Privacy Policy

Last updated: April 20, 2026

The short version

SealedPDF is built so your PDF files never leave your browser. The PDF bytes are read, edited, and saved on your own computer. Our servers see your email, your plan, a monthly operation count, and a log of which tools you ran — nothing about the files themselves.

There is exactly one exception: the PII redaction and contract analysis tools send the extracted plain text of your document to a scanning service so we can find entities or summarize terms. The PDF file itself still never leaves your browser. See “Tools that send text,” below.

What we collect

When you use SealedPDF we collect and store:

  • Your email address (used to sign in and to send billing and account-related email)
  • Your authentication state (managed by Supabase Auth, stored in an HTTP-only cookie in your browser)
  • Your current plan (Free, Solo, or Firm)
  • Your Stripe customer ID and subscription status (Solo and Firm plans only)
  • A counter of how many operations you've run this month (used to enforce the Free tier limit)
  • A per-operation audit log entry: a timestamp, your user ID, and the name of the tool you ran (for example, merge or bates_stamp). For privacy-sensitive tools (PII redaction, contract analysis) the row carries nothing else — no file size, no match counts, no text.

What we don’t collect

We specifically do not collect or store any of the following:

  • The contents of your PDF
  • The file name of your PDF
  • Any content-derived metadata (hashes, extracts, page counts)
  • A copy of the output file you downloaded

You can verify this yourself: open browser DevTools, go to the Network tab, and process a PDF with any tool other than PII redaction or contract analysis. You will see zero file uploads.

How your PDF is processed

Every tool on SealedPDF runs in your browser using two open-source libraries maintained by Mozilla and community contributors: pdf-lib for creating and editing PDFs, and pdf.js for rendering pages. The PDF bytes are read into your browser's memory, transformed locally, and handed back to you as a download. Nothing about the file is sent to us.

Tools that send text (the exception)

Two tools need a server-side service to do their work: PII redaction (finds common structured PII — emails, SSNs, phone numbers, credit card numbers, URLs, IP addresses, and dates) and contract analysis (summarizes terms and flags risky clauses).

For these tools only, the plain text extracted from your PDF — not the PDF file, not images — is sent over TLS to a scanning service. That service reads the text in memory, returns the result, and does not store the text, log it, or write it to disk. Our audit-log row records that a scan happened and on which plan — nothing about the text itself.

For contract analysis, the text is sent to Anthropic's Claude API under zero-retention terms. Anthropic may process the text to return the analysis but does not train on it or retain it beyond that request.

We intend to eventually move these scans into your browser (using on-device ML models) so that the text never leaves your machine. Until then, those operational controls are what you are trusting.

Cookies and local storage

We use one category of cookie: a session cookie issued by Supabase Auth that keeps you signed in. It is HTTP-only, Secure, and SameSite=Lax. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

Your browser may cache PDF files and intermediate artifacts in its own memory while you use a tool. These never leave your device and are cleared when you close the tab.

Third parties we rely on

  • Supabase — authentication and database. Stores the account data described above.
  • Stripe — payment processing for paid plans. Stores your billing details (card, address) under Stripe's privacy policy; we store only your Stripe customer ID and subscription status.
  • Anthropic — Claude API used by the contract analysis tool. Receives extracted text for that tool only.
  • Google — optional sign-in provider. If you sign in with Google, they learn you use SealedPDF; we receive your verified email and a provider ID.
  • Brevo — transactional email delivery (account notifications, billing receipts, Firm seat invites, monthly usage-reset notices). We send them your email address and the message; they deliver it. We disable Brevo's open-tracking pixel and click-rewriting on every send.

How long we keep your data

Your account data is kept while your account exists. When you delete your account, we delete your profile row, your usage counters, your audit-log rows, and any matter records you created. Stripe keeps billing records for its own compliance period regardless of our deletion.

Your rights

You can request access to, correction of, or deletion of your personal data at any time by emailing the address below. If you are in a jurisdiction with a statutory right to data portability or to object to processing (for example, the EU or California), those rights apply and we will honor them.

Children

SealedPDF is not directed to children under 13 and we do not knowingly collect data from children.

Changes to this policy

If we change this policy in a way that affects how we handle data, we will update the “Last updated” date at the top and, for material changes, send an email to the address on your account.

Contact

Questions or requests about this policy can be sent to hello@sealedpdf.com.