Privacy Notice (GDPR)

Effective: 18 May 2026 · Last update: 18 May 2026

Data Controller
Data We Collect
Purposes of Processing
Lawful Basis (Article 6)
Recipients & Third-Party Sharing
International Transfers
Retention Periods
Security Measures
Your Rights (Articles 15–22)
How to Exercise Your Rights / Complaint
Cookies
Changes to This Notice

1. Data Controller

This Privacy Notice describes how WellPDF (“WellPDF”, “we”, “us”) processes your personal data when you use WellPDF (wellpdf.com). WellPDF acts as the data controller within the meaning of Article 4(7) of the General Data Protection Regulation (GDPR / Regulation (EU) 2016/679).

Data Controller
WellPDF
Gülbahar Mah. Avni Dilligil Sk. Çelik İş Merkezi No: 9/B Apt. 21 Floor 5, 34394 Şişli / Istanbul, Türkiye
Tax Office: Zincirlikuyu · Tax No: 9500886070 · MERSİS: 0950088607000001

Website: wellpdf.com
DPO / Privacy contact: [email protected]
General support: [email protected]

WellPDF is operated by Yes Bilişim Teknolojileri A.Ş., established in Türkiye. Personal data is processed and stored in the EU (Hetzner, Germany). Transfers between the EU hosting infrastructure and the Türkiye-based controller are governed by Standard Contractual Clauses (SCCs).

2. Data We Collect

Category	Data Items
Identity	First name, last name
Contact	Email address
Account & Billing	Subscription plan, payment date, billing amount, payment status (managed by Lemon Squeezy)
Technical	IP address, browser User-Agent, session cookies, audit log entries
Transient	Uploaded PDF files (auto-deleted after processing)
Preferences	Language choice, UI cookie preferences

Important: We do not store your card details. All payment processing is handled entirely by Lemon Squeezy as the Merchant of Record. Card data never touches WellPDF servers.

3. Purposes of Processing

Providing and managing the service (account creation, authentication, session management)
Subscription billing and payment lifecycle (via Lemon Squeezy: invoicing, cancellation, refunds)
Customer communication (email notifications, support requests)
Service security (preventing unauthorised access, fraud, and abuse)
Compliance with legal obligations (tax, audit log retention, lawful requests)
Service improvement (anonymous usage statistics)

4. Lawful Basis (Article 6 GDPR)

Lawful basis	Applies to
Contract performance — Art. 6(1)(b)	Account creation, subscription billing
Legal obligation — Art. 6(1)(c)	Tax records, audit log retention
Legitimate interest — Art. 6(1)(f)	Security, fraud prevention, service improvement (balanced against your fundamental rights)
Consent — Art. 6(1)(a)	Optional cookies, marketing communications (where applicable)

5. Recipients & Third-Party Sharing

We share your data only with the following processors, all bound by data processing agreements:

Sub-processor	Purpose	Location	Safeguard
Lemon Squeezy (Lemon Squeezy, LLC)	Merchant of Record — billing, VAT, invoicing, refunds	United States	EU–US Data Privacy Framework (DPF)
Mailjet (Sinch Group)	Transactional email delivery	EU (France/Germany)	EU-based processor
Hetzner Online GmbH	Server hosting & infrastructure	Germany (EU)	EU-based processor
Apryse (PDFTron)	PDF editor SDK (WebViewer, client-side)	Canada / US	Client-side only; no personal data transmitted to Apryse servers

We do not sell your data, do not use it for behavioural advertising, and do not share it with data brokers.

6. International Transfers

WellPDF is operated by Yes Bilişim Teknolojileri A.Ş., established in Türkiye. Servers are located in Germany (EU). Transfers from the EU to Türkiye are made under Article 46(2)(c) GDPR using Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).

Where data is transferred to sub-processors outside the EEA (Lemon Squeezy, US), the transfer is protected by:

EU–US Data Privacy Framework (adequacy decision by the European Commission, 10 July 2023), and/or
Standard Contractual Clauses (SCCs) adopted under Article 46(2)(c) GDPR as a fallback.

No data is transferred outside the EU/EEA and the listed sub-processors.

7. Retention Periods

Data type	Retention	Reason
Account information (name, email)	Lifetime of the account + 30 days after deletion request	Contract
Uploaded PDF files	Auto-deleted after processing	Service contract
Payment records (audit)	10 years	Türkiye Tax Procedure Law, EU tax obligations
Audit logs (login / actions)	2 years	Legitimate interest (security)
Communication emails	3 years	Legitimate interest

8. Security Measures

All traffic encrypted with TLS 1.2/1.3.
Uploaded files encrypted at rest with AES-256.
Passwords stored as bcrypt hashes; plain-text passwords are never accessible.
Payments handled entirely by Lemon Squeezy on a PCI-DSS compliant platform; card details never reach our servers.
Comprehensive audit logging for authentication and processing events.
Infrastructure hosted in an ISO/IEC 27001 certified data centre (Hetzner, Germany).

9. Your Rights (Articles 15–22 GDPR)

Access (Art. 15): obtain confirmation and a copy of your personal data.
Rectification (Art. 16): correct inaccurate or complete incomplete data.
Erasure / right to be forgotten (Art. 17): request deletion under specified conditions.
Restriction (Art. 18): limit processing in certain situations.
Data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format.
Objection (Art. 21): object to processing based on legitimate interest.
Automated decision-making (Art. 22): right not to be subject to a decision based solely on automated processing — we do not use solely automated decision-making.
Withdraw consent at any time, where processing is based on consent.

10. Exercising Your Rights / Lodging a Complaint

To exercise any of the rights above:

Self-service: Account Settings → Privacy → clear history / close account.
Email: [email protected] — we respond within 30 days at no cost (extendable by 60 days for complex requests under Art. 12(3)).

You also have the right to lodge a complaint with your local supervisory authority. EU/EEA residents may contact their national Data Protection Authority. Turkish residents may contact:

Kişisel Verileri Koruma Kurumu (Turkish Data Protection Authority)
Website: kvkk.gov.tr
Email: [email protected]

11. Cookies

Strictly necessary cookies: session management, CSRF protection (no consent required, Recital 30 / ePrivacy Directive strictly-necessary exemption).
Functional cookies: language preference, UI settings.
Analytics / advertising cookies: not currently used.

You may disable cookies in your browser, but parts of the service may not work correctly.

For full details, see our Cookie Policy.

12. Changes to This Notice

We may update this Notice as needed. Material changes will be communicated via in-app notification and/or email at least 15 days before they take effect. The last update date is shown at the top of this page.