Privacy Policy

Last Updated: March 12, 2026

1. Introduction

Notnull, Unipessoal, Lda ("us", "we", or "our") operates www.bankpdf.com (hereinafter referred to as "Service").

Our Privacy Policy governs your visit to www.bankpdf.com, and explains how we collect, safeguard, and disclose information that results from your use of our Service.

We use your data to provide and improve the Service. By using our Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, the terms used in this Privacy Policy have the same meanings as in our Terms and Conditions.

Our Terms and Conditions ("Terms") govern all use of our Service and together with the Privacy Policy and the Data Processing Addendum ("DPA") constitute your agreement with us ("Agreement").

2. Definitions

  • SERVICE means the www.bankpdf.com website operated by Notnull, Unipessoal, Lda.
  • PERSONAL DATA means data about a living individual who can be identified from those data (or from those and other information either in our possession or likely to come into our possession).
  • USAGE DATA is data collected automatically either generated by the use of Service or from Service infrastructure itself (for example, the duration of a page visit).
  • COOKIES are small files stored on your device (computer or mobile device).
  • DATA CONTROLLER means a natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. For the purpose of this Privacy Policy, we are a Data Controller of your data in relation to account data, usage data, and analytics. When processing files you upload, we act as a Data Processor on your behalf — see our Data Processing Addendum (DPA) for details.
  • DATA PROCESSOR (OR SERVICE PROVIDER) means any natural or legal person who processes the data on behalf of the Data Controller. We may use the services of various Service Providers in order to process your data more effectively. Each sub-processor is bound by a data processing agreement in accordance with Article 28 GDPR.
  • SUB-PROCESSOR means any Data Processor engaged by us to assist in the processing of Personal Data on behalf of the Data Controller, in accordance with Article 28(2) and (4) GDPR.
  • DATA SUBJECT is any living individual who is the subject of Personal Data.
  • THE USER is the individual using our Service. The User corresponds to the Data Subject, who is the subject of Personal Data.
  • DATA PROCESSING ADDENDUM (DPA) means the supplementary agreement governing the processing of Personal Data by us on your behalf, as required by Article 28 GDPR.

3. Roles and Responsibilities

3.1 When We Act as Data Controller

We act as Data Controller when we collect and process data for our own purposes, including:

  • Account registration and management data (name, email, billing information)
  • Usage Data and analytics
  • Marketing communications (with your consent)
  • Cookie data

3.2 When We Act as Data Processor

When you upload PDF files for conversion, we act as a Data Processor on your behalf. In this capacity:

  • We process your files solely on your documented instructions and for the purpose of providing the conversion service.
  • The processing is governed by our Data Processing Addendum (DPA), which forms an integral part of this Agreement.
  • We engage sub-processors only with your prior general authorization and under written agreements that impose equivalent data protection obligations.

4. Information Collection and Use

We collect several different types of information for various purposes to provide and improve our Service to you.

4.1 Personal Data

While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you ("Personal Data"). Personally identifiable information may include, but is not limited to:

  • Email address
  • First name and last name
  • Phone number
  • Address, Country, State, Province, ZIP/Postal code, City
  • Cookies and Usage Data

We will only send you newsletters, marketing, or promotional materials if you have given your explicit prior consent. You may withdraw your consent and opt out of receiving any, or all, of these communications at any time by following the unsubscribe link or by contacting us at [email protected].

4.2 Usage Data

We may also collect information that your browser sends whenever you visit our Service or when you access the Service by or through any device ("Usage Data").

This Usage Data may include information such as your computer's Internet Protocol address (e.g., IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers, and other diagnostic data.

When you access the Service with a device, this Usage Data may include information such as the type of device you use, your device unique ID, the IP address of your device, your device operating system, the type of Internet browser you use, unique device identifiers, and other diagnostic data.

4.3 Uploaded Files (Processed Data)

When you upload PDF files for conversion, these files may contain Personal Data (e.g., bank statement data including names, account numbers, transaction details). We process these files solely for the purpose of providing the conversion service and in accordance with the DPA. We do not access, use, or analyze the content of your files for any purpose other than providing the conversion service and debugging as described in Section 9.

