Home
Tools
Documents
Search
  • Pricing

Privacy Notice

Thank you for visiting our website.

Smallpdf respects your right to privacy when you use our services, visit our website, download our desktop app or mobile apps, or communicate with us. We take all necessary measures to ensure that any personal data you give us is treated in compliance with data protection laws and with this Privacy Notice.

We are Smallpdf AG, a company incorporated under the laws of Switzerland, with its registered offices at Steinstrasse 21, 8003 Zürich, Switzerland, also reachable at privacy@smallpdf.com. ‘Personal data’ is any information that relates to an identified or identifiable natural person, such as your name or email address.

In exchange for our services, when you visit our website or communicate with us, we may process personal data related to you (‘Your Personal Data’). In these cases, Smallpdf is the controller of Your Personal Data.

When you upload or otherwise provide files and information, which may contain personal data related to you or others, and process such files and information using our services (‘User Files’), you remain fully responsible for such personal data contained in the User Files.

In the paragraphs below, we endeavor to provide you with information about our processing of Your Personal Data, your rights regarding Your Personal Data, and the measures we take to maintain the privacy and security of Your Personal Data.

If you provide us with personal data of other people (such as family members or work colleagues) or provide us User Files which contain personal data related to other people, please make sure they are aware of this Privacy Notice and only provide us with their data if you are allowed to do so and such personal data is correct.

Our website, desktop app, mobile apps, and communications may contain links to other websites. If you follow a link to any of those websites, please note that the personal information you submit will be processed according to their own privacy notices, and that Smallpdf does not accept any responsibility or liability for those websites. Please make sure to check those privacy notices before you submit any personal information to those websites.

This Privacy Notice has been drafted to be in line with applicable privacy laws. Based on your location, this might, for example, be the Swiss Federal Data Protection Act, the California Consumer Privacy Act, or the EU General Data Protection Regulation (GDPR).

Key Questions and Answers

1. What personal data does Smallpdf collect through its website and for what purposes?

In brief: If you use our services, regardless of whether you are a free or paying user, we will collect Your Personal Data as required to provide our services to you and/or help us improve our services for you.

1.1 Use of our website

If you visit any domain or subdomain of smallpdf.com and do not register for or log into your account, we collect and process Your Personal Data that is necessary to enable your informational use of these domains. We also use functional cookies and other technologies (see Section 8) to enable this functional use of our website and to maintain the stability and security of our website. For these purposes, we process your IP address and other usage metrics along with the date and time of your access. We process Your Personal Data to provide our website to you (Art. 6 (1) (1) b GDPR) and based on our legitimate interest to maintain our website’s stability and security (Art. 6 (1) (1) f GDPR).

1.2 Use of our mobile apps and desktop app

If you download our mobile apps or our desktop app and do not register for or log into your account, we process Your Personal Data to enable your informational use of the respective app and to ensure the stability and the security of the respective app. For our mobile apps, we process your device ID, information related to your device (e.g. the operating system), information about the app you use (app version and language), the amount of transferred data and applicable timestamps. For our desktop app, we process information related to your device, your IP address, and information on the browser you use for the download (browser type, version, and operating system). We process Your Personal Data in order to provide our mobile apps and/or desktop app to you (Art. 6 (1) (1) b GDPR) and based on our legitimate interest to maintain our apps’ stability and security (Art. 6 (1) (1) f GDPR).

1.3 Use of our services via third-party services

You may be able to access our services and upload User Files via third-party services, such as Dropbox and Google Drive. For this purpose, you do not have to create a User Account with us or provide your login credentials for the third-party service or application. Rather, we will let you access our services with an authorization token (aka “OAuth token”) from the third-party service provider confirming that you are a valid user of their service. We process this information to enable your use of our services (Art. 6 (1) (1) b GDPR).

1.4 User Account

If you create a Smallpdf account (including for a free trial of our services) via our website, mobile apps, or desktop app, we process your email address and the password you choose at registration.

You can also create a user account for our services using your pre-existing Google, Apple, or Facebook accounts and use that third-party platform’s credentials to log in to your user account with us. If you choose this option, you allow us to request and use some of Your Personal Data from the third-party account.

For Google, this involves us processing your name, surname, email address, and public profile information (e.g. profile picture). For Facebook, we will process your email address and public profile information (username and profile picture). For Apple, this involves us processing your username and email address. The third-party platform may ask for your consent to share this data with us. As the personal data we may process under this option was originally collected by the third-party platform, the initial data processing and sharing of the data with us is governed by the privacy policy of such third-party platforms (thus, either Google, Apple, or Facebook). Please refer to the relevant third-party platform and/or its settings, if you want to deactivate the connection between the third-party platform and us.

We process Your Personal Data to set up your user account and, thus, form a contractual relationship (Art. 6 (1) (1) b GDPR).

For security reasons, we also process the time, browser, IP address of your last login, and the time of your last password reset. We have a legitimate interest to process this information to filter out suspicious login requests and to detect and prevent abuse of your user credentials (Art. 6 (1) (1) f GDPR).

