1. Who is responsible?
FileMorph is operated by Lennart Seidel, Reetwerder 25b, 21029 Hamburg, Germany. Contact: [email protected]. See Impressum for full contact details.
2. What data we process
2a. Uploaded files: Files you upload for conversion or compression are processed entirely server-side and deleted immediately after the converted output is returned to you. No file content is stored, logged, or retained in any form.
2b. User accounts (Cloud Edition): If you register an account, we store your email address, a bcrypt hash of your password (never the plaintext), your subscription tier, your account creation timestamp, and — once you upgrade to a paid tier — the Stripe customer identifier that links your account to Stripe. Account data is persisted in our PostgreSQL database for the lifetime of your account and erased on deletion request (Art. 17 GDPR).
2c. Transactional emails: When you request a password reset, we generate a single-use token (valid for 30 minutes) and send it to your registered email address as a reset link. The outgoing message is delivered from [email protected] via our email provider (see § 3a). We do not send marketing emails.
2d. Server logs: Our web server automatically records standard access log data for each request: IP address, request timestamp, HTTP method, URL path, response status code, and response size. Application-level events (logins, password-reset requests, subscription changes) are logged as structured JSON without plaintext email addresses — only the email domain is kept for debug purposes. Logs are rotated by the hosting infrastructure under standard operational policies (typically up to 30 days) and accessed only for security, abuse-detection, and debugging.
2e. API keys: If you generate an API key (via the dashboard or command-line tool), only the SHA-256 hash of your key is stored. The plaintext key is shown to you exactly once at creation time and is never persisted on our servers.
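As an illustration added to this page (it is not FileMorph's own code), the following Python sketch shows the two practices described in 2d and 2e together: an API key whose only persisted form is its SHA-256 hash, returned to the user exactly once, and the structured JSON application event for its creation, which records the account's email domain rather than the address. The in-memory KEY_STORE, the fm_ key prefix and the event name api_key.created are assumptions made for the example.

```python
"""Added example (not FileMorph's code): issue an API key so that only its
SHA-256 hash is stored, and log the creation as structured JSON that carries
the email domain only (policy sections 2d and 2e)."""
import hashlib
import json
import secrets
from datetime import datetime, timezone

# Constructed stand-in for the database table holding key hashes.
# Assumption: one row per key, indexed by hex digest; plaintext is never stored.
KEY_STORE: dict[str, dict] = {}


def hash_api_key(plaintext: str) -> str:
    """SHA-256 of the key; the only form that ever reaches storage."""
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def email_domain(email: str) -> str:
    """Reduce an address to its domain for logging: 'alice@example.org' -> 'example.org'."""
    _local, sep, domain = email.rpartition("@")
    if not sep or not domain:
        return "<invalid>"
    return domain.lower()


def log_event(event: str, **fields) -> str:
    """Emit one structured JSON log line; callers pass already-redacted fields."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields}
    line = json.dumps(record, sort_keys=True)
    print(line)
    return line


def issue_api_key(user_id: int, email: str) -> str:
    """Create a key, persist only its hash, log the event, return the plaintext once."""
    plaintext = "fm_" + secrets.token_urlsafe(32)  # the fm_ prefix is an assumption
    digest = hash_api_key(plaintext)
    KEY_STORE[digest] = {
        "user_id": user_id,
        "created": datetime.now(timezone.utc).isoformat(),
    }
    # No plaintext key and no plaintext email in the log record.
    log_event("api_key.created", user_id=user_id, email_domain=email_domain(email))
    return plaintext  # shown to the user exactly once; not kept anywhere


def lookup_api_key(presented: str):
    """Authenticate a presented key by hashing it and looking the digest up.

    A direct dict lookup is acceptable here: the digest is derived from a
    256-bit random secret, so timing differences on the lookup do not help
    an attacker guess the key."""
    row = KEY_STORE.get(hash_api_key(presented))
    return row["user_id"] if row else None
```

A leaked database dump therefore contains only digests, and a key presented later is verified by recomputing the same digest; the log line can be shipped to a debugging tool without carrying the address itself.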
3. Legal basis (GDPR Art. 6)
Account creation, paid subscriptions, and transactional emails are processed on the basis of Art. 6(1)(b) GDPR (performance of a contract). Server-log processing, rate-limiting, and abuse prevention are based on our legitimate interest (Art. 6(1)(f) GDPR) in operating a secure and reliable service.
3a. External services (Sub-Processors)
To operate FileMorph we rely on the following sub-processors. Each one receives only the minimum data needed for its task:
Stripe (payments): When you upgrade to a paid tier, we create a Stripe customer record containing your email address and an internal user identifier, then redirect you to checkout.stripe.com to complete payment. Stripe handles all card details directly — FileMorph never sees or stores your card data. After checkout, Stripe returns a customer identifier which we store to manage your subscription. Stripe is a US-based company; the transfer is covered by the EU Standard Contractual Clauses under Stripe's Data Processing Agreement. Legal basis: Art. 6(1)(b) GDPR. See Stripe's privacy policy.
Zoho Mail (transactional email): Password-reset and other account-related emails are delivered through Zoho Mail (smtp.zoho.eu, hosted in Frankfurt, EU). Zoho receives the recipient address and the email contents (including the reset link). Legal basis: Art. 6(1)(b) GDPR. See Zoho's privacy policy.
4. Hosting
This service is hosted by Hetzner Online GmbH, Germany (Frankfurt data centre). Your requests are routed through Cloudflare's network for DDoS protection and performance. See Hetzner's privacy policy and Cloudflare's privacy policy for their data processing terms.
5. Your rights (GDPR)
You have the right to access, rectify, erase, and restrict processing of your personal data (Art. 15–21 GDPR). To exercise these rights, contact us at [email protected]. You also have the right to lodge a complaint with your local data protection authority.
Account deletion: Free accounts can be deleted via the API (DELETE /api/v1/auth/account) after a three-field re-confirmation (your password, your email, and the literal word DELETE). The cascade removes your login credentials and API keys; conversion-job and usage-record entries are anonymised (your account ID is nulled, the rows are kept as anonymous aggregate data under Art. 4(1) GDPR). A confirmation email is sent after the row is gone.
Accounts that have ever been linked to Stripe cannot use the self-service path yet — German commercial law (HGB § 257, AO § 147) requires a 10-year retention of tax-relevant records under Art. 17(3)(b) GDPR. For these accounts, contact [email protected]. Stripe may retain records of past transactions independently of our deletion, to comply with its own legal and tax obligations.
6. No cookies, no tracking
FileMorph sets no cookies on its own domain and runs no tracking or analytics scripts. A small number of keys are written to your browser's localStorage only while you are signed in:
fm_access_token / fm_refresh_token: your JWT session tokens; strictly necessary to keep you signed in.
filemorph_api_key: optional; remembers the API key shown in your dashboard across reloads so you don't need to paste it again. Cleared on logout.
These entries fall under the "strictly necessary" exemption of Art. 5(3) ePrivacy Directive / § 25 Abs. 2 Nr. 2 TTDSG and therefore do not require a consent banner. For anonymous usage, nothing is stored in your browser at all.
When you start a paid-tier upgrade, you are redirected to Stripe Checkout on the stripe.com domain, which sets its own cookies. That is outside FileMorph's control and is governed by Stripe's privacy policy.
Our pages load no external resources. All CSS (including Tailwind), JavaScript, fonts, and images are served from the FileMorph domain; your browser never contacts a third-party CDN to render the site.
7. Rate limiting & abuse prevention
We apply a temporary in-memory rate limit (max. 10 requests per minute per IP address) to protect the service from abuse. IP addresses used by the rate limiter are processed transiently in memory only and are never written to disk or logs. Legal basis: Art. 6(1)(f) GDPR — legitimate interest in service stability and security.
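As an added illustration of the limiter described in this section (not FileMorph's own implementation), the Python class below keeps a per-IP sliding window entirely in process memory, using the policy's limit of 10 requests per minute. The injectable clock and the evict_idle method are assumptions for the example; eviction is included because a limiter that never forgets an address would keep IPs in memory beyond the window it actually needs.

```python
"""Added example (not FileMorph's code): per-IP sliding-window rate limiter
held only in memory, with eviction of addresses that have gone idle."""
import time
from collections import deque

LIMIT = 10       # requests allowed per window (from the policy)
WINDOW = 60.0    # window length in seconds (one minute)


class InMemoryRateLimiter:
    def __init__(self, limit: int = LIMIT, window: float = WINDOW, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock                    # injectable so tests can control time
        self._hits: dict[str, deque] = {}     # ip -> timestamps of requests inside the window

    def allow(self, ip: str) -> bool:
        """Return True if the request may proceed, False if the IP is over the limit."""
        now = self.clock()
        q = self._hits.setdefault(ip, deque())
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False                      # caller answers with HTTP 429
        q.append(now)
        return True

    def evict_idle(self) -> int:
        """Forget IPs with no request inside the window; returns how many were removed.

        Run periodically so that an address is held in memory no longer than the
        window itself; nothing here is ever written to disk or to a log."""
        now = self.clock()
        stale = [ip for ip, q in self._hits.items() if not q or now - q[-1] >= self.window]
        for ip in stale:
            del self._hits[ip]
        return len(stale)

    def tracked_ips(self) -> int:
        """Number of addresses currently held in memory."""
        return len(self._hits)
```

A rejected request is not appended to the window, so a client that keeps hammering the endpoint does not push its own unblock time further out; it is simply refused until its earliest counted request ages past 60 seconds.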
8. Changes to this policy
We may update this policy when the service changes. Accounts and billing are live as of April 2026; persistent file history (Cloud Edition Phase 2) is planned but not yet implemented. The date at the top indicates the current version.
9. Admin access (transparency)
Operator staff with the admin role can access an internal cockpit that lists registered email addresses in plaintext, along with subscription tier, account creation date, and Stripe subscription status — strictly for service operation, abuse response, and support. Admin actions (tier changes, role changes, deactivations) are recorded with the admin's user identifier, the target user's identifier, and the change performed, to enable internal auditing. Legal basis: Art. 6(1)(f) GDPR.