Privacy Policy

1. Introduction

1.1 About This Policy

This Privacy Policy explains how E1, operating as Bridge PDF ("we," "us," "our," or "Bridge PDF"), collects, uses, shares, and protects personal information when you use our document sharing and analytics platform.

1.2 Data Controller Information

E1 Société à responsabilité limitée unipersonnelle (EURL) 12 Rue Vauban, 69006 Lyon, France SIREN: 935 101 618 SIRET: 935 101 618 00012 VAT Number: FR70935101618

Privacy Contact: support@bridgepdf.com

1.3 Our Role

Bridge PDF acts in different capacities depending on the data:

• Account Data | Data Controller | We determine how registered user data is processed.

• Visitor Analytics | Data Processor | We process visitor data on behalf of our users (who are the data controllers for their visitors).

1.4 Scope

This policy applies to:

• Our website at bridgepdf.com

• Our application at app.bridgepdf.com

• Document viewers accessed via Shared Links

• All related services and features

2. Information We Collect

2.1 Information from Account Holders (Registered Users)

When you create an account, we collect:

• Identity | Name | Account identification, communications

• Contact | Email address | Account management, notifications, support

• Authentication | Password (hashed), MFA secrets (encrypted) | Account security

• Preferences | Timezone, language/locale | Personalized experience

• Usage | Last login date, account status | Service operation, security

Email normalization: We normalize email addresses by removing "+" aliases (e.g., user+tag@example.com becomes user@example.com) to prevent duplicate accounts.

2.2 Information from Document Visitors

When someone views a document via a Shared Link, we automatically collect:

• Network | IP address | Security, geographic location

• Location | City, region, country (derived from IP via ip-api.com) | Analytics for document owners

• Device | Browser type, operating system, device type | Analytics, compatibility

• Technical | User agent string, screen dimensions | Analytics, viewer optimization

• Engagement | Pages viewed, time on each page, scroll depth | Analytics for document owners

• Interactions | Clicks, text selections, zoom levels, downloads | Detailed engagement analytics

• Referrer | HTTP referrer (how they arrived) | Traffic source analytics

2.3 Lead Capture Data (Form Submissions)

When visitors submit forms before accessing documents, we collect:

• Email address (required for lead identification)

• Phone number (if requested by the form)

• Name (if provided, or auto-generated from email)

• Custom fields (any additional fields configured by the document owner)

2.4 Payment Information

When you subscribe to a paid plan:

• Payment is processed by Stripe.

• We do not store credit card numbers, CVV, or full payment details.

• We store: Stripe customer ID, subscription ID, plan information, and transaction history.

• For billing purposes, Stripe may collect your name, email, and billing address.

2.5 Automatically Collected Information

We automatically collect:

• Cookies and session data (see our Cookie Policy)

• Server logs (IP addresses, access times, pages requested)

• Error reports (via Sentry, for debugging purposes)

3. How We Use Your Information

3.1 To Provide the Service

• Create and manage your account

• Process your subscriptions and payments

• Store and deliver your documents

• Generate and provide analytics on document engagement

• Enable team collaboration features

• Send transactional emails (password resets, notifications, receipts)

3.2 To Improve the Service

• Analyze usage patterns to improve features

• Debug errors and fix issues

• Develop new features based on anonymized usage data

• Monitor and ensure service performance

3.3 To Communicate With You

• Respond to support requests

• Send important service updates

• Notify you of changes to our terms or policies

• Send marketing communications (only with your opt-in consent)

3.4 For Security and Compliance

• Detect and prevent fraud, abuse, and security threats

• Enforce our Terms of Service

• Comply with legal obligations

• Respond to lawful requests from authorities

3.5 Aggregated Data

We may use anonymized and aggregated data for:

• Internal analytics and reporting

• Service improvement

• We do not use aggregated data for external marketing purposes

4. Legal Bases for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process personal data based on the following legal grounds:

• Contract Performance | Processing necessary to provide the Service (account management, document storage, analytics)

• Legitimate Interests | Security monitoring, fraud prevention, service improvement, customer support

• Consent | Marketing communications, optional analytics cookies

• Legal Obligation | Compliance with tax laws (invoice retention), responding to legal requests

4.1 Legitimate Interests Assessment

Our legitimate interests include:

• Operating and improving our Service

• Preventing fraud and abuse

• Understanding how our Service is used

• Providing customer support

We balance these interests against your privacy rights and ensure processing is proportionate and respects your fundamental rights.