1.5 Smallpdf Pro subscription

During registration of your user account or later on, you may provide Your Personal Data as part of your profile if you purchase any of our paid subscriptions (Smallpdf Pro). These types of personal data vary based on the type of account (single or team), the type of subscription, and the payment method you choose. These types of data may generally include your name, address, which subscription plan you are on, your payment method (e.g. PayPal or credit card, in the latter case including expiration date and certain digits of your credit card number), your VAT or other tax number, user settings, your company, role, and employee status.

We process Your Personal Data to suggest the right type of subscription for your needs to you and to complete your purchase. The data processing serves to conclude and fulfill the subscription contract between you and us (Art. 6 (1) (1) b GDPR).

a) Payment

We use payment data and information on your subscription and payment history (subscription plan, billing period, etc.) to process the regular payments for your Smallpdf Pro subscription and, thus, fulfill our contract (Art. 6 (1) (1) b GDPR). We accomplish this through third-party payment processors, such as PayPal (in case you choose Paypal as a payment method or, in some cases, for credit card payments), Adyen (in some cases you choose credit card as your payment method), and GoCardless (in case you choose direct debit payment as your payment method). We also use Recurly as a subscription management provider. For further information on these providers, please visit section 4 below.

If you choose credit card as your payment method, your full credit card number is always sent directly to the payment provider and never reaches our server. We only receive the first and last four digits of any credit card.

b) Invoices

We process your account, subscription, and payment information to fulfill our legal obligations (legal data storage obligations, e.g. under tax law) (Art. 6 (1) (1) c GDPR) and provide you with invoices under our contract (Art. 6 (1) (1) b GDPR). We also use Recurly as a subscription management provider to help us in providing the aforementioned services. For further information on this provider, please visit section 4 below.

1.6 Email communication, including customer support, newsletters, and other marketing emails

When you communicate with us via email, including for customer support, you provide us with your email address and may provide us with your name, contact details, and other personal data, including the content of your email. We process this information to answer your request (Art. 6 (1) (1) b GDPR).

We may send you our newsletter or other marketing emails, generally only with your consent (Art. 6 (1) (1) a GDPR). However, where you have already purchased products and/or services from us, we may inform you about our similar products or services via email where we have informed you of such a possibility in advance and allowed you to refuse it. We do so under our legitimate interest to promote our business with existing customers (Art. 6 (1) (1) f GDPR). Please note that you can opt out of such email communication by clicking on the unsubscribe link at the end of each marketing email.

For information about third-party providers that we may use for the aforementioned purposes, please visit Section 4 below.

1.7 Service improvement and error detection
a) Website and mobile apps

For our website and mobile apps, we may process information on your default system language, your device, your usage of our services, and information on the pages of our website which you have visited. For error detection, we aggregate this information by shortening your IP address, such that it is not directly attributable to specific users. We only use this information in this aggregated form. We generally use the same type of information, as well as file metadata, for analytical purposes to improve our services by identifying features our users like and how our services function with different devices. We have a legitimate interest to use this information for service improvement (Art. 6 (1) (1) f GDPR). For information on third-party providers that we use for these tasks, please visit Section 4 below.

b) Desktop app

For our desktop app, we may process information on your operating system, the number of CPU cores your computer uses, your computer memory, your default system language, your system architecture, and your default PDF app. We aggregate this information such that it is not directly attributable to specific users, then use it to improve your experience on our desktop app and develop our desktop app. We have a legitimate interest to provide our services to you in a seamless way based on aggregated technical information (Art. 6 (1) (1) f GDPR).

1.8 Surveys & user feedback

We occasionally conduct voluntary surveys through our website, desktop app, mobile apps, or other methods to collect user feedback. For some of these surveys, we may process Your Personal Data, such as your name, email, and IP address in addition to your feedback/answers. In other cases, we only collect aggregated information that is not directly attributed to specific users (e.g. yes or no answers through a survey field only). We process and store all of the aforementioned information to carry out the surveys (Art. 6 (1) (1) b GDPR) and under our legitimate interest to collect user feedback (Art 6 (1) (1) f GDPR). In some cases, we may also collect your consent (Art. 6 (1) (1) a GDPR). For more information on third-party providers we use for this purpose please visit Section 4 below.

1.9 Our services
a) PDF services

If you choose to use our PDF services and upload or otherwise provide User Files for this purpose, we process the User Files and metadata (such as file size, file name, and file type) and may store User Files as set out in Section 6 below. Such files and information may contain personal data related to you or others and you remain fully responsible for any personal data contained in the User Files. We process this information in order to provide you with our PDF services (Art. 6 (1) (1) b GDPR).

b) Signature/eSign

If you use our eSign tool, we process and store your signature(s) for future use at your convenience. If you are requesting a signature via our eSign tool from someone else, you remain fully responsible for the data processing regarding the other person. In order to verify the signing process, we also process other information on the involved persons/people, such as their email address, their IP address, the time of their signature, and the document status. This is necessary to provide the eSign tool (Art. 6 (1) (1) b GDPR) and is based on our legitimate interest to provide you with an easy-to-use and smooth service as well as to prevent its abuse (Art. 6 (1) (1) f GDPR).

