Privacy Policy

Last updated: March 2026

Our Core Promise

We never store, read, or share your documents. All files are processed in memory and automatically deleted from our servers immediately after processing. Output files are purged within 60 minutes.

1. Information We Collect

1.1 Account Information

When you sign in via Google or email, we collect:

  • Email address - for authentication and account identification
  • Name - for personalization (from Google, or derived from email)
  • Profile picture - only if you sign in with Google (we don't store it, it's fetched from Google)

1.2 Usage Data

We track basic usage counts (number of documents processed) to enforce plan limits. We do not track what types of documents you process or their content.

1.3 Cookies

We use the following cookies:

  • session - httpOnly cookie storing your JWT session token (if logged in)
  • csrf_token - CSRF protection token for form submissions
  • usage_count - tracks anonymous usage count (for the 10 free conversions limit)
  • theme - your dark/light mode preference (stored in localStorage, not a cookie)

We do not use any third-party tracking cookies, advertising cookies, or analytics trackers.

2. How We Handle Your Files

This is the most important section of our privacy policy:

  • Your uploaded files are processed entirely on our server in real-time
  • Files are never stored permanently on our servers
  • Output files are kept temporarily (up to 60 minutes) for you to download
  • After the temporary period, all files are automatically and permanently deleted
  • We never read, analyze, index, or share the content of your files
  • We never use your files for AI training, analytics, or any other purpose
  • File processing happens over HTTPS (encrypted in transit)

3. Data Security

We implement industry-standard security measures:

  • HTTPS encryption for all data in transit
  • JWT-based session management with httpOnly cookies
  • CSRF protection on all form submissions
  • Secure HTTP headers (X-Frame-Options, X-Content-Type-Options, HSTS)
  • File validation with magic byte verification to prevent malicious uploads
  • Automatic file cleanup with background task running every 30 minutes

4. Data Sharing

We do not sell, trade, or share your personal information with any third parties. The only external service we interact with is Google OAuth (if you choose to sign in with Google), which is governed by Google's Privacy Policy.

5. Data Retention

  • Uploaded files: Deleted immediately after processing
  • Output files: Auto-deleted within 60 minutes
  • Account data: Retained until you request deletion
  • OTP codes: Auto-expire after 5 minutes via MongoDB TTL index

6. Your Rights

You have the right to:

  • Request a copy of your account data
  • Request deletion of your account and all associated data
  • Opt out of any future marketing communications
  • Use the Service without creating an account (up to 10 free conversions)

7. Children's Privacy

Our Service is not directed to children under the age of 13. We do not knowingly collect personal information from children.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users via email about significant changes. Your continued use of the Service after changes constitutes acceptance.

9. Contact Us

If you have any questions about this Privacy Policy or want to exercise your data rights, please contact us at our contact page or email support@justconvert.com.