4.4 Tracking Cookies Data

We use cookies and similar tracking technologies to track the activity on our Service and we hold certain information.

Cookies are files with a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Other tracking technologies are also used such as beacons, tags, and scripts to collect and track information and to improve and analyze our Service.

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.

Essential/Necessary Cookies:
Purpose: These cookies are essential for the website to function properly and cannot be switched off.
Examples: Session cookies, authentication cookies.

Analytics/Performance Cookies:
Purpose: These cookies allow us to recognize and count the number of visitors and see how visitors move around our website.
Examples: PostHog analytics cookies.

Functional Cookies:
Purpose: These cookies enable the website to provide enhanced functionality and personalization.
Examples: Language preference cookies, account settings cookies.

Third-Party Cookies:
Our website includes cookies set by the following third parties: PostHog.

Cookie Management:
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.

5. Legal Basis for Processing (Article 6 GDPR)

We process your Personal Data on the following legal bases:

  • Consent (Art. 6(1)(a)): Where you have given clear consent for us to process your Personal Data for a specific purpose (e.g., marketing communications, non-essential cookies).
  • Contract (Art. 6(1)(b)): Where processing is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into a contract (e.g., account creation, service delivery, file conversion).
  • Legal Obligation (Art. 6(1)(c)): Where processing is necessary for compliance with a legal obligation to which we are subject (e.g., tax and accounting requirements).
  • Legitimate Interests (Art. 6(1)(f)): Where processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms (e.g., analytics, service improvement, security).

Processing Activity | Legal Basis
Account creation and management | Contract, Legitimate Interests
File conversion service delivery | Contract
Marketing communications | Consent
Analytics and service improvement | Legitimate Interests
Legal and regulatory compliance | Legal Obligation
Security monitoring | Legitimate Interests

6. Use of Data

Notnull, Unipessoal, Lda uses the collected data for the following purposes:

  • To provide and maintain our Service
  • To notify you about changes to our Service
  • To allow you to participate in interactive features of our Service when you choose to do so
  • To provide customer support
  • To gather analysis or valuable information so that we can improve our Service
  • To monitor the usage of our Service
  • To detect, prevent, and address technical issues
  • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection
  • To provide you with notices about your account and/or subscription, including expiration and renewal notices
  • To provide you with news, special offers, and general information about other goods, services, and events which we offer that are similar to those that you have already purchased or enquired about, unless you have opted not to receive such information

7. Sub-Processors and Third-Party Service Providers

We engage the following categories of sub-processors to deliver our Service. Each sub-processor is bound by a data processing agreement in accordance with Article 28 GDPR.

7.1 AI and Document Processing Services

Sub-Processor | Purpose | Data Processed | Server Location | Transfer Mechanism
OpenAI | Text processing and analysis in documents | Document content | USA | Standard Contractual Clauses (SCCs)
Anthropic | Text content processing and analysis | Document content | USA | Standard Contractual Clauses (SCCs)
xAI | Text content processing and analysis | Document content | USA | Standard Contractual Clauses (SCCs)
OpenRouter | AI model routing and processing | Document content | USA | Standard Contractual Clauses (SCCs)
Mistral AI | Text content processing and analysis | Document content | EU (France) | N/A (within EEA)
Microsoft Azure (Document Intelligence) | Document extraction and analysis | Document content | EU (configurable) | Adequacy decision / SCCs
Google Vertex AI | Document processing tasks | Document content | EU (configurable) | Adequacy decision / SCCs

Important: When you upload files for conversion, the content of your documents may be transmitted to the above AI service providers for processing. These providers process data solely on our instructions and are contractually prohibited from using your data for their own purposes, including model training.

7.2 Hosting and Infrastructure

Sub-Processor | Purpose | Data Processed | Server Location | Transfer Mechanism
Hetzner | Server hosting and infrastructure | All service data | EU (Germany) | N/A (within EEA)

7.3 Analytics and Tracking

Sub-Processor | Purpose | Data Processed | Server Location | Transfer Mechanism
PostHog | Usage analytics and service improvement | Usage Data, IP address, browser data | EU | N/A (within EEA)

7.4 Changes to Sub-Processors

This document contains the current and authoritative list of sub-processors. We will update this list and notify you of any intended changes concerning the addition or replacement of sub-processors, giving you the opportunity to object to such changes in accordance with the DPA.