2. How does Smallpdf protect Your Personal Data?

In brief: Ensuring the safety and security of our service and Your Personal Data is a priority.

Smallpdf uses appropriate technical and organizational measures to protect Your Personal Data. Only authorized Smallpdf staff or third-party company staff (i.e. service providers) have access to Your Personal Data. All such staff are required to adhere to our Privacy Notice. Additionally, all third-party employees who have access to Your Personal Data must sign non-disclosure agreements. In addition, Smallpdf has contracts in place with third-party companies that have access to Your Personal Data in order to protect it. To protect Your Personal Data, Smallpdf maintains a secure IT environment and has measures in place to prevent unauthorized access to it. All communication and file transfers to and from our server are encrypted with TLS. Passwords are only stored in encrypted (hashed) form, never in plain text.

3. How does Smallpdf use Your Personal Data?

In brief: We use Your Personal Data to provide you with high-quality services. Your privacy is our priority. We would not use Your Personal Data for any unlawful purposes.

We process Your Personal Data for the purposes listed above.

In specific cases, Your Personal Data may also be processed for the following purposes:

● In case we partially or fully sell the company or buy another company in whole or in part. We have a legitimate interest to further the development of our company through mergers and acquisitions (Art. 6 (1) (1) f GDPR).

● To comply with our legal obligations, including participation in investigations and proceedings conducted by the government or public authorities (Art. 6 (1) (1) c GDPR).

● In case we have a legal obligation to this effect (Art. 6 (1) (1) c GDPR), we may process Your Personal Data to protect our rights and safety, as well as those of our customers and third parties. Although we may not have a legal obligation to do so, we may still process data for this purpose based on our legitimate interest or those of other affected persons in order to assert legal claims (Art. 6 (1) (1) f GDPR).

4. To whom does Smallpdf disclose Your Personal Data, and why?

In brief: We share some of Your Personal Data with others in order to provide you with our services. Don’t worry, we do not sell Your Personal Data or give it to spammers.

Smallpdf may share Your Personal Data with the following categories of recipients as necessary:

● External services providers (e.g. hosting providers, software and software as a service providers, app development providers, email service, email verification and email analytics providers, providers for error logging and service development, customer support providers, survey and user feedback providers, payment providers, billing service providers, and marketing providers). We have a legitimate interest to use external providers to ensure that we can provide our services in a professional and user-friendly manner and with a high level of service quality (Art. 6 (1) (1) f GDPR). Data transfers to service providers are covered by data processing agreements between us and the respective provider (in connection with Art. 28 GDPR).

● In the event that we buy or sell our company in whole or in part, data may be transferred to our potential contractual partners. We have a legitimate interest to further the development of our company in this manner (Art. 6 (1) (1) f GDPR).

● To law enforcement agencies, public authorities, and courts in order to comply with legal obligations to participate in investigations and proceedings conducted by governments or public authorities (Art. 6 (1) (1) c GDPR).

● To other companies, individuals, or government agencies where it is required to disclose personal data by law (Art. 6 (1) (1) c GDPR) or based on legitimate interests to protect our rights or safety as well as those of our customers and third parties (Art. 6 (1) (1) f GDPR).

Some of the aforementioned providers may process Your Personal Data outside the EU/EEA. For more information on protective measures used to secure data transfers in countries outside the EU/EEA, please see Section 7 below.

Among other things, Smallpdf may share Your Personal Data with the following third parties, but only in the circumstances set out below:

4.1 Essential providers
4.1.1 Adyen

To process credit card payments, we transfer Your Personal Data to Adyen (Adyen N.V., Simon Carmiggeltstraat 6-50, 1011 DJ Amsterdam, Netherlands). We use an external provider for this payment method to enable you to make payments under our contract (Art. 6 (1) (1) b GDPR) and according to our legitimate interest to offer you extended payment options and to outsource payments (Art. 6 (1) (1) f GDPR). This transfer is based on our data processing agreement with Adyen (in connection with Art. 28 GDPR). Per this agreement, Adyen must process Your Personal Data only in accordance with our instructions and to the extent permitted by data protection law. Adyen may process personal data outside the EU/EEA. For more information on protective measures for securing data transfers to countries outside the EU/EEA, please see section 7 below.

4.1.2 GoCardless

To process direct debit payments, we transfer Your Personal Data to GoCardless (GoCardless Ltd, Sutton Yard, 65 Goswell Road, London, EC1V7EN, United Kingdom). We use an external provider for this payment method to enable you to make payments under our contract (Art. 6 (1) (1) b GDPR) and according to our legitimate interest to offer you extended payment options and to outsource payments (Art. 6 (1) (1) f GDPR).

GoCardless acts as a data controller in providing its services. Therefore, the data processing is governed by GoCardless’ privacy policy, not ours. We have no control over the data that GoCardless collects or the extent of data use by GoCardless. For details about GoCardless’ data processing, please refer to https://gocardless.com/privacy/.

GoCardless may process personal data outside the EU/EEA. For more information on protective measures for securing data transfers to countries outside the EU/EEA, please see section 7 below.