5. How We Share Your Information

5.1 We Do Not Sell Your Data

Bridge PDF does not sell, rent, or trade your personal information to third parties for their marketing purposes.

5.2 Service Providers (Sub-processors)

We share data with the following third-party service providers who process data on our behalf:

• AWS / Laravel Cloud | Hosting infrastructure | United States | All service data

• Elest.io (ClickHouse) | Analytics database | [Check current location] | Visitor analytics

• Bunny CDN | File storage and delivery | Global (CDN) | Uploaded documents

• Stripe | Payment processing | United States | Payment, billing info

• Brevo | Transactional emails | European Union | Email, name

• Substack | Newsletter | United States | Email (opt-in only)

• Sentry | Error monitoring | United States | Error logs, anonymized usage

• ip-api.com | IP geolocation | Germany | Visitor IP addresses

• DataFast | Marketing analytics (website only) | [Check location] | Website usage

• Google OAuth | Social login (optional) | United States | Email, name (if used)

• PDF.js Express | Document viewer | United States | Document rendering data

All sub-processors are contractually bound to protect your data and use it only for the specified purposes.

User-Configurable Integrations (when enabled by user):

• HubSpot | CRM integration | United States | Lead data

• Salesforce | CRM integration | United States | Lead data

• Pipedrive | CRM integration | European Union | Lead data

• Slack | Notifications | United States | Visit notifications

• Microsoft Teams | Notifications | United States | Visit notifications

• Zapier | Automation | United States | Event data

These services only receive data when explicitly enabled by users. Users control which integrations are active and what data is shared.

5.3 Document Owners

When you view a document via a Shared Link:

• The document owner (our user) receives analytics about your visit.

• Analytics include: location (city/country), device type, pages viewed, time spent, engagement metrics.

• If you submit a form, the owner receives your form responses (email, phone, custom fields).

The document owner is the data controller for the analytics and lead data collected about you.

5.4 User-Configurable Integrations (Scale/Enterprise)

Users on Scale and Enterprise plans can connect Bridge PDF to external services. When enabled, personal data

may be transmitted to these third-party services.

5.4.1 Available Integrations

• HubSpot | Lead contact info (email, name, phone)

• Salesforce | Lead contact info (email, name, phone)

• Pipedrive | Lead contact info (email, name, phone)

• Slack | Visitor name/email, document name, timestamps

• Microsoft Teams | Visitor name/email, document name, timestamps

• Gmail (Chrome Extension) | PDF attachments you select; no email content

• Zapier | Event data (document, visit, user events)

• Webhooks | Event data as configured by user

5.4.2 How Integration Data Sharing Works

CRM Integrations (HubSpot, Salesforce, Pipedrive):

• Lead contact information is sent to the CRM when a visitor submits a form.

• Users can create Bridge PDF documents directly from documents stored in these CRMs.

• Data flows primarily from Bridge PDF to the CRM; document imports flow from CRM to Bridge PDF.

Notification Integrations (Slack, Microsoft Teams):

• Notifications are sent when configured events occur (e.g., new visit, new lead).

• Notification content includes basic visitor information: name, email (if captured), document name, and timestamp.

• Users configure which events trigger notifications.

Automation Integrations (Zapier, Webhooks):

• Events trigger data transmission to user-configured endpoints.

• Available event types: document created/deleted, shared link created, visit created, user created/deleted.

• Data is sent without filtering—all event data fields are transmitted as-is.

Gmail Chrome Extension:

• Only accesses PDF file attachments that you explicitly select.

• Does not read email content, subject lines, or other email data.

• Allows uploading attachments to Bridge PDF and inserting shared links into emails.

5.4.3 Authentication and Credentials

• Integration connections use OAuth or API keys depending on the service.

• Authentication credentials are stored encrypted in our database.

• You can disconnect integrations at any time from your account settings.

5.4.4 Data Retention in Third-Party Services

• Data already transmitted remains in third-party services after you disconnect an integration.

• Bridge PDF cannot delete data from third-party services on your behalf.

• You are responsible for managing and deleting data in connected services according to their policies.