8. Retention of Data

We will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy.

Data Category | Retention Period | Justification
Account data (name, email, etc.) | Duration of account + 12 months after deletion | Contract performance, legal obligations
Uploaded PDF files | Maximum 30 days | Service delivery, debugging, and quality assurance
Converted output files | Maximum 30 days | Service delivery, debugging, and quality assurance
Usage Data and analytics | 26 months | Service improvement (Legitimate Interests)
Billing and payment records | 10 years | Legal obligation (Portuguese tax law, Art. 123.º Código do IRC)
Marketing consent records | Duration of consent + 3 years | Demonstrating compliance

Uploaded and Converted Files: PDF files you upload and the resulting converted output files are retained for a maximum period of 30 days for service delivery, debugging, and quality assurance purposes. In cases where you request assistance with resolving specific conversion issues, we may retain the relevant files for the duration necessary to resolve the issue, even if this extends beyond the standard 30-day period. Once this period expires or the issue is resolved, the files are automatically and permanently deleted from our systems.

Sub-Processor Retention: Data transmitted to AI sub-processors (OpenAI, Anthropic, xAI, OpenRouter, Mistral, Azure, Google) for processing is not retained by those sub-processors beyond the duration necessary to complete the processing request, as specified in our data processing agreements with each provider. We use zero-data-retention API configurations where available.

9. Technical and Organizational Security Measures (Article 32 GDPR)

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

9.1 Encryption

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Uploaded documents are encrypted at rest.
  • API communications with sub-processors are encrypted using TLS.

9.2 Access Control

  • Access to Personal Data and uploaded files is restricted to authorized personnel on a need-to-know basis.
  • We enforce multi-factor authentication (MFA) for administrative access to our systems.

9.3 Infrastructure Security

  • Our servers are hosted in Hetzner data centers in Germany, which are ISO 27001 certified.
  • We implement firewall rules to limit exposure.
  • Periodic security testing is conducted internally.

9.4 Data Minimization

  • We collect only the minimum amount of Personal Data necessary for the purposes described in this policy.

9.5 Backup and Recovery

  • Regular backups are maintained to ensure data availability.

9.6 Confidentiality

  • All persons with access to Personal Data are bound by confidentiality obligations.

9.7 Secure Deletion

  • Uploaded files are permanently deleted after the retention period using secure deletion methods.
  • Upon account deletion, all associated Personal Data is removed within the timeframes specified in Section 8.

9.8 Regular Testing and Evaluation

In accordance with Article 32(1)(d) GDPR, we periodically review and evaluate the effectiveness of our technical and organizational measures for ensuring the security of the processing.

10. Data Breach Notification (Articles 33 and 34 GDPR)

10.1 Notification to Supervisory Authority

In the event of a Personal Data breach, we will notify the competent supervisory authority (Comissão Nacional de Proteção de Dados — CNPD) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

10.2 Notification to Data Subjects

Where a Personal Data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will communicate the breach to the affected Data Subjects without undue delay.

10.3 Breach Notification Content

Any notification will include:

  • A description of the nature of the Personal Data breach
  • The name and contact details of our Data Protection Officer
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach

10.4 Processor Breach Notification

When acting as a Data Processor, we will notify the Data Controller (you) without undue delay after becoming aware of a Personal Data breach affecting your data, as further specified in the DPA.

11. International Data Transfers

Some of our third-party sub-processors are based outside the European Economic Area (EEA), so their processing of your Personal Data involves a transfer of data outside the EEA.

Whenever we transfer your Personal Data out of the EEA, we ensure a similar degree of protection is afforded to it by implementing at least one of the following safeguards:

  • Adequacy Decisions: We transfer data to countries that have been deemed to provide an adequate level of protection by the European Commission.
  • Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) to provide appropriate safeguards.
  • Supplementary Measures: Where required by the circumstances (following a Transfer Impact Assessment), we implement additional technical, organizational, or contractual measures to ensure the protection of your data.