4.1.3 Recurly

To provide you with invoices and to route your payments to the payment service provider(s) mentioned in this privacy notice, we transfer Your Personal Data to our subscription management provider Recurly (Recurly Inc., 400 Alabama St., Suite 202, San Francisco, CA 94110, USA). Recurly is a billing platform that allows us to manage your and other customers’ subscriptions to our services in a centralized manner by routing you to the right payment providers and by initiating the appropriate billing. We use this provider to enable you to make payments under our contract (Art. 6 (1) (1) b GDPR), to provide you with invoices under our contract (Art. 6 (1) (1) b GDPR), and according to our legitimate interest to outsource payments and billing processes (Art. 6 (1) (1) f GDPR). This transfer is based on our data processing agreement with Recurly (in connection with Art. 28 GDPR). Per this agreement, Recurly must process Your Personal Data only in accordance with our instructions and to the extent permitted by data protection law. Recurly may process personal data outside the EU/EEA. For more information on protective measures for securing data transfers to countries outside the EU/EEA, please see section 7 below.

4.1.4 PayPal

We offer payment via PayPal, a service offered by PayPal Pte. Ltd., 5 Temasek Boulevard, #09-01 Suntec Tower Five, Singapore 038985. If you select PayPal as your payment method, you will be redirected to the PayPal website and the personal data you enter will be transmitted to PayPal in encrypted form. Paypal enables you to make payments under our contract (Art. 6 (1) (1) b GDPR) and according to our legitimate interest to offer you extended payment options and to outsource payments (Art. 6 (1) (1) f GDPR).

PayPal acts as a data controller in providing its services. Therefore, the data processing is governed by PayPal’s privacy policy, not ours. We have no control over the data that PayPal collects or the extent of data use by PayPal. For details about PayPal’s data processing, please refer to https://www.paypal.com/en/webapps/mpp/ua/privacy-full.

PayPal may process personal data outside the EU/EEA. For more information on protective measures for securing data transfers to countries outside the EU/EEA, please see Section 7 below.

4.1.5 Hotjar

We use Hotjar (Hotjar Ltd., Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta) to collect user feedback through survey widgets and polls on our website or external survey links. If you complete an external survey, or complete or minimize survey or poll widgets on our website provided by Hotjar, Hotjar will place cookies on your device to ensure that the poll or survey will not be shown to you again (see Section 8 below for further information). We use this feature to ensure that surveys and widgets are displayed to you correctly (Art. 6 (1) (1) b GDPR) and have a legitimate interest to display them to you in line with your prior participation (Art. 6 (1) (1) f GDPR). These cookies expire after 365 days.

The transfer of Your Personal Data to Hotjar is based on our data processing agreement with this provider (in connection with Art. 28 GDPR). Hotjar may process personal data outside the EU/EEA. For more information on protective measures for securing data transfers to countries outside the EU/EEA, please see Section 7 below.

4.1.6 Typeform

We use Typeform (TYPEFORM SL, Carrer Bac de Roda, 163, local, 08018 Barcelona, Spain) to collect and analyze user feedback through surveys and polls on our website, via email, or in our mobile apps. You may be redirected to Typeform’s website to complete such surveys. We have a legitimate interest to use a third-party provider for this purpose in order to carry out surveys and polls in an efficient, user-friendly, and professional manner (Art. 6 (1) (1) f GDPR). The transfer of Your Personal Data to Typeform is based on our data processing agreement with this provider (in connection with Art. 28 GDPR). Typeform may process personal data outside the EU/EEA. For more information on protective measures for securing data transfers to countries outside the EU/EEA, please see Section 7 below.

Please note that we have no control over the data that Typeform collects or the extent of data use by Typeform on its website other than through surveys conducted on our behalf. For details about Typeform’s data processing as a data controller, please refer to https://admin.typeform.com/to/dwk6gt.

4.1.7 HubSpot

Some of the contact forms on our website are provided by HubSpot (HubSpot, Inc., Dublin (European HQ), Ground Floor, Two Dockland Central Guild Street, Dublin 1). If a user fills out such a contact form, HubSpot will create a contact record. We use this service for efficient contact management based on our legitimate interests (Art. 6 (1) (1) f GDPR).

The transfer of Your Personal Data to HubSpot is based on our data processing agreement (in connection with Art. 28 GDPR). HubSpot may process personal data outside the EU/EEA. For more information on protective measures for securing data transfers to countries outside the EU/EEA, please see Section 7 below.

4.1.8 Google reCAPTCHA

We use the reCAPTCHA service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA on our website. This is a security service that helps us distinguish whether data inputs on our website (e.g. into contact forms or when opening a URL) are made by an individual or by automated means. The purpose of reCAPTCHA is to block automated requests, spam, or other malicious traffic to our website. Google will process Your Personal Data (e.g. IP address, input rates, time spent on a specific site, and movements on the site) to evaluate the website traffic as part of this product. Our use of Google reCAPTCHA is based on our legitimate interest to protect our website against spam and malicious traffic in order to ensure its security (Art. 6 (1) (1) f GDPR).

