Security & Compliance

CocoConvert is committed to protecting your data throughout the conversion process. We employ a privacy-first, zero-retention architecture and follow international best practices to ensure your files and personal information remain secure and private. We process data in accordance with applicable data protection laws across all jurisdictions we serve.

We comply with the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA) and the United Kingdom:

• Lawful basis (Art. 6) — We process data based on contract performance (file conversion), consent (analytics cookies), or legitimate interest (security, abuse prevention)
• Data minimization (Art. 5(1)(c)) — We collect only what is strictly necessary to provide the service
• Purpose limitation (Art. 5(1)(b)) — Data is used exclusively for its stated purpose
• Right of access (Art. 15) — You can request a copy of your personal data at any time
• Right to rectification (Art. 16) — You can request correction of inaccurate data
• Right to erasure (Art. 17) — You can request deletion of your account and associated data
• Right to restrict processing (Art. 18) — You can request limitation of processing
• Right to data portability (Art. 20) — You can request your data in a structured, machine-readable format
• Right to object (Art. 21) — You can opt out of processing based on legitimate interest or direct marketing
• Consent management — Our cookie banner provides granular control over non-essential cookies

International transfers: Where personal data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) as adopted by the European Commission (Art. 46(2)(c) GDPR) and/or the EU-U.S. Data Privacy Framework.

For users in California, we comply with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• We do not sell personal information to third parties
• We do not share personal information for cross-context behavioral advertising
• You have the right to know what personal information is collected, used, and disclosed
• You have the right to request deletion of your personal information
• You have the right to correct inaccurate personal information
• You have the right to opt out of the sale or sharing of personal information (though we do not sell or share)
• We will not discriminate against you for exercising these rights

For users in Brazil, we comply with the Lei Geral de Prote\u00E7\u00E3o de Dados (LGPD):

• Right to confirmation of the existence of processing
• Right to access your data
• Right to correction of incomplete, inaccurate, or outdated data
• Right to anonymization, blocking, or deletion of unnecessary or excessive data
• Right to data portability
• Right to information about shared data
• Right to revoke consent

For users in India, we comply with the Digital Personal Data Protection Act 2023:

• Right to access information about your personal data
• Right to correction and erasure of personal data
• Right to grievance redressal
• Right to nominate another person to exercise rights in case of death or incapacity

We also respect the data protection rights provided by the following laws:

• Australia — Australian Privacy Principles (APPs) under the Privacy Act 1988
• Canada — Personal Information Protection and Electronic Documents Act (PIPEDA)
• Japan — Act on the Protection of Personal Information (APPI)
• South Korea — Personal Information Protection Act (PIPA)
• United Kingdom — UK GDPR and Data Protection Act 2018

Regardless of your jurisdiction, we apply the same high standard of data protection to all users.

When you upload a file to CocoConvert, the following data processing occurs:

• Files are uploaded over HTTPS (TLS 1.3) encrypted connections
• Files are processed in isolated sandboxes on European compute servers
• Files are automatically and permanently deleted within 24 hours of conversion
• No file contents are ever read, analyzed, shared, or used for purposes other than conversion
• Converted output files are available for download for a limited time, then permanently deleted
• All processing is automated — no human interaction with your files

Our infrastructure is distributed across trusted, vetted providers in multiple regions. Key architectural layers include:

• Edge network — Global CDN, DNS, DDoS protection, and TLS 1.3 termination
• Compute servers — Isolated sandboxed processing in the EU
• Message queue — Serverless job orchestration
• Database — PostgreSQL encrypted at rest (AES-256)
• Temporary storage — Files deleted within 24 hours of conversion

For a complete list of sub-processors with legal entity details, see our Privacy Policy.

Additional security measures include:

• Network-level DDoS protection
• Automated vulnerability scanning and patching
• Sandbox isolation — each conversion runs in its own environment
• No persistent file storage — all files are permanently deleted within 24 hours
• HSTS headers with preloading on all endpoints

All payment processing is handled by Razorpay (India) and Paddle (international, Merchant of Record), both PCI-DSS Level 1 compliant providers. CocoConvert never stores, processes, or has access to your full card numbers, CVV, UPI credentials, or bank account details.

Paddle handles automated tax compliance (VAT, GST, sales tax) for international transactions, ensuring compliance with local tax laws in every jurisdiction.

• OAuth 2.0 via Google, GitHub, and Facebook — no passwords stored for social logins
• Secure session management with HTTP-only, same-site cookies
• Password hashing with bcrypt (for email/password accounts)
• Role-based access control for admin operations
• Rate limiting to prevent abuse and brute-force attempts
• IP-based throttling for anonymous users

• Uploaded files: Permanently deleted within 24 hours of conversion
• Conversion metadata: Retained for up to 90 days for usage tracking
• Account data: Retained while your account is active; deleted within 30 days of account deletion
• Payment records: Retained as required by financial regulations (typically 7-10 years, per Art. 6(1)(c) GDPR and applicable tax law)
• Server logs: Retained for 30 days for security and debugging
• Cookie data: Retained per cookie-specific durations disclosed in our cookie banner

In the unlikely event of a data breach, we will:

• Notify affected users within 72 hours as required by GDPR (Art. 33 and 34)
• Notify relevant supervisory authorities
• Provide details of the breach, affected data, and remediation steps
• Take immediate action to contain and resolve the incident
• Document the breach and all response efforts

We provide a publicly available Data Processing Agreement (DPA) that outlines our obligations as a data processor in accordance with Art. 28 GDPR. View our Data Processing Agreement.

For security or compliance inquiries, contact our team at legal@cococonvert.com.

To report a security vulnerability, please email legal@cococonvert.com.

For data subject access requests (DSARs), email legal@cococonvert.com. We will respond within 30 days.