Privacy Policy
Last updated: January 6, 2026
Security & Privacy Commitment
Bank-Grade Encryption
Your documents are protected with AES-256 encryption at rest and TLS 1.3 in transit.
Zero Data Retention
AI providers receive zero data retention - your prompts and extracted data are never stored or used for training.
Ephemeral Processing
Code execution happens in ephemeral sandboxes that are destroyed immediately after processing.
1. Introduction
OkraPDF ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our PDF processing service. We recognize that our users entrust us with sensitive financial and legal documents, and we have built our architecture with a "security-first" and "privacy-by-design" approach.
2. Information We Collect
We collect the minimum amount of data necessary to provide our services:
- Account Information: Email address and authentication identifiers (managed securely via Clerk).
- User Content: PDF documents you explicitly upload for processing.
- Processing Data: Temporary data extracted from your documents (text, tables) to generate responses.
- Usage Metrics: For anonymous visitors, we collect aggregate page views with no personal identifiers. For logged-in users, we track feature usage (uploads, extractions, exports) via PostHog to improve the product. We do not record user sessions.
3. How We Process Your Documents
Our document processing pipeline is designed to ensure maximum privacy:
- Upload & Storage: Documents are stored in Google Cloud Storage buckets encrypted with AES-256 keys. Signed URLs with short expiration times (15-60 minutes) are used for access.
- AI Processing: We use top-tier AI providers (like Anthropic and Google) configured with Zero Data Retention (ZDR) policies where available. This means your document data is processed in memory and not saved to their servers.
- Code Execution: For complex analysis involving code (e.g., Python scripts for data cleaning), we use ephemeral sandboxes (E2B) that are isolated and terminated immediately after the task completes. No data persists in these environments.
- No Training: We contractually ensure that your data is never used to train our AI models or third-party base models.
4. Third-Party Subprocessors
We partner with industry-leading infrastructure providers to deliver our service. All partners are vetted for security compliance (SOC 2, ISO 27001).
| Provider | Purpose | Data Treatment |
|---|---|---|
| Google Cloud Platform | Cloud Infrastructure & Storage | Encrypted at rest (AES-256) |
| Clerk | Authentication | SOC 2 Compliant Identity Management |
| Stripe | Payments | PCI-DSS Level 1 (We never see card details) |
| OpenRouter / Anthropic | LLM Inference | Zero Data Retention (ZDR) enabled |
| PostHog | Product Analytics | Identified users only, no session recordings |
5. Google Drive Integration
When you choose to connect your Google Drive account, OkraPDF requests restricted, read-only access. We only access the specific files you explicitly select via the Google Picker. We do not scan your drive, and we do not store your Google credentials. You can revoke this access at any time via your Google Account permissions.
6. Data Retention & Deletion
We believe your data belongs to you.
- Retention: Documents are retained only as long as your account is active or until you delete them.
- Deletion: You can delete any document from your dashboard at any time. This triggers a hard delete from our storage systems.
- Account Deletion: Upon account termination, all associated data is permanently removed from our active systems within 30 days.
7. Enterprise Security
For enterprise clients, we currently offer a **complete audit trail** for all document activities, ensuring full visibility and accountability.
We are actively developing additional enterprise security features such as Single Sign-On (SSO), Role-Based Access Control (RBAC), and Data Residency options. For a detailed discussion of our security roadmap and how we can meet your specific compliance needs, please contact our security team.
8. Contact Us
If you have any questions about this Privacy Policy or our security practices, please contact us at support@okrapdf.com