5.4.5 Your Responsibilities

When using integrations, you are responsible for:

• Ensuring you have the right to share data with third-party services.

• Complying with the privacy policies and terms of connected services.

• Informing affected individuals about data sharing where required by law.

• Securing any custom webhook endpoints you configure.

5.5 Legal Requirements

We may disclose your information if required by law or in response to:

• Court orders or legal processes

• Government or regulatory requests

• To protect our rights, property, or safety

• To investigate potential violations of our Terms

5.6 Business Transfers

If Bridge PDF is acquired, merges, or sells assets, your information may be transferred. You will be notified of any such change and your choices regarding your data.

6. International Data Transfers

6.1 Transfer Locations

Bridge PDF is operated by E1, a French company. However, we use service providers located in:

• United States (AWS, Stripe, Sentry, Substack, Google)

• European Union (Brevo)

• Germany (ip-api.com)

• Global (Bunny CDN)

6.2 Safeguards for Transfers

For transfers outside the European Economic Area (EEA), we ensure adequate protection through:

• Standard Contractual Clauses (SCCs): Approved by the European Commission for transfers to third countries.

• Adequacy Decisions: Where the destination country has been deemed adequate by the European Commission.

• Binding Corporate Rules: Where applicable.

6.3 EU-US Data Privacy Framework

Some of our US-based providers participate in the EU-US Data Privacy Framework, providing additional safeguards for EU data.

7. Data Retention

7.1 Account Data

Data TypeRetention PeriodAccount informationUntil account deletion, then immediately deletedDocumentsUntil deleted by user or account terminationTeam/organization dataUntil account termination

7.2 Visitor Analytics

Retention depends on the document owner's subscription plan:

• Demo | 7 days

• Launch | 30 days

• Scale | 90 days

• Enterprise | Unlimited (or as agreed)

When a document is deleted, all associated analytics data is also deleted.

7.3 Lead Data

Lead data (form submissions) is retained until:

• The document owner deletes it, or

• The document owner's account is terminated

7.4 Legal Requirements

We may retain certain data longer when required by law:

• Invoices and billing records: 10 years (French tax law)

• Legal dispute records: Duration of proceedings plus applicable statute of limitations

8. Your Privacy Rights

8.1 Rights Under GDPR (EEA Residents)

If you are in the European Economic Area, you have the following rights:

• Access | Request a copy of your personal data

• Rectification | Request correction of inaccurate data

• Erasure | Request deletion of your data ("right to be forgotten")

• Restriction | Request limited processing of your data

• Portability | Request your data in a portable format

• Objection | Object to processing based on legitimate interests

• Withdraw Consent | Withdraw consent for consent-based processing

8.2 How to Exercise Your Rights

To exercise your rights, contact us at:

Email: support@bridgepdf.com

We will respond within 30 days (or 60 days for complex requests, with notice).

We may request verification of your identity before processing requests.

8.3 Right to Lodge a Complaint

If you are unsatisfied with our response, you may lodge a complaint with your local data protection authority. In France:

CNIL (Commission Nationale de l'Informatique et des Libertés) 3 Place de Fontenoy TSA 80715 75334 Paris Cedex 07 France Website: cnil.fr

8.4 Data Export

To request an export of your data, contact support@bridgepdf.com. We will provide your data in a commonly used electronic format.

Note: Self-service data export is not currently available but planned for future releases.

9. California Privacy Rights (CCPA/CPRA)

9.1 Applicability

This section applies to California residents and supplements the information in this Privacy Policy.

9.2 Categories of Personal Information

In the preceding 12 months, we have collected the following categories of personal information:

• Identifiers | Name, email, IP address, account ID | Yes

• Customer Records | Billing information, subscription details | Yes

• Internet Activity | Browsing history, interactions with our Service | Yes

• Geolocation | City, region, country (from IP) | Yes

• Professional Information | Company name (if provided) | Yes

• Inferences | Engagement scores, behavior patterns | Yes

  
  

  9.3 Sources of Information

We collect personal information from:

• Directly from you (account registration, form submissions)

• Automatically (cookies, analytics, server logs)

• Third parties (payment processors, authentication providers)

9.4 Purposes for Collection

We use personal information for the purposes described in Section 3 of this policy.

9.5 Sale of Personal Information

We do not sell personal information.

