Date: Aug 1, 2025
Readdle Limited (“Readdle”, “we”, or “us”) welcomes you. We provide you with access to our web application “PDF Copilot by PDF Expert” (“App” or “PDF Copilot”) and related website services (collectively, the “Service”), subject to the terms and conditions of our Terms of Service.
This Privacy Notice describes what personal data the App collects, how stores, processes, and uses it, and what happens when you use the Service. We understand you care about your privacy, and we appreciate the trust you place in us. To justify that trust, we embed the latest data security standards, improve our awareness of privacy matters, and comply with the General Data Protection Regulation and other privacy laws.
When you use our application for Mac and iOS “PDF Expert”, your personal data is processed in accordance with the Privacy Notice for PDF Expert App.
If you have any questions or comments about this Privacy Notice, please feel free to contact us.
We are the controller of your personal data processed in connection with the Service. This means that we determine the purposes and means of personal data processing.
Our support team is happy to assist you in any matter. We kindly ask you to be polite and calm in your communication with us. Otherwise, we may not respond to offensive emails/messages.
When you access or use the Service, you become our user (“User”), and we collect and process some of your personal data.
Please note that we do not knowingly process the personal data of Users under the age of 16. If you are such a User or you are a legal representative of such a User, please contact us.
We collect data directly from you or automatically when you access or use the Service. We may generate some data in relation to you, for example a user ID. We may also, although we do not necessarily do so, receive data from third parties. It depends on your settings and the features you use.
To process your personal data, we rely on one of the following lawful bases:
We collect your personal data according to this Privacy Notice when you access or use the Service, depending on how you interact with it, what features you use, and what subscription you have.
We collect identifiers, technical information, usage, and diagnostics data about the Users to optimize performance, debug issues, and improve our Service while ensuring security and privacy to improve the overall user experience. Some data may be collected via cookies and similar technologies; for more details please refer to our Cookie Policy.
| Data | Reasons for Processing | Lawful Basis | Data Storage |
|---|---|---|---|
| Providing you with the Service | Performance of the contract | We store the data during your use of the Service and for six (6) years after your account deletion. If your account is inactive for thirty six (36) months, we may delete it by ourselves with a prior notice. |
| Improvement of the Service | Legitimate interest | We store the data until you object to the processing where we have your email and can identify you |
We may ask you for some information about yourself to register an account, provide you with the Service and communicate with you.
| Data | Reasons for Processing | Lawful Basis | Data Storage |
|---|---|---|---|
| Registration and maintaining your account | Performance of the contract | We store the data during your use of the Service and for six (6) years after your account deletion. If your account is inactive for thirty six (36) months, we may delete it by ourselves with a prior notice. | |
| Name | Registration and maintaining your account | Performance of the contract | We store the data during your use of the Service and for six (6) years after your account deletion. If your account is inactive for thirty six (36) months, we may delete it by ourselves with a prior notice. |
| Email, Name (continued) | Confirming your subscription status | Performance of the contract | (Same as above) |
| Email, Name (continued) | Confirming the payment for compliance with the applicable law | Legal obligation | (Same as above) |
| Email, Name (continued) | Communication with you about the product (updates, recommendations, tips, news) and our major news and offers | Legitimate interest | We process the data during the performance of the contract or until you unsubscribe |
| Google profile picture (if you sign in with your Google account) | Registration and maintaining your account | Performance of the contract | We store the data during your use of the Service and for six (6) years after your account deletion. If your account is inactive for thirty six (36) months, we may delete it by ourselves with a prior notice. |
We collect some additional data to process your payments. We also keep the history of payments, as this is a legal requirement, and we cannot delete this information until the filing of the annual accounts expires.
| Data | Reasons for Processing | Lawful Basis | Data Storage |
|---|---|---|---|
| Confirming the payment for compliance with the applicable law | Legal obligation | We store the data during your use of the App and for six (6) years after your account deletion. If your account is inactive for thirty six (36) months, we may delete it by ourselves with a prior notice. |
| (Same data as above) | Confirming the payment for providing you with the paid features of the App | Performance of the contract |
We collect personal data to provide you with the Services depending on your interactions with it.
| Data | Reasons for Processing | Lawful Basis | Data Storage |
|---|---|---|---|
| Files | Providing you with the Service | Performance of the contract | We store the data during your use of the App and fourteen (14) days after deletion of your account. If your account is inactive for thirty six (36) months, we may delete it by ourselves with a prior notice. If you have not signed in to your account, the files are stored for 1 day. |
You will have access to AI chat features. The request within the AI chat features is processed in three steps. First, we receive and pseudonymize your request. Second, we send it to the AI provider for processing. Third, we receive the output and provide the result back to you. Please note that we do not control or influence the data included in your requests or their results.
