onvert ("we", "us") is built on a simple principle: your files never leave your device. Image conversion runs entirely in your web browser using WebAssembly. We do not receive, upload, store, or have any access to the images you convert. This policy explains the limited personal data we do process, and your rights under the EU General Data Protection Regulation (GDPR).
1. Data controller
The controller responsible for your data is Luca Vittorio Bartoccini, operator of onvert (onvert.app). You can contact us at any time at [email protected].
2. The data we process
- Your files (free converter): processed locally in your browser and never transmitted to us. We have no copy of, and no access to, your images.
- Technical & security data: when you load the site, our hosting and network provider (Cloudflare) processes standard technical information such as IP address, browser type, and request timestamps to deliver the site and protect it from abuse.
- Usage analytics: we use Umami, a privacy-friendly, cookieless analytics tool that we self-host. It records aggregate, anonymous usage (such as page views and approximate country) without cookies, without cross-site tracking, and without building advertising profiles. This data is not shared with any third party.
- Correspondence: if you email us, we process the contents of your message to respond.
- Future Pro features (PDF / OCR): these optional, paid features will require uploading a file to a server for processing. They will operate only with your explicit consent, files will be deleted immediately after processing, and this policy will be updated before they launch.
3. Legal bases
- Technical/security data and cookieless analytics: our legitimate interest in providing and securing the service (Art. 6(1)(f) GDPR).
- Responding to your correspondence: legitimate interest (Art. 6(1)(f)).
- Paid Pro features (when available): performance of a contract (Art. 6(1)(b)) and your explicit consent for any file upload.
4. Cookies
We use only strictly necessary technical storage and cookieless analytics. We do not use tracking or advertising cookies. Because no information is stored on or read from your device for tracking purposes, no cookie consent banner is required.
5. Recipients & processors
We keep third parties to a minimum. We rely on Cloudflare (website hosting, CDN, security, and email forwarding) as a processor. Our analytics is self-hosted (Umami) and not shared. When paid plans launch, payments will be handled by Paddle as merchant of record, and any OCR/AI processing vendor used for Pro features will act as a processor under a data processing agreement.
6. International transfers
Where a provider processes data outside the European Economic Area, appropriate safeguards apply (such as the European Commission's Standard Contractual Clauses or an adequacy decision).
7. Retention
Technical and security logs are retained only as long as necessary for security and then deleted or anonymised. Aggregate analytics contain no identifying information. Any files uploaded for future Pro features are deleted immediately after processing.
8. Your rights
You have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing based on legitimate interest. To exercise these rights, contact [email protected]. You also have the right to lodge a complaint with your local supervisory authority — in Italy, the Garante per la protezione dei dati personali (garanteprivacy.it).
9. Changes
We may update this policy from time to time. Material changes will be reflected here with a new "last updated" date.