In providing Google reCAPTCHA, Google acts as a data controller for Google Ads and may process Your Personal Data for other purposes. We have no control over the data that Google collects or the extent of the data collected by Google. We also have no knowledge of the content of the data transmitted to Google. For details about Google’s data processing, please refer to https://policies.google.com/privacy. Google may process personal data outside the EU/EEA. For more information on protective measures for securing data transfers to countries outside the EU/EEA, please see Section 7 below.

4.2 Analytics providers
4.2.1 Freshdesk

We use feedback forms to gather user feedback on our desktop app. With your consent (Art. 6 (1) (1) a GDPR), we may share the feedback you provide through these forms with Freshdesk (Freshworks Inc., 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, USA), including the results of some of the user feedback forms you fill out. We use this service to gather and analyze user feedback in an efficient manner in order to improve our services.

The transfer of Your Personal Data to Freshdesk is based on our data processing agreement with this provider (in connection with Art. 28 GDPR). Freshdesk may process personal data outside the EU/EEA. For more information on protective measures for securing data transfers to countries outside the EU/EEA, please see Section 7 below.

4.2.2 Google Analytics

We use Google Analytics on our website, provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. Its purpose is to analyze user behavior and, based on the results, help us make decisions relating to product and marketing optimization. Google will process Your Personal Data (IP address, online identifiers, device identifiers, and device information, e.g. browser type, version, device type, user behavior, e.g. pages visited, session duration, use of specific website functions, e-commerce activity) to evaluate your use of the website, compile reports on website activity, and provide us with other services related to website activity and internet usage.

Google Analytics uses cookies for data processing (see Section 8 below for further information). You can consent to the processing of Your Personal Data by Google Analytics (Art. 6 (1) (1) a GDPR) and/or prevent it/withdraw your consent at any time through our cookie banner. To withdraw your consent, go to the cookie settings at the bottom of our website. Google will anonymize Your Personal Data 14 months after your last activity, provided there is no legal obligation to store it for a longer period.

The transfer of Your Personal Data to Google is based on our data processing agreement (in connection with Art. 28 GDPR). Google may process personal data outside the EU/EEA. For more information on protective measures for securing data transfers to countries outside the EU/EEA, please see Section 7 below.

4.2.3 Hotjar

We use Hotjar (Hotjar Ltd., Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta) on our website. Hotjar processes a unique user identifier number, user country, device-related information (such as browser type, operating system, and session time), information on the visited pages, and interactions with the website, including time and date, and purchased services or products. Hotjar stores this information on our behalf in pseudonymized user profiles. We use the information and profiles to analyze user behavior on our website in order to improve its navigation and marketing.

Hotjar uses cookies for data processing (see Section 8 below for further information). You can consent to the processing of Your Personal Data by Hotjar (Art. 6 (1) (1) a GDPR) and/or prevent it/withdraw your consent at any time through our cookie banner. To withdraw your consent, go to the cookie settings at the bottom of our website. In case you consent, Hotjar will place a cookie which assigns you a unique user ID in order to recognize you when you revisit our website. It expires after 365 days. Hotjar will also place session cookies (which expire when you close your browser session after visiting our website) to track you across the pages of our website, to identify new users and/or changes in user attributes and to capture information about your viewport (size and dimension). Furthermore, Hotjar will place cookies that expire after 30 minutes to detect when you first visit a page of our website and to detect whether you are included in data sampling based on our website’s pageview limit.

The transfer of Your Personal Data to Hotjar is based on our data processing agreement (in connection with Art. 28 GDPR). Hotjar may process personal data outside the EU/EEA. For more information on protective measures for securing data transfers to countries outside the EU/EEA, please see Section 7 below.

4.2.4 HubSpot Analytics

We use HubSpot Analytics, a service provided by HubSpot (HubSpot, Inc., Dublin (European HQ), Ground Floor, Two Dockland Central Guild Street, Dublin 1) to analyze how visitors use our website. Hubspot processes Your Personal Data, such as your IP address, your location, information on your device and browser, and information on the pages you visited including date and time of each visit. We use this information to improve our services, our website and its functionalities, and for targeted marketing.

For data collection, Hubspot places a cookie on your device (see Section 8 below for further information). You can consent to the processing of Your Personal Data by Hubspot (Art. 6 (1) (1) a GDPR) and/or prevent it/withdraw your consent at any given time through our cookie banner. To withdraw your consent, go to the cookie settings at the bottom of our website. Hubspot uses this data to provide us aggregated reports on the use of the pages of our website. Most of the cookies used for this purpose expire when a session is closed; however, one of them remains and expires within two years.

Please note that if you consent to data processing for HubSpot Analytics, HubSpot may associate information from your previous page visits with your contact record that has been created based on contact forms provided by HubSpot on our website (see Section 4.5 above) with the help of the cookies that have been placed on your device. This will enable us to see information on past visits to our site within your contact record. Your consent is the legal basis for our use of HubSpot Analytics (Art. 6 (1) (1) a GDPR).

