Privacy Policy
Last Updated: May 26, 2026
🔒 Our Core Promise: We do NOT sell, share, trade, or monetize your personal data. Ever.
1. Information We Collect
We collect only the minimum information necessary to operate the Service securely and deliver files to you:
1.1 Information You Provide
- Email Address — Optional for YouTube downloads (only required if you explicitly choose the Google Drive delivery option) and file transfer services. Used exclusively for delivering download links (Google Drive links, direct download links, or failure notifications). No mandatory verification or account creation is required.
- Feedback Messages — If you submit feedback via the widget, we store the message text and an anonymous UUID generated by your browser.
- Uploaded Files — Files you upload for processing (PDFs, images, videos, etc.) are temporarily stored on the server for processing only and are automatically deleted within 30 minutes.
1.2 Information Collected Automatically
- IP Address — Logged for security purposes, rate limiting, and bot prevention to block automated traffic and protect the service from abuse.
- Request Metadata — For YouTube download requests, we log: the URL requested, email address, IP address, IP reputation score, chosen download method, and timestamp. This data is stored in a secure server-side log file to identify and block bot traffic.
- Browser-Generated UUID — The feedback widget generates and stores a random UUID in your browser's localStorage to associate feedback messages. This is not a tracking identifier and is never shared.
- Ad Blocker Detection Status — We detect whether an ad blocker is active in your browser using client-side bait elements and network request checks. The detection result (blocked or not blocked), your IP address, and the page visited are logged anonymously for aggregate analytics. No personal browsing data or extension information is collected.
- Device Fingerprint — A SHA-256 hash is generated from your standard HTTP headers (User-Agent, Accept-Language, Accept-Encoding) as part of our AI bot detection system. This fingerprint is not tied to your hardware and cannot identify you personally — it is used solely to detect repeat abusive traffic patterns across IP changes.
- Request Logs (Bot Detection) — For security purposes, all HTTP requests are temporarily logged in a server-side buffer (up to 500 entries). Each entry includes: IP address, HTTP method, URL path, response status code, User-Agent (truncated to 300 characters), referer, response time, and device fingerprint. These logs are analyzed by our AI bot detection system and then cleared.
1.3 Information We Do NOT Collect & Functional Cookie Policy
- We do NOT use cookies for tracking, analytics, or behavioral advertising. We use a single, secure first-party functional cookie (premium_token) to synchronize your premium subscription state with the server so you can upload larger files (up to 1GB) and bypass ad blocks / bot checks.
- We do NOT use Google Analytics or any third-party tracking platforms
- We do NOT collect your name, physical address, phone number, or payment details (all checkout is handled securely through Stripe's external portal).
- We do NOT create user profiles or track browsing behavior across sessions
- We do NOT require account creation or registration
2. How We Use Your Information
All collected information is used exclusively for server operational needs:
- Email — To send download links (Google Drive or direct), processing confirmations, and failure notifications. Your email is never added to any mailing list.
- IP Address — To enforce rate limits, detect and block bot/abusive traffic, and protect server resources.
- Request Logs — To identify patterns of automated abuse and improve service reliability.
- Uploaded Files — To perform the requested processing operation (convert, compress, download, etc.) and then delete them.
- Device Fingerprint & Request Logs — To power our AI bot detection system, identify malicious traffic patterns, and automatically ban abusive IPs/device fingerprints to protect the Service for all users.
3. Data Retention
- Uploaded/Downloaded Files — Automatically deleted from the server within 30 minutes of processing.
- Request Logs — Retained on the server for bot detection and abuse prevention purposes. Contains email, IP, reputation score, requested URL, and timestamp.
- Google Drive Links — Files uploaded to Google Drive for delivery are subject to periodic cleanup.
- Ad Blocker Detection Logs — Anonymous detection events (IP address, detection result, page path) are retained in a rolling log limited to the most recent 500 entries. Older entries are automatically purged.
- Bot Detection Request Logs — HTTP request logs used for AI analysis are held in a server-side ring buffer (maximum 500 entries). Once analyzed, the buffer is cleared. Logs are never written to disk beyond the analysis window.
- Banned List — If the AI bot detection system identifies your IP or device fingerprint as malicious, the ban entry (IP, device fingerprint, reason, User-Agent snippet, timestamp) is persisted in a secure server-side data store. Ban entries remain indefinitely until manually reviewed and removed by an administrator.
4. Data Sharing & Selling
🚫 We NEVER sell, trade, rent, or share your personal information with any third parties for marketing, advertising, or any commercial purpose.
Your data may only be disclosed if required by law, legal process, or governmental request, or to protect the rights, property, or safety of PdfStuffAI, its users, or the public.
5. Third-Party Services
Our Service interacts with the following third-party services for operational purposes only:
- Google Drive API — Used to upload processed files and generate shareable download links sent to your email.
- Gmail API — Used to send transactional emails (download links, failure notifications).
- Google Fonts — Used for typography. Subject to Google's Privacy Policy.
- PopAds — Third-party advertising may be displayed. We do not control the data collection practices of ad networks. See their respective privacy policies.
