This is a convenience translation. The German version is the legally binding one.
Privacy Policy
Information under Art. 13 and 14 GDPR. Version: 2026-07-13.
1. Our zero-retention promise (the central commitment)
We never retain your document. While it is being converted your file exists only as an encrypted blob we cannot read without the per-job key (which we discard) plus the worker’s RAM-backed scratch, and it is destroyed immediately afterward.
Concretely, for every conversion:
- RAM-only processing: The worker’s scratch is RAM-backed (tmpfs) and is purged after each job; nothing of your document is written to durable disk on the worker.
- No content in logs: No document bytes, OCR text, or original filename ever appear in any log stream (BFF, worker, or edge) — only metadata (job id, byte/page counts, timing, status).
- Source purged after processing: The encrypted source is deleted from the inbox after processing; a subsequent fetch returns 404/410 (≈1-hour effective lifetime, with a 1-day object-lifecycle backstop).
- Result delivered at most once: The encrypted result is delivered at most once — the first read deletes it and a subsequent read returns 410 (≈15-minute effective lifetime, with a 1-day object-lifecycle backstop).
- Signed deletion audit: A content-free, cryptographically-signed deletion-audit event is recorded for every job (job id + event + timestamp + HMAC signature; never any content).
Carve-out: inbound e-invoices (ZUGFeRD/XRechnung) you send us are business records and are archived for 10 years under §147 AO. This is the only durable store that holds document-derived content of any kind — and that content is business records you send us, never a converted document; it is kept separate from the conversion plane. Our other durable data (the content-free page-usage record, the signed deletion-audit events, and the record of Terms acceptance) consist only of counters, hashes, and timestamps. Your converted documents themselves are never durably retained.
This commitment is falsifiable: each of the properties above is verified by automated checks against the running system; the public commitment can never out-run the provable behavior.
2. Controller
Controller within the meaning of Art. 4 (7) GDPR:
HexWorld Solutions GmbH, Altmarkt 10 B/D, 01067 Dresden, Germany.
Email for privacy matters: info@hexworld.eu
HexWorld Solutions GmbH is the controller for all personal data processed in the course of the service — for the content of converted documents as well as for account, sign-in, usage and billing data, and the limited, content-free abuse-prevention data. Document content is processed exclusively to provide the service and exclusively transiently (zero-retention, section 1). Records of processing activities (Art. 30 GDPR) are maintained.
3. Data protection officer
We have not appointed a data protection officer. We are not required to appoint one under Art. 37 GDPR or §38 BDSG: we do not, as a rule, permanently employ at least 20 persons in the automated processing of personal data, and our core activity requires neither extensive regular and systematic monitoring of individuals nor extensive processing of special categories of data (Art. 9, 10 GDPR) — document content is, moreover, processed only transiently and without any evaluation of its content (zero-retention, section 1). For privacy requests, contact us at info@hexworld.eu.