We process your requests within the AI Chat features with the engagement of different third-party AI providers (Open AI by Open AI LLC and Azure OpenAI Service by Microsoft Corporation). We may switch between the AI providers to provide a more secure and faster service, to run new versions of models, or for other commercially justifiable reasons. The switch between the providers is manual, and we retain full control over it. We will not provide notification about such switches.
Please note that the AI providers commit not to use the User’s data to train their models. They retain the data sent within the request for abuse and misuse monitoring purposes for a maximum of thirty (30) days, after which it is deleted, unless otherwise required by law.
| Data | Reasons for Processing | Lawful Basis | Data Storage |
|---|---|---|---|
| Providing you with the App features | Performance of the contract | We store the data until you delete a relevant document or clear the AI Chat history. We do not store this data. After completion of your request, the data is deleted. The AI providers may store the data up to thirty (30) days, unless otherwise required by law. |
| Analytics and improvement of the App | Legitimate interest | We store this data until deletion of your account or object to the processing You can also delete your communication in the AI Chat by clearing the chat in the App. |
When you address your request to support in relation to the Service, we collect some information to help you.
We may collect your detailed log files to help you with your problem. These log files may contain personal information and are connected to you.
| Data | Reasons for Processing | Lawful Basis | Data Storage |
|---|---|---|---|
| Assistance with your support request | Performance of the contract | We store the data during communication and for six (6) years after the last communication on the ticket |
| Data | Reasons for Processing | Lawful Basis | Data Storage |
|---|---|---|---|
| To respond to your request | Performance of the contract | If you submit your request to our support team, the data is stored during communication and for six (6) years after the last communication on the ticket If you use Support Chat but do not submit your request to our support team, the data is stored during communication and up to one (1) year after closing the conversation. |
| Improvement of the Service | Legitimate interest | Stored during communication and up to one (1) year after closing the conversation. |
To enhance our Support chat, we may offer the option of using AI-powered assistance from the trusted provider. In this case you can get quick, automated responses to your inquiries. No data will be used for training. Still, you can always choose to continue the chat without AI, if you prefer so.
We may reach out to request your feedback. Your insights are invaluable to us for enhancing the Service and improving user experience.
| Data | Reasons for Processing | Lawful Basis | Data Storage |
|---|---|---|---|
| To ask for your feedback or suggest participation in the users’ surveys | Legitimate interest | We process data in this way until you unsubscribe |
When you submit your feedback about the Service to us directly or via third-party platforms, we process personal data in your feedback, which may include the data listed below.
| Data | Reasons for Processing | Lawful Basis | Data Storage |
|---|---|---|---|
| Communication regarding your feedback and consent | Legitimate interest | We store the data for six (6) years from the feedback or the last communication on feedback, or until you withdraw the consent |
| (Same data as above) | Improvement of the Service / Use in marketing activities | Consent | |
| Improvement of the Service / Use in marketing activities | Legitimate interest / Consent |
| Data | Reasons for Processing | Lawful Basis | Data Storage |
|---|---|---|---|
| To use your feedback in our product development and/or marketing activities | Legitimate interest | We store the data for two (2) years from feedback or the last communication on feedback |
We may receive some personal data from third parties.
The amount of data collected, the purposes, and the lawful bases for processing are determined by the respective privacy documents of these parties.
| Third Party | Privacy Documents |
|---|---|
| Privacy Policy | |
| Apple | Privacy Policy |
| OpenAI | Privacy Policy Enterprise Privacy |
| Azure OpenAI | Data, privacy and security |
We may share your personal data with third parties without causing you any harm and in strict compliance with applicable privacy laws. Additionally, we maintain organizational and technical measures to secure your personal data during its transfer to third parties.
