
Privacy Policy

Last updated: March 9, 2026

1. Data Controller

CocoConvert ("we", "us", "our") is operated by CocoConvert, based in India. As data controller within the meaning of the General Data Protection Regulation (GDPR) and other applicable data protection laws, we are responsible for the processing of your personal data when you use our file conversion service at cococonvert.com.

Contact:
CocoConvert
Email: legal@cococonvert.com

2. Scope of This Policy

This Privacy Policy applies to all users worldwide who access cococonvert.com, our API, or any related services. It covers the collection, processing, storage, and deletion of personal data in accordance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the UK Data Protection Act 2018, Brazil's Lei Geral de Proteção de Dados (LGPD), India's Digital Personal Data Protection Act 2023, and other applicable data protection laws.

If you do not agree with this policy, please do not use our services.

3. Files You Upload

When you upload a file for conversion, it is temporarily stored on our servers solely for the purpose of processing your conversion request.

  • Files are automatically and permanently deleted within 24 hours of conversion or upon manual deletion, whichever comes first.
  • We do not read, analyze, copy, mine, or share the contents of your files.
  • We do not use your files for machine learning, AI training, analytics, profiling, or any purpose beyond the requested conversion.
  • All file processing is performed by automated systems. No human can access your files.

Legal basis: Processing is necessary for the performance of the contract with you (Art. 6(1)(b) GDPR) — i.e., to provide the conversion service you requested.

4. Personal Data We Collect

We collect only the minimum data necessary to operate the service:

4.1 Account Data (if you register)

  • Name and email address (via Google, GitHub, Facebook OAuth, or email/password signup)
  • Profile photo (from OAuth provider, if available)
  • Authentication provider identifier

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

4.2 Payment Data (if you subscribe)

  • For users in India: payments are processed by Razorpay (PCI-DSS Level 1 compliant). We never store card numbers, UPI IDs, or bank details.
  • For international users: payments are processed by Paddle.com Market Limited, who acts as our Merchant of Record. Paddle collects your name, email, billing address, and payment method directly. See Paddle's Privacy Policy.

Legal basis: Contract performance (Art. 6(1)(b) GDPR).

4.3 Usage Data

  • Conversion types, file formats, file sizes, timestamps (never file contents)
  • Feature usage (batch, compression, advanced options)

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — service improvement and quota enforcement.

4.4 Technical Data

  • IP address (temporarily, for rate limiting and abuse prevention)
  • Browser type, operating system, device type
  • Referrer URL, pages visited, time of access

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) — security and service operation.

4.5 Cookies

  • Essential cookies: Required for authentication and session management. These are technically necessary and do not require consent (Art. 6(1)(f) GDPR; § 25(2) TTDSG).
  • Analytics cookies: Set only with your explicit consent (Art. 6(1)(a) GDPR). You can manage preferences via our cookie banner.
  • Advertising cookies: On the free tier, third-party ad partners may set cookies. You can opt out via the ad partner's mechanisms or your browser settings.

5. How We Use Your Data

  • To process your file conversion requests
  • To authenticate your account and manage your subscription
  • To enforce rate limits and prevent abuse
  • To improve service performance, reliability, and user experience
  • To generate anonymized, aggregated statistics
  • To display advertisements on the free tier
  • To send transactional emails (receipts, password resets) — never marketing unless you opt in
  • To comply with legal obligations (tax records, fraud prevention)

We do not sell, rent, or trade your personal data to any third party. We do not create user profiles for advertising purposes.

6. Infrastructure & Sub-Processors

We employ a privacy-first, zero-retention architecture. All files are processed in isolated sandboxes and permanently deleted within 24 hours of conversion.

Our infrastructure is distributed across the following sub-processors:

| Provider | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Edge network, CDN, DNS, DDoS protection, Workers compute | Global (US entity) |
| Hetzner Online GmbH | Compute servers for file processing | Germany (EU) |
| Upstash, Inc. | Serverless message queue (Redis) | Global (US entity, EU regions available) |
| Supabase, Inc. | Database (PostgreSQL) | US |
| Cloudflare R2 | Temporary file storage (up to 24 hours) | Automatic (nearest region) |
| Razorpay Software Pvt. Ltd. | Payment processing (India) | India |
| Paddle.com Market Ltd. | Payment processing & Merchant of Record (international) | United Kingdom |
| Resend, Inc. | Transactional email delivery | US |
| Google LLC | OAuth authentication, Analytics (consent-based), AdSense (free tier) | US |
| GitHub, Inc. | OAuth authentication | US |

7. International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA). Where personal data is transferred to countries without an adequacy decision from the European Commission, we rely on:

  • Standard Contractual Clauses (SCCs) as adopted by the European Commission (Art. 46(2)(c) GDPR)
  • EU-U.S. Data Privacy Framework certifications where applicable
  • Binding Corporate Rules of the respective processor

Cloudflare and Supabase participate in the EU-U.S. Data Privacy Framework. Hetzner processes data exclusively within the EU.

8. Data Retention

  • Uploaded files: Deleted permanently within 24 hours of conversion.
  • Account data: Retained while your account is active. Deleted within 30 days of account deletion.
  • Conversion metadata: Retained for up to 90 days for usage tracking and quota enforcement.
  • Server logs (IP, user agent): Retained for 30 days for security monitoring.
  • Payment records: Retained as required by tax and commercial law (typically 7-10 years).
  • Email correspondence: Retained for the duration of the business relationship.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Under the GDPR (EU/EEA/UK):

  • Right of access (Art. 15) — obtain a copy of your personal data
  • Right to rectification (Art. 16) — correct inaccurate data
  • Right to erasure (Art. 17) — request deletion of your data
  • Right to restrict processing (Art. 18) — limit how we use your data
  • Right to data portability (Art. 20) — receive your data in a structured format
  • Right to object (Art. 21) — object to processing based on legitimate interest
  • Right to withdraw consent (Art. 7(3)) — withdraw consent at any time without affecting prior processing

Under the CCPA (California, USA):

  • Right to know what personal information is collected and how it is used
  • Right to delete personal information
  • Right to opt out of the sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising your privacy rights

Under Brazil's LGPD:

  • Right to confirmation and access, correction, anonymization, portability, deletion, and information about sharing

Under India's DPDP Act 2023:

  • Right to access, correction, erasure, and grievance redressal

To exercise any of these rights, email legal@cococonvert.com. We will respond within 30 days (or sooner as required by applicable law).

10. Children’s Privacy

CocoConvert is not directed at children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

11. Advertising

The free tier of CocoConvert is ad-supported. Third-party advertising partners may use cookies and similar tracking technologies. You can opt out of personalized advertising through your browser settings, the ad partner's opt-out mechanisms, or industry opt-out pages such as aboutads.info or youronlinechoices.eu.

12. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In the EU, you can contact the data protection authority in your country of residence. A list of EU data protection authorities is available at edpb.europa.eu.

13. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated date. If we make material changes that affect your rights, we will notify you by email (if you have an account) or via a prominent notice on our website. Continued use of the service after the changes take effect constitutes acceptance.

14. Contact

For privacy-related questions, data subject access requests, or complaints, email us at legal@cococonvert.com.