Privacy Policy

Last updated: 14 April 2026

This Privacy Policy explains what personal data makesPDF ("we", "us", operated by Eight Degrees Off Center) collects when you use the Service, why we collect it, how we use and share it, and the rights you have over it. Capitalised terms not defined here have the meaning given in our Terms of Service.

1. Who we are

The data controller for personal data processed via the Service is Eight Degrees Off Center, a business registered in Queensland, Australia. For privacy questions or to exercise the rights described below, contact us at jason@makespdf.com.

2. What we collect

Account data

When you register, we store your email address, a hashed password (we never see or store your plaintext password), and optionally your name. If you sign in with Google, we receive your email, name, and Google account identifier from Google.

Billing data

Payments are processed by Stripe, Inc. Card numbers and bank details are sent directly from your browser to Stripe and never touch our servers. We receive and store a Stripe customer identifier, subscription status, plan tier, the last four digits and brand of your saved payment method (for auto top-up display), and invoice history references.

Content you submit

When you use the Service we process the Markdown, template definitions, or other input you send us to render a PDF. This content is processed in memory to produce the output and is not retained beyond what is needed to complete the request. A short-lived cache of rendered PDFs may exist (typically measured in minutes) to allow retry of failed downloads; cached PDFs are not accessible from other user accounts and are automatically purged. We do not use Your Content to train machine-learning models.

Usage and operational data

To operate, secure, and meter the Service we record: API key usage (key prefix only — full keys are hashed), endpoint, timestamp, response status, payload size, and number of pages rendered. We record authentication events (sign-in, sign-out, password reset) and standard web-server metadata (IP address, user agent) for security and abuse prevention. IP addresses are not shown to other users.

Cookies and local storage

We set an httpOnly session cookie when you sign in; this cookie is required for the Service to work. We store your theme preference in your browser's localStorage. We do not use third-party analytics cookies, advertising cookies, or cross-site tracking.

3. Why we process your data (legal bases)

  • Contract: account data, billing data, and content you submit are processed to provide the Service you have signed up for.
  • Legitimate interests: operational logs, security monitoring, and abuse prevention, balanced against your privacy.
  • Legal obligation: tax, accounting, and record-keeping where required by applicable law.
  • Consent: where we rely on consent (e.g. marketing emails, if ever introduced), you may withdraw it at any time.

4. Who we share data with (subprocessors)

We share personal data only with service providers that help us run the Service. Current subprocessors:

  • Cloudflare, Inc. — hosting, database (D1), object storage (R2), cache (KV), and rate-limiting. Data is processed in Cloudflare's global network.
  • Stripe, Inc. — payment processing, subscription management, and invoicing.
  • Mailgun Technologies, Inc. — transactional email (email verification, password reset, billing notices).
  • Google LLC — optional "Sign in with Google" authentication, only if you choose to use it.
  • PostHog Inc. — product analytics (anonymous page views and UI events) so we can understand which features are used and where people get stuck. No personal profile is created; we don't link events to your account identifier. Data is processed in the EU region. We respect the browser's Do Not Track signal and will not load PostHog when it is enabled.

We do not sell personal data and do not share it with advertisers.

5. International transfers

Our subprocessors are based in or operate globally, including in the United States. Where personal data is transferred outside your country of residence, we rely on the transfer mechanisms offered by those subprocessors (for example, Standard Contractual Clauses and, where applicable, adequacy decisions).

6. How long we keep data

  • Account data: retained for as long as your account is active. When you delete your account, account data and associated content are removed from our primary systems promptly and from backups within 30 days.
  • Content you submit: processed in memory and not retained beyond the time needed to complete the request, plus a short-lived cache (typically minutes) for retry.
  • Usage and billing records: retained for up to 13 months for billing, dispute resolution, and security, unless a longer period is required by law (for example, tax or accounting rules).
  • Security logs: retained for up to 90 days unless needed longer to investigate an incident.

7. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you;
  • Correct inaccurate data;
  • Delete your account and associated data ("right to be forgotten");
  • Export your data in a portable format;
  • Object to or restrict certain processing;
  • Withdraw consent where processing is based on consent;
  • Lodge a complaint with your local data-protection authority.

You can delete your account from your account settings. For other requests, contact us at jason@makespdf.com; we will respond within the timeframes required by applicable law (typically within 30 days).

8. Security

We use industry-standard measures including TLS for data in transit, password hashing, httpOnly session cookies, API key hashing at rest, and access controls on our infrastructure. No online service is perfectly secure; we encourage you to use a strong unique password and to rotate API keys if you suspect compromise.

9. Children

The Service is not directed to children under 16 and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.

10. Changes to this policy

We may update this policy as the Service evolves. Material changes will be notified by email or in-app at least 14 days before taking effect. The "Last updated" date at the top of this page indicates when the current version was published.

11. Contact

Privacy questions or rights requests: jason@makespdf.com.