights

Under Articles 15–22 GDPR you have the right of access, rectification, erasure, restriction, data portability, and objection. The Console provides self-service tooling for export and erasure; remaining requests are handled by dpo@pdf.xhub.io within 30 days. You also have the right to lodge a complaint with your supervisory authority.

6. Data retention

  • Generated PDFs — kept for the retention window configured per workspace (default 30 days, configurable down to 0).
  • Templates — retained until deleted by the customer; deletion is final after the 14-day soft-delete window.
  • API logs — 90 days for operational use; anonymized records retained 12 months for fraud prevention (legitimate-interest basis).
  • Billing records — retained as required by EU and German tax law (typically 10 years).

7. Contact

Questions about this policy or data-subject requests: dpo@pdf.xhub.io. For general inquiries: hello@pdf.xhub.io.