The specific transfer mechanisms used for each sub-processor are detailed in Section 8.

Please contact us at [email protected] if you want further information on the specific mechanism used when transferring your Personal Data out of the EEA.

12. Disclosure of Data

We may disclose Personal Information that we collect, or you provide:

  • Law Enforcement: Under certain circumstances, we may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities.
  • Business Transaction: If we or our subsidiaries are involved in a merger, acquisition, or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.
  • Service Providers: To contractors, service providers, and other third parties we use to support our business, subject to contractual obligations consistent with this Privacy Policy and Article 28 GDPR.
  • With Your Consent: In any other cases where you provide explicit consent.
  • Legal Protection: If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of the Company, our customers, or others.

13. Your Data Protection Rights Under GDPR

If you are a resident of the European Union (EU) or European Economic Area (EEA), you have the following rights under the GDPR:

  • Right of Access (Art. 15): You have the right to obtain confirmation as to whether your Personal Data is being processed and to access that data.
  • Right to Rectification (Art. 16): You have the right to have inaccurate Personal Data corrected and incomplete data completed.
  • Right to Erasure (Art. 17): You have the right to request the deletion of your Personal Data under certain circumstances.
  • Right to Restriction of Processing (Art. 18): You have the right to request the restriction of processing of your Personal Data under certain circumstances.
  • Right to Data Portability (Art. 20): You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
  • Right to Object (Art. 21): You have the right to object to processing based on Legitimate Interests, including profiling.
  • Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
  • Right Not to Be Subject to Automated Decision-Making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling.
  • Right to Lodge a Complaint (Art. 77): You have the right to lodge a complaint with a supervisory authority. In Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD) at www.cnpd.pt. You can also find your local EU supervisory authority at: https://edpb.europa.eu/about-edpb/board/members_en

To exercise any of these rights, please contact us at [email protected] or our Data Protection Officer at [email protected]. We will respond to your request within 30 days. In exceptional circumstances, we may need to extend this period by a further two months, in which case we will inform you within the initial 30-day period.

Please note that we may ask you to verify your identity before responding to such requests.

14. Data Protection Officer

For questions about our privacy practices or to exercise your data protection rights, you can contact our Data Protection Officer at:

15. Your Rights under the California Privacy Protection Act (CalOPPA)

According to CalOPPA we agree to the following:

  • Users can visit our site anonymously.
  • Our Privacy Policy link includes the word "Privacy" and can easily be found on the home page of our website.
  • Users will be notified of any privacy policy changes on our Privacy Policy page.
  • Users are able to change their personal information by emailing us at [email protected].

Our Policy on "Do Not Track" Signals: We honor Do Not Track signals and do not track, plant cookies, or use advertising when a Do Not Track browser mechanism is in place. You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.

16. Your Rights under the California Consumer Privacy Act (CCPA)

If you are a California resident, you are entitled to:

  • Right to Know: Learn what personal information we collect about you, the sources, purposes, and categories of third parties with whom we share it.
  • Right to Delete: Request deletion of your personal information.
  • Right to Opt-Out: Request that we stop selling your personal information. We do not sell your personal information for monetary consideration. However, under some circumstances, a transfer of personal information to a third party without monetary consideration may be considered a "sale" under California law.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

You are entitled to request this information up to two times in a rolling twelve-month period.

To exercise your California data protection rights, please send your request(s) by email to: [email protected].

17. Payments

We may provide paid products and/or services within Service. In that case, we use third-party services for payment processing.

We will not store or collect your payment card details. That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS.

18. Links to Other Sites

Our Service may contain links to other sites that are not operated by us. If you click a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

19. Children's Privacy

Our Services are not intended for use by children under the age of 18 ("Child" or "Children").

We do not knowingly collect personally identifiable information from Children under 18. If you become aware that a Child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from Children without verification of parental consent, we take steps to remove that information from our servers.

20. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top.

We will notify you via email and/or a prominent notice on our Service prior to the change becoming effective.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

21. Contact Us

If you have any questions about this Privacy Policy, please contact us: