1. Overview
This Privacy Policy explains how BladePDF collects, uses, stores, shares, protects, and deletes personal data when you visit our website, create an account, use the dashboard, generate PDFs, use our API, use our Laravel or Composer integration, purchase a subscription, contact support, or otherwise interact with BladePDF.
BladePDF is a SaaS platform for PDF generation, primarily designed for Laravel developers. You may use BladePDF through our dashboard, API route, Composer package, or other documented integrations.
This Privacy Policy should be read together with our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms of Service.
2. Controller and Contact Details
BladePDF is operated by Karel Talich, a sole proprietor established in the Czech Republic.
- Operator: Karel Talich
- Tax ID: 19409516
- Registered address: Nálepkova 298, 405 05 Děčín, Czech Republic
- Email: support@bladepdf.com
- Dashboard: ticket system available inside your BladePDF account
For account data, website data, billing-related records received from Paddle, support data, security logs, and usage metadata, BladePDF acts as the data controller.
For personal data contained inside Generation Payloads that you submit for PDF generation, BladePDF usually acts as your processor or service provider, and you act as the controller or business responsible for that content. If data-protection law requires a data processing agreement, you must request and enter into one before submitting personal data that requires such an agreement.
BladePDF has not appointed a separate Data Protection Officer. Privacy questions can be sent to support@bladepdf.com.
3. Personal Data We Collect
The personal data we collect depends on how you use BladePDF.
3.1 Account data
When you create or use a BladePDF account, we may collect and process:
- email address;
- name, company name, or profile details if you provide them;
- password hash if you register using email and password;
- authentication method, such as email/password or Google sign-in;
- account ID, user ID, organization ID, plan, role, permissions, and account settings;
- API Keys, API key identifiers, API key status, and API key metadata;
- login timestamps, authentication events, password reset events, and security events.
3.2 Billing and subscription data
Payments are handled by Paddle. We do not directly collect or store full payment card numbers. We may receive or access billing-related information from Paddle, such as:
- customer name, email address, billing country, business details, VAT or tax details if provided;
- subscription plan, subscription status, renewal date, cancellation status, and billing interval;
- Paddle customer ID, subscription ID, transaction ID, invoice ID, receipt details, refund status, and chargeback status;
- payment status, checkout status, tax information, currency, amount, and purchase history;
- billing communications and support information related to payments, refunds, invoices, or disputes.
3.3 Usage metadata and technical data
When you use the website, dashboard, API, Composer package, or PDF generation service, we may collect:
- IP address, approximate location derived from IP address, user agent, browser, operating system, and device information;
- request IDs, timestamps, API endpoint, HTTP method, response status, error category, latency, and rate-limit events;
- plan usage, generation counts, Concurrency usage, Queue usage, approximate payload size, approximate output size, bandwidth usage, storage usage, webhook delivery events, and timeout events;
- security logs, abuse-prevention logs, authentication logs, and system events;
- referring page, pages visited, dashboard actions, and basic service interaction logs where needed to operate and secure the Service.
3.4 Support and communication data
When you contact us through the dashboard ticket system, email, or contact page, we may process:
- your name, email address, company, account details, and contact information;
- support ticket content, messages, attachments, screenshots, logs, error messages, request IDs, and troubleshooting information;
- refund requests, downtime remedy requests, abuse reports, legal notices, and complaint details;
- any sample payloads, generated PDFs, or other files you voluntarily provide for support.
3.5 Google sign-in data
If you choose to register or log in using Google sign-in, we may receive basic Google account information necessary to authenticate you, such as your Google account identifier, email address, name, and profile image if provided by Google.
4. PDF Generation Payloads and Generated PDFs
BladePDF processes Generation Payloads only to provide the PDF generation service, operate the renderer, handle Queue and Concurrency functionality, secure the Service, prevent abuse, troubleshoot issues, and provide support where you voluntarily provide relevant data.
We do not permanently store the Generation Payloads you submit for a render, and we do not permanently store a Generated PDF unless you explicitly choose to store it. HTML, CSS, JavaScript, text, images, fonts, assets, metadata, submitted render data, and non-stored Generated PDFs are used for the specific render request and then deleted after completion, failure, rejection, timeout, or queue expiration, subject only to transient technical processing required to provide the Service.
Some features let you save content in your account for reuse, which we refer to as Stored Content. Stored Content may include dashboard-managed Blade templates, uploaded assets such as logos, fonts, images, and stylesheets, and any Generated PDFs you choose to store. Unlike ephemeral Generation Payloads, Stored Content is retained in your account until you delete it, an automatic retention or cleanup rule described in the Retention section removes it (stored Generated PDFs are deleted no later than approximately 13 months after the render), or your account is closed, and it counts toward your plan's storage allowance. If Stored Content contains personal data, you are responsible for ensuring you have a lawful basis, notices, permissions, and rights to store it.
Paid plans may include Queue functionality. If a request is queued, the Generation Payload may be held temporarily while waiting for an available Concurrency slot. Temporary queue data, render files, buffers, and output files are deleted after the request completes, fails, times out, is rejected, or expires.
Aside from Stored Content you explicitly choose to save, BladePDF is not a file-storage, document-management, backup, or archive service. You are responsible for keeping your own copies of Generated PDFs that you need. After a render completes, we generally cannot retrieve, inspect, reproduce, or restore your Generation Payload or a non-stored Generated PDF unless you submit it again or provide it to us through support.
We may retain non-content metadata about generation requests, such as account ID, request ID, timestamps, API endpoint, render status, approximate payload size, approximate output size, error category, bandwidth usage, queue events, and security events. This metadata is used for billing, plan enforcement, support, debugging, abuse prevention, service reliability, and security.
5. Sensitive and Regulated Data
BladePDF is not designed for highly sensitive or heavily regulated data unless we have expressly agreed to that use in writing. Unless you have a separate written agreement with us, you must not submit:
- health information or medical records;
- payment card numbers or full financial account credentials;
- government identification documents or identity verification documents;
- children's personal data;
- biometric data;
- criminal offense data;
- special-category data under GDPR, such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, health data, or sex life or sexual orientation;
- data subject to sector-specific security or compliance rules that BladePDF has not expressly accepted in writing.
If you include personal data in Generation Payloads, you are responsible for ensuring that you have the required lawful basis, notices, rights, consents, contracts, and permissions.
6. How We Use Personal Data
We use personal data for the following purposes:
- to create, authenticate, manage, secure, and support your account;
- to provide the dashboard, API, Composer package integration, PDF generation, Queue, Concurrency, and related Service features;
- to process Generation Payloads and return Generated PDFs;
- to issue, manage, secure, rotate, revoke, and monitor API Keys;
- to process subscriptions, billing, invoices, taxes, refunds, renewals, cancellations, chargebacks, and payment disputes through Paddle;
- to provide technical support, respond to tickets, investigate errors, and troubleshoot rendering issues;
- to monitor usage, enforce plan limits, Fair Use rules, Payload Limits, queue limits, bandwidth limits, and rate limits;
- to detect, prevent, investigate, and respond to abuse, fraud, attacks, dangerous JavaScript, malicious payloads, unauthorized access, and security incidents;
- to maintain, debug, test, improve, and develop the Service;
- to send transactional emails, account notices, security notices, billing notices, service updates, and legal notices;
- to comply with legal, accounting, tax, regulatory, consumer-protection, and dispute-resolution obligations;
- to enforce our Terms of Service and protect the rights, safety, and security of BladePDF, our users, and third parties.
7. Legal Bases Under GDPR
Where GDPR or similar law applies, we rely on the following legal bases:
| Processing activity | Typical personal data | Legal basis |
|---|---|---|
| Account registration and login | Email, password hash, Google sign-in data, account ID, login events | Performance of a contract; legitimate interests in account security |
| PDF generation | Generation Payloads, Generated PDFs, request metadata | Performance of a contract; where you submit third-party personal data, we generally process it as your processor |
| API and service operation | API Keys, request IDs, usage metadata, endpoint logs, status codes | Performance of a contract; legitimate interests in operating and improving the Service |
| Security and abuse prevention | IP address, logs, rate-limit events, suspicious activity, API key events | Legitimate interests in security, fraud prevention, abuse prevention, and Service reliability |
| Billing and subscriptions | Paddle customer IDs, transaction IDs, invoice data, plan, tax details, payment status | Performance of a contract; legal obligations; legitimate interests in payment administration |
| Tax and accounting records | Invoices, receipts, transaction records, tax data, billing country | Legal obligations |
| Support | Ticket messages, email, troubleshooting details, files you provide | Performance of a contract; legitimate interests in customer support and issue resolution |
| Transactional communications | Email address, account status, billing status, security notices | Performance of a contract; legal obligations; legitimate interests |
| Optional marketing communications | Email address and communication preferences | Consent where required; otherwise legitimate interests where permitted by law |
| Legal claims and compliance | Account records, billing records, logs, support records, dispute records | Legal obligations; legitimate interests in establishing, exercising, or defending legal claims |
Where we rely on legitimate interests, we balance our interests against your rights and freedoms. Our legitimate interests include operating BladePDF, securing the Service, preventing abuse, enforcing plan limits and Fair Use, improving reliability, supporting users, and protecting BladePDF from fraud, security threats, and legal risk.
8. Payments Through Paddle
Paid subscriptions are purchased through Paddle. Paddle acts as Merchant of Record and authorized reseller for paid transactions. This means Paddle processes checkout, payment, tax, invoice, refund, chargeback, fraud-prevention, and buyer-related data in connection with your purchase.
Paddle may process your personal data under its own privacy policy and buyer terms. Paddle may also share buyer and transaction data with BladePDF where needed for product fulfillment, order processing, fraud prevention, accounting, billing support, subscription management, and customer support.
You can review Paddle's privacy information here: Paddle Privacy Policy.
We do not directly store your full payment card number. Payment details are handled by Paddle and its payment providers.
9. Google Sign-In
If you choose to register or log in using Google sign-in, Google may provide us with basic account information needed to authenticate you, such as your Google account ID, email address, name, and profile image if available.
We use Google sign-in data only to create, authenticate, secure, and manage your BladePDF account. We do not sell Google user data, use it for advertising, or share it except as necessary to operate and secure your BladePDF account, comply with law, or as otherwise described in this Privacy Policy.
Your use of Google sign-in is also subject to Google's own privacy terms: Google Privacy Policy.
10. Cookies and Similar Technologies
BladePDF does not currently use analytics cookies, advertising cookies, marketing pixels, behavioral tracking cookies, or similar non-essential tracking technologies.
We may use strictly necessary cookies or similar local storage only where required to provide the website, dashboard, login, account security, session management, CSRF protection, checkout flow, fraud prevention, load balancing, or other functionality you request. These technologies are not used for advertising or behavioral tracking.
Because we do not currently use non-essential cookies, we do not require a granular opt-in/opt-out consent manager. We display a lightweight notice banner for transparency and acknowledgment, and if we later add analytics, advertising, marketing, or other non-essential cookies or tracking technologies, we will update this Privacy Policy, provide additional information, and request consent where required by law.
Third-party services, such as Paddle checkout or Google sign-in, may use their own cookies or similar technologies when you interact with them. Those technologies are controlled by the relevant third party and are governed by that third party's privacy and cookie notices.
11. How We Share Personal Data
We do not sell your personal data. We do not share personal data for cross-context behavioral advertising or targeted advertising.
We may share personal data with the following categories of recipients where necessary:
- Payment and billing providers: Paddle and its payment, tax, invoice, fraud-prevention, and billing partners.
- Authentication providers: Google, if you choose Google sign-in.
- Hosting and infrastructure providers: providers that host, secure, route, monitor, or deliver the Service.
- Email and communication providers: providers used to send transactional emails, security notices, billing notices, and support replies.
- Support and ticketing providers: providers used to manage support tickets and customer communications.
- Monitoring, logging, and security providers: providers used for error monitoring, uptime monitoring, security monitoring, abuse prevention, and incident response.
- Professional advisers: accountants, lawyers, tax advisers, auditors, and compliance advisers where needed.
- Authorities or legal recipients: courts, regulators, law enforcement, tax authorities, or other recipients where required by law or necessary to protect rights, safety, and security.
- Business transfer recipients: a successor, buyer, or transferee in connection with a merger, acquisition, restructuring, sale of assets, change of operator, or similar transaction.
Service providers are allowed to process personal data only as needed to provide services to us, comply with law, protect security, or fulfill the purposes described in this Privacy Policy.
12. International Transfers
BladePDF's main application and rendering servers are located in the European Union.
Some related providers, such as Paddle, Google, email providers, support tools, monitoring providers, security providers, DNS providers, or infrastructure providers, may process personal data outside the European Union, European Economic Area, Switzerland, the United Kingdom, or your country of residence.
Where required, we rely on appropriate safeguards for international transfers, such as adequacy decisions, standard contractual clauses, data processing agreements, contractual protections, or other lawful transfer mechanisms.
13. Retention
We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
| Data category | Typical retention |
|---|---|
| Generation Payloads and non-stored Generated PDFs | Processed temporarily for the requested render and deleted after completion, failure, rejection, timeout, or queue expiration. |
| Queued generation data | Stored temporarily while waiting for an available Concurrency slot and deleted after completion, failure, rejection, timeout, or queue expiration. |
| Stored templates and assets | Retained while stored in your account and deleted when you remove them or after account closure, subject to backups, security logs, and legal requirements. |
| Stored PDFs | Retained until you delete them or an optional workspace retention/storage-limit cleanup removes them; deleted automatically no later than 13 months after the render (with the render history record), and after account closure, subject to backups and legal requirements. |
| Webhook endpoints and delivery logs | Endpoint configuration kept while the endpoint exists; delivery attempt logs deleted automatically after approximately 90 days. |
| Generation metadata (render history) | Render history records (status, timings, request id, reference, metadata) deleted automatically after approximately 13 months; per-render logs after approximately 30 days. Aggregated, non-content usage counters for billing and plan enforcement may be kept longer. |
| Dashboard notifications | Deleted automatically after approximately 90 days. |
| Account data | Kept while your account exists and for a reasonable period afterward for legal, security, billing, backup, dispute, and abuse-prevention purposes. |
| API Key metadata | Kept while keys are active and afterward as needed for security, audit, abuse prevention, and troubleshooting. |
| Billing and tax records | Kept as required by tax, accounting, payment, refund, chargeback, and legal obligations. |
| Support tickets | Kept as needed to provide support, maintain support history, resolve disputes, improve the Service, and protect legal rights. |
| Security logs | Kept for a limited period appropriate for security monitoring, abuse prevention, incident investigation, and legal protection. |
| Legal and dispute records | Kept as needed to comply with law and establish, exercise, or defend legal claims. |
Backup copies and security logs may persist for a limited time after deletion from active systems. We delete or anonymize data when it is no longer needed, unless retention is required or permitted by law.
14. Security
We use reasonable technical and organizational measures designed to protect personal data, Generation Payloads, API Keys, accounts, and service infrastructure. These measures may include access controls, encryption in transit, secret management, logging, monitoring, abuse controls, network protections, least-privilege access, and temporary processing of Generation Payloads.
No internet-connected service can be guaranteed to be perfectly secure. You are responsible for securing your own account, email address, devices, servers, applications, repositories, logs, environment files, deployment systems, API Keys, and integrations.
If you believe your account, API Key, or data may have been compromised, contact us immediately at support@bladepdf.com and rotate or revoke affected API Keys.
15. API Keys and Customer-Side Security
API Keys are confidential credentials. You must not expose API Keys in client-side code, public repositories, screenshots, support forums, logs, browser code, mobile apps, or other places where unauthorized parties may access them.
BladePDF is not responsible for unauthorized access, usage, charges, service disruption, or data exposure caused by your failure to protect API Keys, passwords, servers, logs, repositories, or deployment environments.
16. Children's Privacy
BladePDF is intended for developers, businesses, and adults. The Service is not directed to children. You must not create an account or use the Service if you are under 18 years old or under the age of legal majority in your jurisdiction.
You must not submit children's personal data in Generation Payloads unless you have a separate written agreement with us and all required legal bases, notices, permissions, and safeguards.
17. Automated Decision-Making
BladePDF does not use personal data to make decisions that produce legal or similarly significant effects based solely on automated processing.
We may use automated systems to detect abuse, enforce rate limits, block suspicious requests, reject dangerous payloads, prevent fraud, protect API Keys, or secure the Service. Paddle and other providers may also use automated fraud-prevention or risk systems in connection with payments and checkout.
18. Your Privacy Rights
Depending on your location and applicable law, you may have rights regarding your personal data, including the right to:
- request access to personal data we hold about you;
- request correction of inaccurate or incomplete personal data;
- request deletion of personal data;
- request restriction of processing;
- object to processing based on legitimate interests;
- request data portability;
- withdraw consent where processing is based on consent;
- opt out of marketing emails;
- complain to a data protection authority.
To exercise your rights, contact us at support@bladepdf.com. We may need to verify your identity before responding. We will respond within the time required by applicable law.
Some data may be retained where required or permitted by law, including for tax, accounting, billing, fraud-prevention, security, dispute-resolution, or legal-claims purposes.
Because BladePDF does not permanently store Generation Payloads or Generated PDFs, we may be unable to access, export, correct, or delete specific payload content after the render request has completed and the temporary processing data has been deleted.
19. EU/EEA Complaints
If you are in the European Union or European Economic Area, you have the right to lodge a complaint with your local data protection authority.
Because BladePDF is established in the Czech Republic, the relevant Czech supervisory authority is the Office for Personal Data Protection / Úřad pro ochranu osobních údajů: https://uoou.gov.cz/en.
We encourage you to contact us first so we can try to resolve your concern directly.
20. United States Privacy Rights
Depending on your U.S. state of residence, you may have rights to access, correct, delete, or obtain a copy of personal information, and to opt out of certain processing activities.
BladePDF does not sell personal information and does not share personal information for cross-context behavioral advertising or targeted advertising. BladePDF does not use sensitive personal information for purposes that require a right to limit such use under applicable U.S. state privacy laws.
You may exercise applicable U.S. privacy rights by contacting support@bladepdf.com. We will not discriminate against you for exercising privacy rights required by applicable law.
21. Emails and Communications
We may send transactional and service-related emails, such as account emails, password reset emails, security notices, API notices, billing notices, subscription notices, support replies, downtime notices, and legal notices. These are necessary for the Service and you may not be able to opt out of them while you have an active account or subscription.
If we send optional marketing emails, you may unsubscribe using the unsubscribe link in the email or by contacting us. We do not currently use marketing cookies or advertising pixels.
22. Third-Party Links and Services
The Service may contain links to third-party websites, documentation, package registries, payment pages, authentication providers, or other services. We are not responsible for the privacy practices, security, content, or terms of third-party services.
You should review the privacy policies of third-party services you choose to use, including Paddle and Google where applicable.
23. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The updated version will be posted with a new effective date. If changes are material, we may provide additional notice through the website, dashboard, email, or another appropriate method.
Your continued use of the Service after an updated Privacy Policy takes effect means that you acknowledge the updated Privacy Policy.
24. Contact
For privacy questions, requests, complaints, support issues, or legal notices, contact BladePDF:
- Operator: Karel Talich
- Identification Number: 19409516
- Registered address: Nálepkova 298, 405 05 Děčín, Czech Republic
- Email: support@bladepdf.com
- Dashboard: ticket system available inside your BladePDF account
- Contact page: /contact