Legal

Privacy Policy

Last updated: 14 May 2026 (rev. 2)

Summary: Ragify processes your email address, uploaded PDF documents, and usage data to provide the service. Files are automatically deleted after 24 hours. We do not sell or share your data with third parties for marketing purposes. You have full rights over your data under the GDPR.

1. Data Controller

The data controller responsible for your personal data is Ragify. For any privacy-related requests or questions, contact us at privacy@ragify.it.

2. Data We Collect

2.1 Account data

When you register, we collect:

  • Email address used as your account identifier and for service communications.
  • Password stored and managed exclusively by Clerk (our identity provider) using industry-standard hashing. Ragify never stores or has access to your password.
  • Plan & usage subscription tier, pages processed, and billing status.

2.2 Uploaded documents

When you submit a PDF for processing, we temporarily store the file on secure cloud object storage (Cloudflare R2) solely to perform the parsing operation. This includes:

  • The PDF file itself, which may contain confidential, commercially sensitive, or legally privileged content.
  • Password-protected PDFs: the password you provide is used only during processing and is never stored in our database.
  • Parsed output files (JSON, Markdown, HTML, Tagged PDF) generated from your document.

All uploaded files and output files are automatically and permanently deleted from our servers within 30 days of processing. We recommend downloading your results promptly. Job records (metadata only, no file content) remain visible in your history after deletion.

2.3 Payment data

Payments are processed by Lemon Squeezy LLC, who acts as the Merchant of Record for all transactions. We do not store card numbers, CVV codes, or full payment details on our servers. We retain only a LemonSqueezy customer identifier to manage your subscription. LemonSqueezy's privacy policy applies to payment data: lemonsqueezy.com/privacy.

2.4 Technical and usage data

  • Session cookies set by Clerk to manage your authenticated session (see Cookie Policy for details).
  • Job metadata: processing options selected, page count, timestamps.
  • Server-side request logs (IP address, user agent) retained for up to 30 days for security monitoring.

3. Legal Bases for Processing (GDPR Art. 6)

  • Performance of a contract (Art. 6.1.b): Processing your account data and uploaded documents is necessary to provide the service you signed up for.
  • Legitimate interest (Art. 6.1.f): Server logs and security monitoring to protect the integrity of the platform.
  • Legal obligation (Art. 6.1.c): Retaining billing records as required by applicable tax and accounting laws.
  • Consent (Art. 6.1.a): Any optional marketing communications, where explicitly opted in.

4. Data Retention

Data typeRetention period
Uploaded PDF files30 days — auto-deleted on the 1st of each month
Parsed output files30 days — auto-deleted on the 1st of each month
File passwordsNot stored — used in-memory only
Account data (email, plan, usage)Until account deletion
Identity data (password, sessions)Managed by Clerk — see clerk.com/privacy
Job metadata (options, page count)Until account deletion
Payment / billing records7 years (legal obligation)
Server request logs30 days

5. Data Sharing and Third Parties

We do not sell your personal data. We share data only with the following service providers, who act as data processors under GDPR-compliant agreements:

  • Clerk Inc. — identity and authentication provider. Stores your email address, password (hashed), and session data on their infrastructure. Privacy policy: clerk.com/privacy.
  • Cloudflare R2 — cloud object storage for temporary file storage during processing.
  • Lemon Squeezy LLC — Merchant of Record, payment processing and tax collection for Pro and Business plans.

We may disclose data to competent authorities if required by law.

6. International Data Transfers

Our service providers may process data outside the European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission (GDPR Art. 46).

7. Your Rights (GDPR Chapter III)

As a data subject in the EEA, you have the following rights:

  • Right of access (Art. 15): Request a copy of your personal data.
  • Right to rectification (Art. 16): Correct inaccurate data — via Account Settings.
  • Right to erasure (Art. 17): Delete your account and all associated data.
  • Right to restriction (Art. 18): Request that we limit processing of your data.
  • Right to data portability (Art. 20): Receive your data in a machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interest.
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at privacy@ragify.it. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.

8. Security

We implement appropriate technical and organisational measures to protect your data, including: TLS encryption in transit, encrypted storage at rest, authentication and session management delegated to Clerk (SOC 2 Type II certified), and automatic file deletion. However, no system is completely secure — you should use a strong, unique password for your account.

9. Children's Privacy

Ragify is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has registered, contact us at privacy@ragify.it and we will delete the account promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email or by a prominent notice on the site at least 14 days before taking effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.