To share your data, we rely on the lawful bases such as consent, compliance with the law, and performance of a contract, depending on the specific circumstances.
| Third Party | Description |
|---|---|
| Analytics tools | We use analytics tools to understand and promote our business. |
| Contractors | We cooperate with contractors to operate, develop, and improve the Service, fulfill your support requests, etc. We sign data processing agreements with them and impose various security measures to ensure your data is safe. |
| Services PDF Copilot Web uses | We use third-party services to provide you with the Service. For example, we use different third-party AI providers (Open AI by Open AI LLC, and Azure OpenAI Service by Microsoft Corporation) to offer the AI features. You can find links to the privacy documents of AI providers here. |
| Services our team uses | We use CRM systems, messengers, and other services in our organization to provide you with our services. For example, to manage and fulfill privacy requests we use: |
| State authorities, courts, law enforcement agencies, etc | We may be obliged to transfer some of your data to tax authorities, courts, law enforcement agencies, and other governmental bodies:
|
To get a detailed list of the third-party recipients of your personal data, contact us.
The personal data we collect is stored on the US servers, which participate in the Data Privacy Framework and European Economic Area (“EEA”) servers, which fall under the General Data Protection Regulation.
We may share personal data with the recipients in the USA and other countries, including non-EEA ones, ensuring that your data is protected and processed in accordance with the General Data Protection Regulation.
To share the data outside the EEA, we rely on the adequacy decision by the European Commission or the Data Privacy Framework participation of the recipient. If the recipient does not participate in the Data Privacy Framework and its country is not deemed to provide an adequate level of protection for your personal data, we adopt Standard Contractual Clauses based on legislation assessments for data protection during transfer and storage.
You can read more detailed measures to protect your personal data here.
We routinely conduct Data Protection Impact Assessments to guarantee the implementation of adequate technical and organizational measures. These measures aim to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
To enhance the protection of your personal data, we employ HTTPS and encryption, establish segmented group and individual access (as necessary), utilize an alarm system, implement a corporate VPN, and adhere to formally approved internal policies, including those for password management and physical access.
Furthermore, we consistently monitor the state of the art of our technologies and diligently maintain backups. Additionally, all our contractors are bound by contractual obligations that comply with the GDPR and other privacy legislation requirements.
You can contact us in case of any questions regarding security issues.
Here you can find information about the steps we mentioned above:
Physical Measures
Organizational Measures
Transfer Protection
Contractor and Staff Training
Regular Access and Policy Review
Privacy Protection
Code Review
Technical Measures
Backup
Two-factor Authentication
Stress-tests
Static Analysis
Quality Assurance
Regular Patch Management
Dependency and Supply Chain Vulnerability Check
As a data subject, you have the right to access, manage, and control your data either directly or by submitting a request to us. This section outlines these rights and explains how you can exercise them based on your place of residence.
| Right | Description |
|---|---|
| Right to access | You can request an explanation of the processing of your personal data. |
| Right to rectification | You can change the data if it is inaccurate or incomplete. |
| Right to erasure | You can send us a request to delete your personal data from our systems. We will remove them unless otherwise provided by law. |
| Right to restrict the processing | You may partially or completely prohibit us from processing your personal data. |
| Right to data portability | You can request all the data you provided to us and request to transfer data to another controller. |
| Right to object | You may object to the processing of your personal data. |
| Right to withdraw consent | You can withdraw your consent at any time. |
| Right to file a complaint | If your request was not satisfied, you could file a complaint to the regulatory body. |
To exercise your rights, contact us.
For EEA residents: we will answer your request within one (1) month. If your request is not satisfied, you can submit a complaint to your local Data Protection Authority. You may find it here.
For UK residents: we will answer your request within one (1) month. If your request is not satisfied, you can submit a complaint at the Information Commissioner’s Office via number 0303-123-1113 or go online at www.ico.org.uk/concerns.