4. Processing activities, purposes and legal bases
| Activity | Purpose | Legal basis | Retention |
|---|---|---|---|
| Document conversion (signed-in users) | Providing the service (PDF/image → Markdown) | Art. 6 (1) b (contract) | Zero-retention — see section 1 (source ~1 hour, result ~15 minutes with a single read; backstop deletion after 1 day at the latest) |
| Account + sign-in (self-hosted Zitadel) | Sign-in, sessions, account security (incl. sign-in history and security notification emails) | Art. 6 (1) b | For the lifetime of the account; the sign-in history (pseudonymized IP, coarse device info, country) and API keys (checksums only) are deleted with the account |
| Page-usage record | Billing the monthly page allowance, billing traceability | Art. 6 (1) b + c | Durable as billing evidence — content-free counters only (page counts, timestamps, account pseudonym); retained in pseudonymized form even after account deletion |
| Billing + tax (Stripe) | Payment processing, invoices and receipts, VAT/OSS | Art. 6 (1) b + c (statutory tax retention) | Statutory retention periods (e.g. §147 AO) |
| Abuse and fraud prevention | Protecting the service: bot defense at sign-in (ALTCHA, sign-up throttling) and content-free flagging of unusually compute-heavy usage (see section 8) | Art. 6 (1) f (legitimate interest: operational and fraud security) | Short-lived technical metadata; review flags content-free, account status for the lifetime of the account |
| Deletion audit (signed events) | Proof of deletion for every job (accountability, Art. 5 (2)) | Art. 6 (1) f / c (legitimate interest: accountability) | Content-free; retained durably as evidence |
| Inbound e-invoices (ZUGFeRD/XRechnung) | Business records (accounts payable) | Art. 6 (1) c | 10 years (§147 AO) — deliberately durable, separated from conversion |
| Operational logs + short-lived data | Operating, securing and debugging the service | Art. 6 (1) f (legitimate interest: secure, stable operation) | Logs 7 days, metrics 30 days — never containing document content; session and cache data hours to a few months |
| Contact by email | Handling your enquiries (support, sales, security, privacy) — see section 6 | Art. 6 (1) b or f (legitimate interest: answering enquiries) | As long as needed to handle the enquiry; business correspondence subject to statutory retention 6 or 10 years (§257 HGB, §147 AO) |
| Record of terms acceptance | Evidence that the Terms were accepted at sign-up | Art. 6 (1) f (legitimate interest: evidence of contract formation) | Durable, content-free (email and IP as checksums only, terms version, timestamp); retained as contract evidence even after account deletion |
| Prevention of repeated free trials | Abuse prevention: stop a new free trial from being opened with the same email after an account deletion | Art. 6 (1) f (legitimate interest: abuse and fraud prevention) | Kept for 3 months after account deletion, then deleted (data minimisation); content-free — only a one-way hash of the email address |
Five data categories, clearly separated: (1) document content — never stored (transient, encrypted, deleted right after conversion; guaranteed within 24 h by an automatic clean-up rule, typically within minutes); (2) short-lived technical metadata (job ids, byte/page counts, timestamps, pseudonymized IP) — hours to days; (3) durable, content-free evidence and billing records (page counters, deletion audit, terms acceptance, trial-abuse hash — checksums, counters and timestamps only, never content); (4) identity (email, passkeys, sign-in history) — for the lifetime of the account; (5) billing/tax (invoices, e-invoices) — 10 years under §147 AO / §257 HGB. Backups exist only for the durable account, evidence and billing data (the cloud provider's database backups) and never contain document content — the transient hand-over stores of the conversion have no versioning, no replication and no backups.
Source of the data (Art. 14 (2) f GDPR)
Where we do not collect personal data directly from the data subject, we state its source: data about suppliers/business partners comes from the inbound invoices or business records themselves; billing/payment data may come from our payment provider (Stripe). Document content is processed exclusively to provide the service and exclusively transiently (zero-retention, section 1).
5. Recipients and service providers; third-country transfers
We engage the following service providers (full list and roles: /en/subprocessors):
- Scaleway SAS — EU cloud infrastructure — compute (incl. GPU), object storage, databases, and queues. All document processing and platform operations run on this infrastructure. (France (Paris, fr-par-2))
- Stripe Payments Europe, Ltd. — Subscription billing, payment processing (cards + SEPA Direct Debit), and VAT calculation (Stripe Tax). HexWorld is the merchant of record. Stripe receives account, billing, and payment data only — never document content. (Ireland)
- Scaleway S.A.S. (Transactional Email / TEM) — Delivery of transactional email — sign-in one-time codes (OTP), security and account notifications, billing receipts; no marketing. Same legal entity as the infrastructure entry above. (France (Paris, fr-par))
- mailbox.org (Heinlein Hosting GmbH) — Business email mailboxes — receiving and answering messages sent to our published contact addresses (privacy, support, security, and sales enquiries). (Germany (Berlin))
Document processing takes place entirely in the EU/EEA (Scaleway, fr-par-2); our email mailboxes are also located in the EU (mailbox.org, Berlin). Data is transferred to a third country only as part of payment processing (Stripe, Inc., USA), and only with documented safeguards (EU Standard Contractual Clauses + EU-US Data Privacy Framework — see the service-provider list). You can obtain a copy of these safeguards (in particular the EU Standard Contractual Clauses) from us on request at info@hexworld.eu (Art. 13 (1) f GDPR).
