PDFOrca

GDPR & DPDP Compliance

Your data protection rights under the EU's GDPR and India's DPDP Act, 2023.

Last updated: June 16, 2026

Right to Access

Request a copy of all personal data we hold about you (account email, name, activity history).

Right to Rectification

Update inaccurate or incomplete information directly from your dashboard settings.

Right to Erasure

Delete your account and all associated data permanently. This is irreversible.

Right to Data Portability

Export your activity history in a machine-readable (JSON) format.

Right to Restrict Processing

Ask us to pause specific processing of your data while a complaint is being resolved.

Right to Withdraw Consent

Withdraw consent for non-essential processing (e.g., product update emails) at any time.

1. Who this applies to

This page describes how PDFOrca complies with two major data-protection regimes:

  • GDPR — applicable if you reside in the European Economic Area (EEA), United Kingdom, or Switzerland.
  • DPDP Act 2023 — applicable if you reside in India and use the Service or if your personal data is processed in India.

The rights we offer apply uniformly to all users, regardless of jurisdiction.

2. Our role under each regime

Under GDPR, PDFOrca acts as a Data Controller for account information (email, profile, activity history) and as a Processor for files you upload (held transiently and deleted within 1 hour).

Under the DPDP Act 2023, PDFOrca is a Data Fiduciary with respect to personal data we determine the purposes and means of processing.

3. Lawful basis for processing

We process personal data on the following lawful bases:

  • Performance of a contract — to provide the tools you request.
  • Legitimate interest — to keep the service secure, prevent abuse, and improve reliability.
  • Consent — for optional marketing communications.
  • Legal obligation — to respond to lawful demands from authorities.

4. How to exercise your rights

Most rights can be exercised directly from your account dashboard. For requests we cannot fulfill automatically (e.g., a data access request as an EU citizen), email us:

[email protected]

We respond within 30 days under GDPR and the DPDP Act. We may ask for verification of identity before processing requests.

5. International transfers

Our infrastructure runs primarily in the European Union (Hetzner, Germany). When data is transferred from India to the EU, the transfer is governed by Standard Contractual Clauses (SCCs) or other safeguards permitted under Section 16 of the DPDP Act and GDPR Articles 44-49.

6. Data retention

  • Uploaded files: deleted automatically within 1 hour of processing.
  • Account data: retained while the account is active. Deleted within 30 days of account closure (or longer where required by law).
  • Server access logs: retained for 30 days for security and debugging.
  • Error reports (Sentry): retained for 90 days, then auto-purged.

7. Children

PDFOrca is not directed at children. Under the DPDP Act, processing personal data of a child (anyone under 18) requires verifiable parental consent. We do not knowingly collect data from children. Parents who believe their child has created an account should email us for immediate removal.

8. Right to lodge a complaint

If you believe we have not handled your data properly, you have the right to complain to a supervisory authority:

  • India: Data Protection Board of India (once constituted under the DPDP Act).
  • EU residents: Your local Data Protection Authority. A list is available at edpb.europa.eu.

9. Changes to this page

We will update this page if data-protection legislation evolves (for example, as the DPDP Act's implementing rules are published). Material changes are announced to registered users via email.

This page is offered in English and Hindi. The English version is the canonical legal text; the Hindi translation is provided for convenience.