The transfer of Your Personal Data to HubSpot is governed by our data processing agreement (in connection with Art. 28 GDPR). Hubspot may process personal data outside the EU/EEA. For more information on protective measures for securing data transfers to countries outside the EU/EEA, please see Section 7 below.

4.3 Personalization and advertising-related providers
4.3.1 Google Ads
a) Conversion Tracking

We use Google Ads Conversion Tracking (offered by Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA) on our website. We use this service to determine how successful our advertisements through the Google marketing network are (so-called Google Ads) based on the display of the advertisements and clicks by users. This service makes our advertisements more interesting for you and improves our marketing campaigns.

To enable this service, Google places a conversion tracking cookie on your computer (for further information on cookies see Section 8 below). You can consent to the processing of Your Personal Data by Google (Art. 6 (1) (1) a GDPR) and/or prevent it/withdraw your consent at any given time through our cookie banner. To withdraw your consent, go to the cookie settings at the bottom of our website.

The cookie expires within 30 days after visiting our website. It enables Google to recognize your internet browser and captures the unique cookie ID, the number of ad impressions per placement (frequency), last impression (relevant for post-view conversions), and opt-out information (ads that the user no longer wishes to be addressed with). If you visit our website before the cookie expires, we and Google can recognize you, for example, if you click on an ad for our services and are redirected to our website. We only receive statistical evaluations from Google. Based on these evaluations, we can see which of the advertising measures are particularly effective. We do not receive any further data from the use of the advertising tools; in particular, we cannot identify users on the basis of this information.

b) Google Ads Remarketing

We also use the online marketing service Google Ads Remarketing offered by Google (see 4.5 for company details) on our website. We use this function to present you with advertisements on our website based on your interests in Google Ads on other websites within the Google marketing network. For this purpose, Google analyzes your interaction with our website, e.g. which offers you were interested in, in order to be able to display relevant advertisements on other sites even after you have finished visiting our website.

To enable this service, Google places a cookie on your computer (for further information on cookies see section 8 below). You can consent to the processing of Your Personal Data by Google (Art. 6 (1) (1) a GDPR) and/or prevent it/withdraw your consent at any given time through our cookie banner. To withdraw your consent, go to the cookie settings at the bottom of our website.

This cookie expires 180 days after visiting our website. Google uses this cookie to analyze how you interact with Google Ads on our website and on other websites to present you relevant advertisements.

c) General information on Google Ads

Google acts as a data controller for Google Ads and may process Your Personal Data for other purposes. We have no control over the data that Google collects or the extent of the data collected by Google. We also have no knowledge of the content of the data transmitted to Google. For details about Google’s data processing, please refer to: https://policies.google.com/privacy. Google may process personal data outside the EU/EEA. For more information on protective measures for securing data transfers to countries outside the EU/EEA, please see Section 7 below.

4.3.2 LinkedIn (LinkedIn Insight Tag)

We use the LinkedIn Insight Tag (provided by LinkedIn, LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland) on our website. We use this function to capture visits of LinkedIn users to our website in order to track conversions from LinkedIn (i.e. if users came to our website based on our LinkedIn advertisements or articles) to track retargeting of our website visitors to LinkedIn. For this purpose, LinkedIn collects Your Personal Data (IP address, URL referrer, device and browser characteristics, timestamp, and events, such as page views).

LinkedIn places a cookie to capture Your Personal Data (see Section 8 below for further information). You can consent to the processing of Your Personal Data by LinkedIn (Art. 6 (1) (1) a GDPR) or prevent it or withdraw your consent at any given time through our cookie banner. To withdraw your consent, go to the cookie settings at the bottom of our website.

The cookie expires within 6 months from the last visit to our website. We will receive aggregated reports about our audience and LinkedIn advertisement performance from LinkedIn. We use this information to evaluate the quality of interaction of our audience on LinkedIn with our website and services.

The transfer of Your Personal Data to LinkedIn for the aforementioned purposes is based on our data processing agreement (in connection with Art. 28 GDPR). LinkedIn may process personal data outside the EU/EEA. For more information on protective measures for securing data transfers to countries outside the EU/EEA, please see Section 7 below.

4.3.3 Facebook

Our website utilizes Facebook Pixel (provided by Facebook Inc., 1601 S. California Ave., Palo Alto, CA 94304, USA) for the following purposes:

a) Facebook Conversion Tracking

We use the Facebook Pixel as an analytics tool to measure the effectiveness of our advertisements on Facebook by understanding the actions that Facebook users make on our website. The tool allows us to follow the actions of users after they are redirected to our website via an advertisement on Facebook (so-called “conversion”). This allows us to evaluate the efficacy of our Facebook advertisements for statistical and marketing research purposes.

b) Facebook Custom Audiences

We also use the Facebook Pixel for remarketing purposes in order to be able to show you advertisements on Facebook likely to correspond to your interests. This tool allows us to match visitors of our website to Facebook users and enables us to create Facebook advertisements for different target groups based on how they interacted with our website.

c) General information on Facebook

The Facebook Pixel captures information about your browser session when visiting our website and shares this information with Facebook, along with a hashed version of your Facebook ID and the viewed URL. We will only place the Facebook Pixel (for information on cookies and similar technologies see Section 8 below) with your consent (Art. 6 (1) (1) a GDPR). Therefore, you can prevent the use of Facebook Pixel or withdraw your consent at any given time through our cookie banner. To withdraw your consent, go to the cookie settings at the bottom of our website.

