Privacy
Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is: Alessandra Tirnavan Karlsplatz 13, 1040 Wien, Austria Email: e1624264@student.tuwien.ac.at For the full provider details, see the Imprint page. No separate Data Protection Officer has been appointed under Art. 37 (1) GDPR; please direct data-protection inquiries to the email above.
Data collected
We process only such personal data as are required to operate this website and provide the PDFEnhancer application. Website. When you access this website, our hosting provider Cloudflare automatically records standard server logs (IP address, access timestamp, requested URL, browser user-agent). These data serve solely the security and availability of the website. Contact form. If you use the contact form, we process the data you provide (name, email address, message content) solely to respond to your inquiry. Application - BYO tier (free of charge). In this tier all data (PDFs, transcripts, generated content, AI chat history, exam questions, recordings) remain exclusively in the local storage of the end device (browser IndexedDB or local file storage). No personal data is transmitted to the provider in this tier. Application - Pro tier (work in progress). Upon creating a user account we process login data (email address, password hash), billing data, and the content you authorise for cloud synchronisation. Storage uses Cloudflare R2 (object storage) and Cloudflare D1 (database); execution runs on Cloudflare Workers. Application - Academia licence. Under institutional licences we process only the licensee's contact details (institution name, contact person, email address). The application itself is operated by the educational institution in this model. No cookies, no analytics. This website currently uses no cookies and no web-analytics tools.
Legal basis
We base the processing of your personal data on the following legal grounds under Art. 6 GDPR: Art. 6 (1)(f) GDPR - legitimate interest. The processing of server logs is necessary to safeguard our legitimate interest in the security, stability, and availability of the website. Art. 6 (1)(b) GDPR - contract performance and pre-contractual measures. The processing of data submitted via the contact form, and in future via the paid subscription and the academia licence, is necessary to initiate and perform the respective contract with you. Art. 6 (1)(a) GDPR - consent. Where we ask for your consent to a specific processing (e.g. future newsletters or marketing), such processing takes place exclusively on the basis of your actively given consent. You may withdraw any consent at any time with effect for the future. Art. 6 (1)(c) GDPR - legal obligation. Where statutory retention obligations apply (in particular under UGB and BAO once commercial activity commences), processing is carried out to fulfil those obligations.
Retention period
We retain personal data only as long as necessary for the respective processing purposes. Server logs of the website are deleted automatically by our hosting provider Cloudflare after a short period in accordance with their defaults. Contact-form data is stored until your inquiry has been fully resolved and to document the correspondence. Account and contract data for the paid subscription or the academia licence are stored for the duration of the contractual relationship and, after its termination, in accordance with the statutory retention periods under § 132 BAO (up to seven years). Synchronised application data (within the paid subscription) remain in the cloud infrastructure until deleted by you or until termination of the user account. Upon request we will delete your data, provided no statutory retention obligations apply.
Recipients and third-country transfers
To deliver our services we engage the following processors within the meaning of Art. 28 (1) GDPR. Cloudflare, Inc. (USA). Hosting of the website, edge network, and (planned) cloud synchronisation for the paid subscription (Cloudflare R2 for object storage, Cloudflare D1 for the database, Cloudflare Workers for execution). Transfers to the USA are based on the Standard Contractual Clauses (SCC) of the European Commission under Art. 46 (2)(c) GDPR and, where applicable, on the EU-US Data Privacy Framework. OpenAI Ireland Limited (Ireland) / OpenAI, L.L.C. (USA). Only invoked when you actively trigger application features that use OpenAI models (speech-to-text, text cleanup, text-to-speech). Transfers to the USA are based on the SCC. Anthropic PBC (USA). Only invoked when you actively trigger application features that use Claude models (summaries, AI chat, exam questions, generated transcripts). Transfers to the USA are based on the SCC. No further onward transfer of your data takes place.
Cookies
This website currently uses no cookies. Should cookies or comparable technologies (such as browser local storage for configuration purposes) be introduced in the future, they will be transparently disclosed here before deployment and - unless strictly technically necessary - used only on the basis of your actively given consent.
