Data retention
What we store, for how long, and why. The short version: the documents you send and the PDFs we return are never persisted — we keep only the metadata needed to bill, audit, and operate.
Render content — never persisted
The HTML you submit, any URL we fetch, and the PDF we return all live in process memory for the duration of the request only. Nothing is written to disk — the only writable mount on our render containers is an in-memory tmpfs scoped to a single request. Worker processes are recycled after a bounded number of requests to prevent cross-request residue. See /security for the underlying controls.
Retention schedule
| Data | Retention | Purpose |
|---|---|---|
| Submitted HTML / URL body | 0 — process memory only | Render the request. |
| Generated PDF output | 0 — process memory only | Stream back in the response. |
| Render audit entry (timestamp, status, byte count, duration, API key prefix) | 90 days, then auto-deleted | So you can see your render history in the dashboard, and so we can investigate abuse. |
| Monthly usage counter | Indefinite (rolled up per calendar month) | Plan-limit enforcement and billing. |
| Account record (email, hashed password) | For the life of the account; 30 days after deletion request | Authentication; recovery window after deletion. |
| API key (Argon2id hash only) | Until revoked by the account holder | Authenticate render calls. |
| Access log (metadata only) | 30 days at the platform layer | Operational debugging. Contains no request body and no PDF. |
| Error report (Bugsink, self-hosted) | 90 days | Triaging exceptions. PII, request bodies, and local variables are scrubbed before submission. |
| Billing record (Mollie invoices) | 10 years | EU statutory accounting requirement. |
Deletion & export
Email dpo@pdfserve.eu from your account address to request deletion or export. Because we hold no document content, most requests reduce to deleting your account record and audit entries. We respond within 30 days as required by the GDPR.