The Facebook Pixel will be deleted after 180 days of your last interaction with our website. Facebook provides us with aggregated reports which enables us to improve the quality and relevance of our advertisements on Facebook and to present Facebook users with more relevant advertisements for marketing improvement.

We and Facebook are joint controllers for data processing through the Facebook Pixel under Art. 26 GDPR and have entered into a joint control agreement. You may access this agreement here: https://www.facebook.com/legal/controller_addendum. You may exercise your data protection rights directly with Facebook.

Facebook may process personal data outside the EU/EEA. For more information on protective measures for securing data transfers to countries outside the EU/EEA, please see Section 7 below.

4.3.4 Twitter

We use Twitter Ads, a marketing service provided by Twitter (Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland) on our website. We use this service to determine how successful our advertisements on Twitter (so-called Twitter Ads) are based on the display of the advertisements and clicks by users. We use this service to make our advertisements more interesting for you and to improve our marketing campaigns, including developing custom audiences for remarketing purposes.

To enable this service, Twitter places a cookie (“Universal Website Tag”) on your device which enables Twitter to collect information on your interaction with ads placed on Twitter. For this purpose, Twitter collects Your Personal Data, such as your IP address, the unique cookie ID, the number of ad impressions per placement, and the last ad impression.

You can consent to the processing of Your Personal Data by Twitter (Art. 6 (1) (1) a GDPR) or prevent it or withdraw your consent at any given time through our cookie banner. To withdraw your consent, go to the cookie settings at the bottom of our website. This cookie expires within 30 days.

Twitter may process personal data outside the EU/EEA. For more information on protective measures for securing data transfers to countries outside the EU/EEA, please see Section 7 below.

5. What are my data protection rights and how can I exercise them?

In brief: You have certain rights over Your Personal Data under data protection laws, including, for example, the Swiss Federal Data Protection Act, the California Consumer Privacy Act, or the EU GDPR.

Depending on the specific circumstances of the case and your place of residence, you may have some or all of the following rights:

● to withdraw your consent to the processing of Your Personal Data at any time. As a result, we may no longer process Your Personal Data based on the consent. But the withdrawal of your consent has no effect on the lawfulness of processing before the withdrawal;

● to access the personal data processed by us and/or request copies of this data. In particular, you can obtain information about the purposes of processing, categories of personal data, categories of recipients to whom your data has been or will be disclosed, planned retention period, and origin of your data if it was not collected directly from you;

● to request the rectification/correction, erasure, or restriction of processing of Your Personal Data;

● to request Your Personal Data, which you have provided to us, in a structured, commonly used, and machine-readable format and to transmit this data to another controller. You may also ask us to directly transmit this data to another controller, where technically feasible;

to object to the processing of Your Personal Data on grounds relating to your particular situation, if we process Your Personal Data based on our legitimate interests. You may also object to the processing of Your Personal Data for direct marketing purposes at any time;

● to opt-out of the sale of Your Personal Data to third parties. We currently sell data to Google and Facebook via cookies. You may opt out of these cookies by following the instructions in 4.3.1(a) (for Google) and 4.3.3(c) (for Facebook). You may also access it via the form below or via our “Sale of Personal Information” page.

● to obtain information of the possibility of denying consent to the data processing and the consequences of the denial;

● to oppose the processing grounded on a legal basis other than consent;

● to request review, by a natural person, of decisions taken solely on the basis of automated processing of personal data that affects their interests, including decisions intended to define their personal, professional, consumer or credit profile, or aspects of their personality.

In general, exercising these rights requires you to be able to prove the account ownership. In order to assert these rights, please contact us at Smallpdf AG, Steinstrasse 21, 8003 Zürich, Switzerland or via email at privacy@smallpdf.com, or using this form. After you’ve contacted us, we may ask you for some information to prove your identity; what we ask for will depend upon whether or not you have an account with us. Once we have authenticated your identity, we will fulfill your request within one month unless we inform you otherwise. You may also contact our representatives in the EU and the UK as well as our Data Protection Officer as set out in section 10 below.

You can have an agent (your attorney or another person empowered to represent your interests) make one of these requests on your behalf. We will ask the agent to provide proof of your authorization and proof of both their and your identity.

In addition, every data subject has the right to enforce their rights in court or to lodge a complaint with the competent data protection authority. We will not discriminate against you for exercising your data rights in any way; however, please be aware that the erasure of certain essential data may prevent us from continuing to provide you with the same services.

6. How and for how long do we store Your Personal Data?

In brief: We keep Your Personal Data and the User Files you upload only as long as they are needed for the provision of our services or as required by law.