- Google Gemini API (Gemma 4 31B) — Used server-side for AI-powered bot detection analysis and automated error reporting. Only server request logs (IP, path, User-Agent, response time) and application error tracebacks are sent to this API. No personal user content (files, emails, or browsing history) is ever transmitted to the AI model.
- Discord Webhooks — Used to send automated server notifications (error reports, bot detection alerts) to our internal operations channel. Only server-side data (error tracebacks, banned IP summaries) is transmitted — no personal user data is included.
6. Data Security
We implement reasonable security measures to protect your data, including HTTPS encryption for all connections and automated file cleanup. However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security and are not responsible for unauthorized access resulting from factors beyond our control.
7. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will take steps to delete it promptly.
8. Your Rights
You may:
- Request deletion of any data associated with your email address by contacting us via the Feedback widget
- Choose not to provide your email (note: this will prevent using Google Drive delivery, but you can still use direct downloads)
- Clear your browser's localStorage to remove the feedback UUID at any time
9. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be reflected by updating the "Last Updated" date at the top of this page. Your continued use of the Service after any changes constitutes acceptance of the updated policy.
10. Contact
For questions or requests regarding your data, please use the Feedback widget on any page of our website.
11. Automated Security Scanning
To protect our users and infrastructure, all files uploaded to PdfStuffAI are subject to automated security scanning. This process uses binary analysis and extension verification to identify and neutralize malicious software, scripts, or unauthorized executables.
- This scanning is entirely automated and performed by our server software.
- No human employee or administrator reviews, reads, or accesses the content of your files during this process.
- Any file identified as suspicious may be automatically renamed, quarantined, or deleted to prevent system harm.
12. Ad Blocker Detection
To sustain our free service model, PdfStuffAI uses client-side ad blocker detection. Here is exactly what this involves:
- How It Works: A small hidden element with advertisement-related CSS class names is placed on each page. If your browser's ad blocker hides or removes this element, we detect it. Additionally, a small network request is made to an internal URL; if blocked, this serves as a secondary signal.
- What We Log: Only your IP address, whether an ad blocker was detected (true/false), and the page path. No browser extension names, configurations, or personal browsing history are collected.
- Purpose: This data is used solely for aggregate analytics (e.g., "X% of visitors use ad blockers") to help us understand ad revenue impact. It is never used for individual user profiling or targeting.
- Impact on Browsing: Ad blocker detection does NOT prevent you from browsing any page on our site. It only restricts the ability to submit processing tasks (downloads, conversions, etc.) until the ad blocker is disabled.
13. AI-Powered Bot Detection
To protect our infrastructure and all users from automated abuse, PdfStuffAI uses an AI-powered bot detection system. Here is exactly what this involves:
- Data Collected: Each HTTP request generates a log entry containing: IP address, HTTP method, URL path, status code, User-Agent (truncated to 300 characters), referer, response time, and a SHA-256 device fingerprint derived from your HTTP headers.
- How It's Used: These logs are batched (up to 500 entries) and periodically analyzed by an AI model (Gemma 4 31B via the Google Gemini API) to identify suspicious patterns. The AI looks for rapid-fire requests, path scanning, known attack tools, and other bot signatures.
- Search Engine Protection: Requests from known search engine crawlers (Google, Bing, Yahoo, Yandex, Baidu, DuckDuckGo, etc.) and social media preview bots are explicitly tagged and never sent for AI analysis or subject to banning.
- Automated Actions: If the AI determines an IP or device fingerprint is malicious, it is automatically added to a persistent ban list. Banned actors receive a 403 (Access Denied) response on all subsequent requests.
- No Personal Content: The AI model never receives your uploaded files, email address, or any personal content — only anonymized request metadata (IP, path, User-Agent, timing).
- Data Retention: The request log buffer is cleared after each analysis batch. Ban entries persist until manually reviewed. No request logs are permanently stored on disk.
14. Automated Error Reporting
When our server encounters an unexpected error, an automated system analyzes the error using AI (Gemma 4 31B) and sends a summary report to our internal Discord channel.
- What Is Sent: Only the application error traceback (code stack trace) and the HTTP request method/URL are sent for analysis. No personal data (email, uploaded files, IP address) is included in the AI analysis prompt.
- Purpose: This system helps us quickly identify, understand, and fix bugs to improve service reliability.
- Storage: Error reports are saved to a local file on the server for developer review.
15. Server Restart Notifications
If a server restart occurs while you have an active processing task and you provided an email address, we will send an automated email notifying you that your task was cancelled. This email includes:
- A brief explanation that the server was restarted for maintenance or updates.
- A "Retry" link that pre-fills your original request, allowing you to seamlessly resume.
- No additional personal data is collected or shared as part of this notification.
16. Cryptographic Proof-of-Work (PoW) Challenge
To prevent brute-force automated scraping and API abuse, our bot protection checkbox executes a client-side cryptographic Proof-of-Work challenge.
- How It Works: When you request download qualities, the server generates a unique cryptographically signed challenge seed. Your browser's built-in Web Crypto API automatically solves a quick hash puzzle asynchronously. Once resolved, the verification checkbox is unlocked and checked.
- No Personal Data: This process runs entirely locally within your browser and does not collect, log, or transmit any personal data. It only consumes a tiny fraction of CPU power for less than a second to prove browser authenticity.