Your rights may vary depending on the state of your residency, as indicated below.
| Right | Description | Area |
|---|---|---|
| Right to access | You can request an explanation of the processing of your personal data. | California; Colorado; Connecticut; Indiana; Iowa; Montana; Tennessee; Texas; Utah; Virginia. |
| Right to correct | You can change the data if it is inaccurate or incomplete. | California; Colorado; Connecticut; Indiana; Montana; Tennessee; Texas; Virginia. |
| Right to delete | You can send us a request to delete your personal data from our systems. | California; Colorado; Connecticut; Indiana; Iowa; Montana; Tennessee; Texas; Utah; Virginia. |
| Right to portability | You can request all the data you provided to us and request to transfer data to another controller. | California; Colorado; Connecticut; Indiana; Iowa; Montana; Tennessee; Texas; Utah; Virginia. |
| Right to opt out of sales | The right to opt out of the sale of personal data to third parties. | California; Colorado; Connecticut; Indiana; Iowa; Montana; Tennessee; Texas; Utah; Virginia. |
| Right to opt out of certain purposes | The right to opt out of processing for profiling/targeted advertising purposes. | Colorado; Connecticut; Indiana; Montana; Tennessee; Texas; Utah; Virginia. |
| Right to opt out of the processing of sensitive data | The right to opt out of the processing of sensitive data. | California. |
| Right to opt in for sensitive data processing | The right to opt in before the processing of sensitive data. | Colorado; Connecticut; Indiana; Montana; Tennessee; Texas; Virginia. |
| Right against automated decision-making | A prohibition against a business making decisions about a consumer based solely on an automated process without human input. | California; Colorado; Connecticut; Indiana; Iowa; Montana; Tennessee; Texas; Virginia. |
| Private right of action | The right to seek civil damages from a controller for violations of a statute. | California. |
To exercise your rights, contact us.
We will answer your request within thirty (30) to sixty (60) days, depending on the state and legislative requirements. If your complaint is not satisfied, you can submit a complaint with the Federal Trade Commission.
Please note! Some states do not have privacy laws. The rights of residents of such states are governed by U.S. federal law. If your state is not on the list, please contact us.
Under the California Consumer Privacy Act (CCPA), California residents possess the right to opt out of the “sale” of their personal information by entities governed by the CCPA.
We do not sell your personal information to anyone, nor do we use your data as a business model. Ensuring your privacy is our top priority, and we are fully committed to safeguarding it.
We adhere to the CCPA by providing California residents the option to opt out of any potential future sale of their personal information. If you wish to register your preference that we do not sell your data in the future, please contact us at dpo@readdle.com.
California residents using our Service have the option to request that we do not automatically collect and track information related to their online Browse activities across the Internet.
These requests can usually be made via web browser settings that manage signals or other mechanisms, enabling consumers to express their preferences concerning the collection of personal data about their online activities over time and across third-party websites or online services.
We currently do not have the ability to honor these requests. However, we may update this Privacy Notice as our capabilities evolve.
| Right | Description |
|---|---|
| Right to access | You can request an explanation of how your personal data is processed. |
| Right to rectification | You can change the data if it is inaccurate or incomplete. |
| Right to delete | You can send us a request to delete your personal data from our systems. We will remove all data except what we are obliged to store in compliance with the law requirements. |
| Right to data portability | You can request all the data you provided to us and request to transfer data to another controller. |
| Right to object opt-out | You may object to the processing of your personal data. |
| Right to withdraw consent | You can withdraw your consent at any time. |
| Right not to be subject to automated decision-making | You can object to being subject to automated-based processing to know if there are consequences concerning them due to such processing. |
| Right to lodge a complaint | If your request is not satisfied, you can file a complaint to the regulatory body. |
To exercise your rights, contact us.
We will answer your request within thirty (30) days. If your complaint is not satisfied, you can submit a complaint to the Office of the Privacy Commissioner of Canada.
The Privacy Notice and the relationships falling under its effect are regulated by the General Data Protection Regulation. Please note that laws and requirements for processing personal data can evolve. In the event of changes, we will release an updated version of the Privacy Notice to reflect these modifications.
If we make substantial changes to the Privacy Notice or the Service that affect your data privacy rights, we will notify you by email or display information on the website or in the App and ask you to read it. You will be notified in advance, and if you continue to use the Service after these changes take effect, it will be considered that you have consented to and accepted the revised Privacy Notice.