Web analytics and observation
We currently use no web-analytics tools on this website. There is no tracking of your usage behaviour, no session recording, and no profiling. With respect to the PDFEnhancer application we make the following commitments: No content observation. We do not inspect user-generated content (uploaded PDFs, transcripts, generated summaries, AI chat histories, exam questions, recordings). Such data remain in the local storage of the end device (BYO tier; academia tier with self-hosting) or - under the paid subscription - in the cloud infrastructure you have authorised, without the provider accessing the content itself. No user logs. No personal usage logs (inputs, queried content, asked questions) are stored on the provider's side. Planned future measures. We reserve the right to introduce in future: (i) web analytics on this website (website only, not the application) for A/B optimisation of pages and call-to-action elements; (ii) availability and infrastructure monitoring (system metrics only, no user content); (iii) versioning of internal application system-prompts with an optional thumbs-up / thumbs-down feedback signal from users, processing only the feedback signal and not the associated content. Each of these measures will be transparently disclosed here before going live and, where required, implemented on the basis of your actively given consent.
PDFEnhancer application - data flow per tier
The PDFEnhancer application is publicly accessible through the website and is offered in three tiers. The provider's data-protection position differs per tier. BYO tier (free of charge). You supply your own OpenAI and Anthropic API keys and manage them yourself. No registration is required. All data - PDFs, transcripts, generated content, AI chat history, exam questions, audio recordings - remain exclusively in the local storage of your end device (browser IndexedDB or local file storage). The provider gains no knowledge of your content or your API calls in this tier. Pro tier (work in progress). Upon creating a user account we process your login and billing data, and the content you authorise for synchronisation is replicated across your devices via the cloud infrastructure of our processor Cloudflare (R2, D1, Workers). The provider's responsibility is limited to the proper setup and maintenance of these data flows, including the secure management of the API keys provided by the provider. For the availability and reliability of the underlying infrastructure (Cloudflare), the service-level agreements of the third-party provider apply. Academia licence. Educational institutions generally operate the application themselves (self-hosting). In this model the provider processes only the licensee's master data. Any processing within the application takes place under the responsibility of the respective institution. Recording feature (audio). If you use the application's recording feature, you bear sole responsibility for obtaining the consents required under Art. 6 (1)(a) GDPR and Austrian law (in particular § 120 (1) StGB on the misuse of recording devices and § 1328a ABGB on intrusion into private life) from all persons recorded. Recording starts only after you have explicitly granted microphone access in your browser and is indicated by a visible marker while it is active. The application stores the recording exclusively in the local storage of your end device (browser IndexedDB); no transmission to the provider takes place. The raw audio is automatically deleted from local storage once its transcript has been created and is at no point part of any cloud synchronisation; where synchronisation applies, only the derived transcript text is synced, never the audio recording itself. Any processing of the audio for transcription is carried out by the AI services you have chosen (e.g. OpenAI Whisper) under the conditions stated in the “Recipients and third-country transfers” section above. Provider liability. The provider is responsible for the proper functioning of the cloud infrastructure offered (where chosen), for the availability of the website, and for the availability of the application URL. Liability for the outputs generated by OpenAI or Anthropic, for content uploaded by you, for transcripts, summaries, or AI responses generated by the application, and for the availability of the third-party services mentioned, is excluded to the extent permitted by law (see the License page, Liability disclaimer section).
Data-subject rights
Under the GDPR you have the following data-subject rights: right of access (Art. 15 (1) GDPR), right to rectification (Art. 16 GDPR), right to erasure (Art. 17 (1) GDPR), right to restriction of processing (Art. 18 (1) GDPR), right to data portability (Art. 20 (1) GDPR), right to object (Art. 21 (1) GDPR), and the right to withdraw a given consent at any time with effect for the future (Art. 7 (3) GDPR). To exercise these rights please contact us at the email address given under “Controller” above. We will respond to your request within the legal time frame - generally within one month. We do not employ any automated decision-making within the meaning of Art. 22 (1) GDPR that would produce legal effects on you or significantly affect you in a similar manner.
Right to lodge a complaint
If you consider that the processing of your personal data infringes data protection law or that your data-protection rights have otherwise been violated, you are free to lodge a complaint with the competent supervisory authority. In Austria this is: Österreichische Datenschutzbehörde Barichgasse 40-42 1030 Wien Phone: +43 1 52 152-0 Email: dsb@dsb.gv.at Web: https://www.dsb.gv.at/
Portions of this privacy policy were derived from the WKO model form for IT services (https://www.wko.at/oe/information-consulting/unternehmensberatung-buchhaltung-informationstechnologie/it-dienstleistung/musterformular-datenschutzerklaerung.docx) and adapted for the provision of digital educational software.