6. Contacting us by email
When you contact us by email (e.g. support, sales, security or privacy enquiries), we process your sender address, the subject line and the content of your message in order to handle the enquiry. The legal basis is Art. 6 (1) b GDPR (initiating or performing a contract) or Art. 6 (1) f GDPR (legitimate interest in answering enquiries). Our mailboxes are operated by a German provider (mailbox.org, Berlin — see the service-provider list); processing takes place in the EU. We keep correspondence for as long as needed to handle it; business correspondence is subject to statutory retention periods (6 or 10 years, §257 HGB / §147 AO).
7. Your rights
You have the right of access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18) and data portability (Art. 20). We do not store document content (section 1) — requests therefore concern account, sign-in, usage, billing, log and correspondence data. You can delete your account yourself at any time in your account settings (Account → Delete account), or request deletion informally by email to info@hexworld.eu; we respond within one month (Art. 12 (3) GDPR). After account deletion, only content-free, pseudonymized evidence and counter records remain (billing counters, deletion audit, terms acceptance — checksums only), plus a one-way hash of your email address to prevent repeated free-trial sign-ups (abuse prevention) and invoice data within statutory retention periods (§147 AO). You have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR): Sächsische Datenschutz- und Transparenzbeauftragte, Maternistraße 17, 01067 Dresden (www.datenschutz.sachsen.de).
Right to object (Art. 21 GDPR): Where we process data based on Art. 6 (1) f GDPR (e.g. abuse prevention, operational logs), you have the right to object at any time, on grounds relating to your particular situation. We will then no longer process the data concerned unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims. Contact: info@hexworld.eu.
8. Automated decision-making (Art. 22 GDPR)
We make no solely automated decisions that produce legal effects concerning you or similarly significantly affect you. For abuse prevention, our system automatically flags unusually compute-heavy usage for an internal review — this flag is purely internal and has no effect whatsoever on your account. Any restriction or suspension of an account is decided exclusively by a human, and every such decision is traceably documented.
9. Obligation to provide data (Art. 13 (2) e GDPR)
Using HexRead requires an account, for which an email address is needed. Paid subscriptions additionally require payment details, which are collected directly by our payment provider. Without this information we cannot enter into or perform the respective contract. Beyond that, there is no statutory or contractual obligation to provide us with data.
10. Cookies and local storage
HexRead sets no tracking or advertising cookies and embeds no third-party trackers. The only items used are:
- a strictly necessary, first-party
__Host-session cookie (HttpOnly, Secure, SameSite; 24-hour lifetime) for signed-in users, plus a short-lived__Host-sign-in cookie (10 minutes) during the sign-in flow (§ 25 (2) no. 2 of the German TDDDG); - an optional theme cookie
hx-theme(lifetime up to 1 year), set only when you explicitly choose the light or dark design — it carries your choice over to the sign-in page and is removed as soon as you follow the system setting; the same preference is kept as a "theme" entry in your browser's localStorage (never leaves your device); - ALTCHA as a cookieless, self-hosted proof-of-work protection at the sign-in/sign-up boundaries (no third-party transmission).
Since only strictly necessary or explicitly requested first-party storage is used (§ 25 (2) TDDDG), no consent banner is required; this notice suffices.
11. Technology used
Document conversion runs exclusively on EU infrastructure using one of the following open-source AI models (selected per job by you or automatically), operated under cleared open-source licenses (Apache-2.0/MIT):
- MinerU 2.5 — "Powered by MinerU"
- Granite-Docling — "Powered by Granite-Docling (IBM)"
- PaddleOCR-VL — "Powered by PaddleOCR-VL (PaddlePaddle)"
12. Changes to this policy
We update this privacy policy when the service or the legal situation changes. The version published here applies; the date of the last revision is shown at the top of the page. We will inform signed-in users of material changes in an appropriate manner.