We will only retain Your Personal Data and User Files you upload for as long as necessary to fulfill the purpose for which it was collected or to comply with legal requirements. To help us, we apply criteria to determine the appropriate periods for retaining Your Personal Data depending on its purpose, such as account maintenance, facilitating client relationship management, and responding to legal claims or requests from authorities.

If you do not have a User Account (see Section 1.4 above) or are not logged in when using our services (e.g. when being asked for a signature via our eSign tool, see Section 1.9 above), we will generally delete User Files within 14 days after the last time they were opened. Please note that this retention period is extended by another 14 days every time you reopen the respective User File. Please note that if you use third-party services to access our services, data retention of User Files by the respective provider may differ.

If you access our services via a User Account, we delete User Files within one hour unless you save them to your file storage. When you choose to delete saved User Files, we generally delete them within 14 days.

7. Which data transfers outside the EU/EEA take place?

In brief: In some cases, we may transfer Your Personal Data outside of Switzerland and will ensure that Your Personal Data is well protected irrespective of its location.

We are located in Switzerland, which has been recognized as a safe third country in an adequacy decision of the European Commission. When you use our services, Your Personal Data may be transferred to recipients located in other countries, including outside the EU/EEA.

Where such a recipient country does not provide for an adequate level of data protection according to the European Commission, we will only transfer Your Personal Data to the recipient country on the basis of appropriate safeguards, such as binding corporate rules, standard contractual clauses (European Commission decision 2010/87/EU), or when another exception under Art. 49 GDPR applies. Please contact us (see “Contact Us” section) to request information on the specific safeguards that are in use for the recipients of Your Personal Data.

8. COOKIES–How and why does Smallpdf use them?

In brief: We may use cookies for functional purposes without your consent, or for analytical or advertising-related purposes, if you consent to this.

A cookie is a small piece of data placed on your computer’s hard drive that permits identifying a specific device or browser. We may place our own cookies (first-party cookies) or third-party services integrated on our website may place cookies on your device (third-party cookies). Cookies may typically process personal data, such as your IP address, device information, date and time of your visit to our website, information on your activities on our website, settings you make when visiting our website, and unique identification numbers. There are different types of cookies, such as session cookies (which expire at the end of your browsing session) or persistent cookies (which are stored on your device for a longer period of time and between sessions and can enable the entity that placed the cookie to recognize your device or browser between sessions).

We use cookies for different purposes:

8.1 Cookies for functional purposes

We use cookies or similar technologies that are technically necessary to operate our website or provide its basic functions, such as our payments or keeping you logged in (if you want that). These cookies allow us to operate our site, maintain its security, and provide its key functions. We process Your Personal Data to provide our website to you (Art. 6 (1) (1) b GDPR) and based on our legitimate interest to ensure its security, a smooth user experience, and smooth access to these key functions (Art. 6 (1) (1) f GDPR).

8.2 Cookies for analytical purposes

We use cookies or similar technologies to better understand your use of our website. For example, they help us track the number of visitors to our website and see how users move around our website. This helps us improve the way our website works, for example, by ensuring that users can find what they are looking for. Some of these cookies may be placed by third-party providers (see Section 4 above for details). We only place these cookies with your consent (Art. 6 (1) (1) a GDPR).

8.3 Cookies for personalization and advertising-related purposes

We use cookies or similar technologies to capture your visit to our website, the pages you visit, and the links you follow. We may use this information based on your consent (Art. 6 (1) (1) a GDPR) and will process it to evaluate your preferences to make our website and the advertisements we display more relevant for you. We may also share this information with third parties (see Section 4 above for details). Some of these cookies may track your movements on other websites.

9. Does Smallpdf knowingly handle the data of minors?

Smallpdf does not knowingly collect or retain the data of minors under the age of sixteen. Such persons are not permitted to use this website except where enabled by a school that has contracted with us, in which case the school is the data controller and is responsible for the respective data processing affecting minors. If you discover that a minor has been using our website, please let us know via the contact information in Section 11 and we will delete their information.

10. Can Smallpdf change the terms of this Privacy Notice?

In brief: Changes to this Privacy Notice may occur and will be made available to you.

Smallpdf may occasionally make changes and corrections to this Privacy Notice. Please check this Privacy Notice regularly to see the changes and how they may affect you.

11. Contact us

In brief: Let us know if you have any questions.

If you have any requests concerning our processing of Your Personal Data or any queries with regard to these practices, please contact Smallpdf at the contact data given above, including via email at privacy@smallpdf.com.

Individuals and data protection supervisory authorities in the EU and the UK may contact our data protection representatives according to Art. 27 GDPR. For the EU, please reach out to DP-Dock GmbH, Attn: Smallpdf, Ballindamm 39, 20095 Hamburg, Germany. For the UK, please reach out to DP Data Protection Services UK Ltd., Attn: Smallpdf, 16 Great Queen Street, Covent Garden, London, WC2B 5AH, United Kingdom. You may also contact any of these representatives at smallpdf@gdpr-rep.com.

You can also contact our data protection officer at any time at our postal address or the following email address: dpo@smallpdf.com.

Zürich, February 2022 (original created January 2020), Smallpdf AG