Privacy Policy
Pedulli ("we", "us") is an EU-sovereign, GDPR-by-design project operated by Francesco Pedulli, Forli, Italy. This policy explains what we collect, why, and your rights. We make no absolute-security claims; we describe our actual practices honestly.
1. Who is the data controller
Francesco Pedulli, Forli, Italy. Contact: francescopedulli@gmail.com.
2. What we process and why
- Browser trial files (sub-1 MiB): processed entirely in your browser via WASM. These files are not uploaded to our servers.
- Larger files / API requests: sent to our server to be compressed or decompressed, then returned. We do not retain your file contents beyond what is needed to complete the request; upload sessions are kept at most 6 hours and then deleted.
- Account data: email, password (stored only as a salted hash), API key, plan, token balance and usage counts - to provide and bill the service.
- Lead / contact forms: the name, email, company and message you submit, plus a form "source" tag - to respond to you. Submissions may trigger a notification to the founder.
- Payments: handled by Stripe. We do not store your card details; Stripe processes them under its own policy.
- Technical logs: minimal request metadata (timestamp, status, anonymized aggregate stats) for reliability and abuse prevention.
3. Legal bases (GDPR)
Performance of a contract (providing the service you signed up for), legitimate interest (security, abuse prevention, aggregate analytics), consent (where you submit a form), and legal obligation (tax/accounting for payments).
4. Cookies & tracking
We use only essential cookies/local storage needed to keep you logged in and to remember your theme preference. We do not load Google Translate, advertising trackers, or third-party analytics that profile you.
5. Sharing
We share data only with processors strictly necessary to run the service: Stripe (payments), an email provider (Resend, for confirmation emails), and our hosting provider (an EU/Hetzner server). We do not sell personal data.
6. Retention
Account data is kept while your account is active and for the period required by law after closure. Uploaded file sessions are deleted within 6 hours. Lead submissions are kept for follow-up and then periodically purged.
7. Your rights
Under the GDPR you may request access, rectification, erasure, restriction and portability of your data, and you may object to processing. Email francescopedulli@gmail.com and we will respond within the legal time limit. You may also lodge a complaint with your local supervisory authority.
8. Security
We use TLS in transit, hashed passwords, scoped API keys (never placed in URLs or page markup), and EU-located hosting. No system is perfectly secure and we make no claim of absolute security; we apply reasonable, proportionate safeguards.
9. International transfers
Data is primarily processed within the EU. Where a sub-processor operates outside the EEA, transfers rely on Standard Contractual Clauses or an adequacy decision.
10. Changes
We will update the "last updated" date above when this policy changes. Material changes will be highlighted on the site.