PDFOnly
Get started

GDPR-compliant PDF processing

PDF tools that respect GDPR: data minimization, purpose limitation, user rights, EU data residency on Enterprise. No AI training on your files.

Open Compress PDF

GDPR sets a high bar for processing personal data — including the personal data inside the PDFs you upload to a tool. Compliance isn't just about ticking a box; it's about substantive controls: data minimization (we hold only what's needed), purpose limitation (we use it only for processing, not analytics or AI training), user rights (you can export or delete your data on request), and breach notification within 72 hours of detection.

PDFOnly is GDPR-compliant out of the box. Files auto-delete within an hour by default — that's data minimization in action. We don't analyze your files for marketing, advertising, or AI model training — that's purpose limitation. You can request export or deletion of your account data at [email protected] and we respond within 30 days. For organizations needing formal data residency in the EU, Enterprise provides EU-only data processing. For organizations needing a Data Processing Agreement (DPA), we sign the standard EU Commission template.

Related tools

Frequently asked questions

Where is my data processed?

Standard tier: in our primary processing region (currently US). Enterprise tier: pick EU, US, or other regions for data residency. EU residency is required for some GDPR contexts (especially when handling EU citizen data combined with restricted-transfer concerns under post-Schrems II rules).

Do you sign a Data Processing Agreement?

Yes — we'll sign the standard EU Commission DPA template, or your own DPA if it's reasonable. Contact [email protected] to start the process. Free tier users typically don't need a DPA (you're a controller for your own personal use). Pro and above for business use cases that require one.

How do I request deletion of my data?

Email [email protected] from the email associated with your account. We confirm identity, then delete all account data, files, and processing history within 30 days. Anonymized aggregate analytics (e.g. 'X compress jobs ran in March') are retained because they don't contain personal data; everything else is removed.