We do not share personal information with third parties for monetary consideration. We share data with service providers only to operate our Service.

9.6 Your California Rights

As a California resident, you have the right to:

• Right to Know | Request disclosure of personal information collected about you

• Right to Delete | Request deletion of your personal information

• Right to Correct | Request correction of inaccurate information

• Right to Opt-Out | Opt out of the sale of personal information (not applicable: we don't sell)

• Non-Discrimination | We will not discriminate against you for exercising your rights

9.7 Exercising Your Rights

To exercise your California privacy rights:

• Email: support@bridgepdf.com

• Subject line: "California Privacy Request"

We will verify your identity using your account email. Authorized agents may submit requests on your behalf with written authorization.

9.8 Response Timing

We will respond to verified requests within 45 days (or 90 days with notice for complex requests).

10. Cookies and Tracking

10.1 Cookies We Use

We use the following types of cookies:

• Essential | Required for Service functionality | Session cookies, CSRF tokens, authentication

• Analytics | Understand usage and improve Service | First-party usage tracking

• Functional | Remember preferences | Language, timezone

10.2 Third-Party Cookies

Third-party services may set their own cookies:

• Stripe: Payment processing

• DataFast: Marketing website analytics

10.3 Managing Cookies

You can manage cookies through:

• Your browser settings

• Our cookie consent banner (where applicable)

Blocking essential cookies may affect Service functionality.

For full details, see our Cookie Policy.

11. Security Measures

11.1 Technical Safeguards

We implement industry-standard security measures:

• Encryption: All data transmitted via HTTPS/TLS

• Password Security: Passwords are hashed using bcrypt/argon2

• Sensitive Data Encryption: MFA secrets and recovery codes are encrypted at rest

• Access Controls: Role-based access to systems and data

• Regular Backups: Automated backups with encryption

11.2 Organizational Safeguards

• Limited access to personal data on a need-to-know basis

• Contractual data protection obligations with service providers

• Regular security reviews

11.3 Incident Response

In the event of a data breach:

• We will investigate promptly

• We will notify affected users without undue delay (within 72 hours for GDPR-relevant breaches)

• We will notify relevant supervisory authorities as required

• We will take steps to mitigate harm

11.4 No Absolute Security

While we take security seriously, no system is 100% secure. We cannot guarantee absolute security of your data.

12. Children's Privacy

12.1 Age Requirement

Bridge PDF is intended for business use by individuals aged 16 years or older.

12.2 No Collection from Children

We do not knowingly collect personal information from children under 16. If we learn that we have collected data from a child under 16, we will delete it promptly.

12.3 Reporting

If you believe we have collected information from a child under 16, please contact us immediately at support@bridgepdf.com.

13. Document Viewer and Visitor Consent

13.1 Tracking Notice

When visitors access documents via Shared Links, Bridge PDF:

• Collects analytics data as described in Section 2.2

• Provides a consent mechanism through the document viewer

• Informs visitors about data collection

13.2 Visitor Choices

Visitors viewing documents have limited choices:

• View the document with tracking enabled (required for analytics features)

• Close the document to avoid further tracking

13.3 Document Owner Responsibility

Document owners (our users) are data controllers for visitor analytics. They are encouraged to:

• Inform their recipients about tracking when sharing documents

• Use optional consent fields in lead capture forms when appropriate

• Handle visitor data in compliance with applicable laws

14. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.

15. Changes to This Policy

15.1 Notification of Changes

We may update this Privacy Policy from time to time:

• Minor changes: Posted on this page with updated date

• Material changes: We will notify you via email at least 30 days before they take effect

15.2 Continued Use

Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

15.3 Previous Versions

Previous versions of this policy are available upon request.

16. Data Processing Agreement (DPA)

16.1 Availability

A Data Processing Agreement (DPA) is available for Enterprise plan customers who require one for GDPR compliance.

16.2 Request a DPA

To request a DPA, contact us at support@bridgepdf.com with subject line "DPA Request."

17. Contact Us

For questions, concerns, or requests regarding this Privacy Policy:

E1 (Bridge PDF) 12 Rue Vauban 69006 Lyon, France

Email: support@bridgepdf.com Website: bridgepdf.com

We aim to respond to all inquiries within 5 business days.

By using Bridge PDF, you acknowledge that you have read and understood this Privacy Policy.