Privacy Policy
Last updated: March 17, 2026
Our Core Privacy Guarantee
Your documents, the text extracted from them, and any PII detected are processed entirely within your browser. This data is never transmitted to our servers or any third party. This is not a policy choice — it is the technical architecture of the product.
How the Architecture Works
PDF Redaction uses a split-plane architecture that separates sensitive document processing from account management:
Local AI Processing Plane (your browser)
Document content, extracted text, PII values found during analysis, and redacted output. None of this data is ever transmitted over any network.
Control Plane (our servers)
Account identity (email, name), plan status, and anonymous usage metadata. Usage metadata includes only: file size, page count, number of entities found by type (e.g. "3 emails, 1 phone number"), and processing duration. It never includes the actual entity values, document text, or any document content.
This means that in the event of a server-side security incident, the data exposed would be limited to email addresses, plan status, and aggregate usage counts. No document content, no PII values, and no health records would be at risk — regardless of what documents users have processed.
What We Never Collect
We do not and structurally cannot access the following data, because all AI processing runs locally and this data is never transmitted to our servers:
- The content of your documents (text, images, formatting)
- The specific PII values found (names, SSNs, emails, phone numbers, etc.)
- The redacted output or any derivative of your document content
- Screenshots, thumbnails, or previews of your documents
What We Do Collect
Account Information
When you create an account, we collect your name and email address to provide authentication and account services. If you subscribe to a paid plan, your billing is handled by Lemon Squeezy (our payment processor) — we never receive or store your credit card number or bank details.
Usage Metadata
When you process a document, our server records anonymous metadata to enforce usage limits and improve the service. This includes: file size in bytes, page count, the count of entity types detected (e.g. "EMAIL: 3, PHONE: 1" — never the actual values), the redaction method used, and processing duration in milliseconds. This data is retained for 90 days on the Free plan and 365 days on Professional, then automatically deleted.
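The boundary between what stays in the browser (the Local AI Processing Plane above) and the count-only usage record the Control Plane receives can be enforced in client code before anything is sent. The following is an added example, not PDF Redaction's own code; the field names, redaction method names and entity type list are assumptions:

```javascript
// Added example (not the product's own code); field and type names are assumptions.
// Constructed sample of the local plane's output; the entity values are fabricated.
const SAMPLE_ANALYSIS = {
  fileSizeBytes: 48213, pageCount: 3, durationMs: 1840, redactionMethod: "blackbox",
  entities: [
    { type: "EMAIL", value: "jane@example.com" },
    { type: "EMAIL", value: "ops@example.org" },
    { type: "PHONE", value: "555-0100" },
  ],
};

// Allow-lists: integers, a known method name, and per-type counts for known types.
const NUMERIC_FIELDS = ["fileSizeBytes", "pageCount", "durationMs"];
const KNOWN_METHODS = ["blackbox", "pseudonymize"];
const KNOWN_ENTITY_TYPES = ["EMAIL", "PHONE", "SSN", "NAME"];

// Build the usage record the policy describes: counts by type, never the values.
function buildUsageMetadata(analysis) {
  const entityCounts = {};
  for (const e of analysis.entities) {
    entityCounts[e.type] = (entityCounts[e.type] || 0) + 1;
  }
  return {
    fileSizeBytes: analysis.fileSizeBytes, pageCount: analysis.pageCount,
    durationMs: analysis.durationMs, redactionMethod: analysis.redactionMethod,
    entityCounts,                           // e.g. { EMAIL: 2, PHONE: 1 }
  };
}

// Egress guard before fetch(): returns the body, or throws if it could carry content.
function checkedUsageBody(payload, analysis) {
  for (const [k, v] of Object.entries(payload)) {
    if (NUMERIC_FIELDS.includes(k)) {
      if (!Number.isInteger(v)) throw new Error(`${k} must be an integer`);
    } else if (k === "redactionMethod") {
      if (!KNOWN_METHODS.includes(v)) throw new Error("unknown redaction method");
    } else if (k === "entityCounts") {
      for (const [t, n] of Object.entries(v)) {
        if (!KNOWN_ENTITY_TYPES.includes(t) || !Number.isInteger(n)) throw new Error(`bad count for ${t}`);
      }
    } else {
      throw new Error(`field not allowed in usage metadata: ${k}`);
    }
  }
  const body = JSON.stringify(payload);
  for (const e of analysis.entities) {
    if (body.includes(e.value)) throw new Error("payload contains a detected value");
  }
  return body;
}
```

The structural allow-list is the real control (no free-form strings can reach the server at all); the final substring scan is only a backstop for values the local plane detected.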
Website Analytics
We collect anonymous, aggregated analytics (page views and feature usage) to improve the website. This data contains no personally identifiable information and cannot be linked to individual users.
Third-Party Services
We use the following third-party services to operate the product. None of them receive your document content or PII values:
- Vercel — Hosting and application delivery. Receives standard web request data (IP address, browser type).
- Neon — Database hosting. Stores account info, plan status, and usage metadata only.
- Resend — Transactional email (account verification, password reset). Receives your email address only.
If we introduce paid plans in the future, we will update this policy before enabling payment processing.
Data Retention
We retain data only as long as needed:
- Account data — Life of your account plus 30 days after deletion request
- Usage metadata — 90 days on the Free plan, then automatically purged
- Session data — Expires after 7 days; you must re-authenticate
Your Rights
Under applicable privacy laws (including GDPR and CCPA), you have the right to:
- Access — Export all data we hold about you in a machine-readable format
- Correction — Update inaccurate personal data via your account settings
- Deletion — Delete your account and all associated data
- Portability — Download your data as JSON
- Objection — Object to processing of your personal data
- Withdraw Consent — Withdraw consent at any time where processing is based on consent
To exercise any of these rights, use the account settings page or contact us at the email below. We respond to all data requests within 30 days.
HIPAA Compatibility
Because document content — including Protected Health Information (PHI) — is processed entirely within your browser and never transmitted to our servers, the product supports HIPAA-compliant workflows. Our server infrastructure operates as an account and quota system, not a healthcare data processor. For Enterprise customers who require a Business Associate Agreement, please contact us.
Data Security
All server-side data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Account secrets and credentials are never stored in recoverable form. Our local-processing architecture means your sensitive documents never leave your control, providing a level of data security that server-side processing tools fundamentally cannot match.
Changes to This Policy
We may update this privacy policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date. Material changes will be communicated via email to account holders.
Contact Us
If you have any questions about this privacy policy or our data practices, please contact us at contact@pdfredaction.com.