Effective date: 5 September 2025

Entity: Aston Group Holdings LLC, a Delaware limited liability company

Service: pdftotxtconverter.com, related apps, and APIs

Contact: support [@] pdftotxtconverter.com

This policy explains how we collect, use, and disclose personal information for visitors and users worldwide.

1. Information we collect

You provide:

Account details such as name, email, password.

Files you upload and the resulting outputs.

Support messages and preferences.

Billing is handled by our payment processor. We receive subscription metadata, not full card numbers.

Collected automatically:

Device and usage data such as IP address, browser type, timestamps, pages viewed, and referring URLs.

Limited event logs for security and debugging.

Cookies and similar technologies for session management and analytics. See Section 6 and our Cookie Policy.

From third parties:

Payment and subscription status from Stripe.

Email delivery status from our email provider.

2. How we use information

Provide, operate, and secure the Service.

Process uploads and generate outputs.

Manage accounts, subscriptions, and credits.

Communicate with you about Service changes, security, and support.

Improve the Service, including analytics and quality assurance.

Comply with law and enforce our Terms.

Privacy by design and default. We aim to limit collection, use, sharing, and retention to what is necessary for the Service. We review data flows when we add features and choose privacy-preserving defaults where feasible.

3. Our role with respect to your files

For uploads and outputs, we act as a processor to you as the controller. We process data only on your instructions through the Service. Enterprise customers may request a Data Processing Addendum with Standard Contractual Clauses. Contact .

4. Automated decision-making and profiling

We do not perform automated decision-making that produces legal or similarly significant effects on individuals. We perform limited profiling for abuse detection, fraud prevention, and product analytics. Where GDPR applies, you may object to profiling based on legitimate interests. See Section 9 on your rights.

5. Retention

Uploaded files and outputs: typically deleted within 1 hour from active systems. This may be extended for short periods to address abuse, reliability, or legal requirements.

Account and subscription records: kept while your account is active, then as needed for tax, auditing, fraud prevention, or legal obligations.

Logs and analytics: typically 30 to 180 days, unless a longer period is needed for security or compliance.

6. Cookies, analytics, and consent

We use strictly necessary cookies for login and security, and optional cookies for analytics and functionality.

In the EEA and UK, we do not set non-essential cookies without your consent.

Elsewhere, we honor local rules and provide an opt-out.

If your browser sends a Global Privacy Control signal, we treat it as an opt-out from sale or sharing where applicable.

Manage choices any time through the Cookie Preferences link or your browser settings.

See our Cookie Policy for details and controls.

7. How we share information

We share personal information with service providers that help us operate the Service. Categories include:

Cloud hosting and storage.

Payment processing.

Email delivery and support.

Analytics, monitoring, and logging.

Security and anti-abuse tools.

We require service providers to use information only on our behalf and to protect it appropriately. We may disclose information if required by law, to protect rights and safety, or in connection with a merger or sale. We do not sell personal information. We do not share personal information for cross-context behavioral advertising as defined under California law.

Third-party scripts. We aim to minimize third-party scripts. Where we use them, we review purpose, data collection, and vendor terms before deployment and on a periodic basis.

8. Security and breach notification

We use reasonable and appropriate safeguards, including TLS in transit, encryption at rest provided by our cloud provider, access controls, least privilege, and scheduled deletion of uploaded files. No system is perfectly secure.

Breach notification. If a security incident leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal information, we will notify affected users without undue delay and consistent with applicable law. Where GDPR applies, we will notify the competent supervisory authority within 72 hours of becoming aware where required. In Australia, we will assess and notify under the Notifiable Data Breaches scheme where an eligible breach is likely to result in serious harm. For U.S. residents, we will follow applicable state breach notification rules.

9. Your rights

EEA, UK, and similar jurisdictions. Depending on your location, you may have the right to request access, correction, deletion, restriction, objection, and data portability, and to withdraw consent where we rely on consent. Legal bases include performance of a contract, legitimate interests, consent, and compliance with legal obligations.

Australia. You have rights under the Privacy Act and Australian Privacy Principles. We also recognize the right to erasure where applicable under the 2025 reforms once in force. We will handle complaints in line with OAIC guidance.

California and certain U.S. states. You may have the right to know and access, delete, correct, and opt out of sale or sharing for cross-context behavioral advertising, and to limit use of sensitive personal information. We do not sell or share personal information, and we do not use sensitive personal information for inferring characteristics. We will not discriminate against you for exercising your rights.

How to exercise rights. Email with your request and the email associated with your account. We may ask for information to verify your identity and to help locate data. If we deny your request where permitted by law, you may have the right to appeal by replying to our decision. If you still disagree, you may contact your local regulator.

10. DPIAs and regulator consultation

For processing that is likely to result in high risk to individuals, we will perform a Data Protection Impact Assessment. Where required, we will consult the relevant regulator before proceeding.

11. International data transfers and representatives

We are based in the United States. If you use the Service from another country, your information will be transferred to the United States and possibly to other countries where our providers operate. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses and supplementary measures. If you need a signed DPA with SCCs, contact .

EU and UK representatives. Based on our current operations, we do not believe Article 27 representatives are required. If our processing falls within the scope that requires representatives, we will appoint them and update this policy with contact details.

12. Children

The Service is not directed to children under 13. If you believe a child has provided personal information, contact us and we will take appropriate steps.

13. Third-party links

The Service may link to third-party sites. This policy does not cover those sites.

14. Certifications

We do not claim any security certifications at this time. If we obtain certifications such as SOC 2 Type II or ISO 27001, we will update this policy and provide details.

15. Changes and audits

We review this policy and our practices on a regular basis and update them for legal and operational changes. If changes are material, we will provide reasonable notice. Continued use after the effective date means you accept the updated policy.

16. Contact

Aston Group Holdings LLC Email:support [@] pdftotxtconverter.com