Privacy Policy
Last updated:
TeraConvert is built around a single rule: the files you convert never leave your device. This policy explains, in plain language, what other information we do collect when you visit teraconvert.com or use the TeraConvert desktop application, why we collect it, who processes it on our behalf, and the rights you have over it. It is written to align with India's Digital Personal Data Protection Act, 2023 and the EU/UK General Data Protection Regulation.
1. Who We Are
TeraConvert is a file conversion product operated by Yogendra Singh, an independent software developer based in Pune, Maharashtra, India. For the purposes of the EU/UK General Data Protection Regulation (GDPR), Yogendra Singh is the Data Controller for personal data processed through teraconvert.com and the TeraConvert desktop application. For the purposes of India's Digital Personal Data Protection Act, 2023 (DPDP Act), Yogendra Singh acts as the Data Fiduciary.
This Privacy Policy explains what we collect, why we collect it, where it goes, how long we keep it, and the rights you have over it. It applies to the website at teraconvert.com, all subdomains, and the TeraConvert desktop application for macOS.
2. The Core Promise: Your Files Never Leave Your Device
Every file conversion performed through TeraConvert, whether on the web application or the desktop application, happens entirely on your own machine. We do not upload, copy, store, scan, train on, share, or analyse the contents of files you convert.
Web application: conversions run inside your browser tab using in-browser APIs (Canvas, WebCodecs, WebAssembly, Web Workers). The file bytes never reach a server.
Desktop application: conversions run on your local operating system using Apple's built-in conversion tools on macOS (sips, textutil, qlmanage) together with standard open-source engines (FFmpeg, ImageMagick, Pandoc, Ghostscript, Tesseract, LibreOffice, Calibre, qpdf) installed through your operating system's package manager. The desktop application requires an internet connection only for one-time license activation, for receiving software updates, and, if you opt into crash reporting, for sending crash reports. None of these exchange your files; activation and updates carry only entitlement metadata, and crash reports never include file content, file names, or conversion data.
Where we say "personal data" or "your data" elsewhere in this policy, we are referring to the account, billing, analytics, and diagnostic information described below. We are not referring to the files you convert.
3. Information We Collect
We collect only what is necessary to run the service. Specifically:
Account data (via Clerk). When you create a TeraConvert account or sign in, our authentication provider Clerk collects your email address, your name (if provided), the OAuth provider identifier if you sign in with Google or another social provider, your IP address, and standard session metadata (device, browser, sign-in timestamps). This data is processed by Clerk on our behalf. We use it to create your account, authenticate sessions on the web and desktop apps, and handle the cross-app sign-in handoff between teraconvert.com and the desktop application.
Billing and license data (via Polar.sh). When you purchase a TeraConvert license, our payments provider Polar.sh collects your billing email, billing country, and payment instrument details (handled directly by Polar's PCI-DSS compliant payment processors; we never see or store your card number). Polar records your purchase and entitlement state. We read your customer record from Polar on demand when you visit your dashboard. We do not maintain a separate copy of your payment history on our own database.
License activation telemetry. When the desktop application activates, validates, or checks for an update, it sends a signed entitlement receipt, a machine label (for example "MacBook Pro"), and the current application version to our update proxy at teraconvert.com. We use this only to verify entitlement, deliver the correct platform build, and prevent over-activation. The standard web request metadata (IP address, user agent, timestamp) is logged by our hosting provider for short-term security and rate-limiting purposes.
Product analytics (Google Analytics 4). On the website, with your consent where required by law, we use Google Analytics 4 to understand which pages are viewed, which formats are popular, where visitors come from, and roughly where in the world they are located (city-level, derived from a truncated IP address). Google Analytics sets the _ga and _ga_* cookies in your browser. IP addresses are anonymised by Google Analytics 4 before storage.
Error and performance monitoring (Sentry). We use Sentry to capture unhandled exceptions, crash reports, and performance traces from the website, and from the desktop app only if you opt into crash reporting, so we can find and fix bugs. Sentry receives the technical context of the error (stack trace, browser or OS version, application version, route, and a redacted breadcrumb trail of recent actions). We do not use Sentry Session Replay; no recording of your screen, form fields, or the files you convert is ever captured. We do not deliberately send personal data to Sentry; if any reaches it through an error payload, it is incidental and subject to the retention rules below.
Support correspondence. If you email [email protected] or fill in a contact form, we receive whatever you put in your message (your email, your name if you sign it, and the contents of your message). We use it only to reply.
We do not collect: the contents of the files you convert, biometrics, health data, your contacts, your microphone or camera streams, or your location beyond a coarse city-level estimate from analytics.
4. Purposes of Processing
We process the data above to:
- create and authenticate your TeraConvert account,
- sell, deliver, validate, and update the TeraConvert desktop application,
- respond to your support requests,
- understand aggregate website usage so we can decide what to build next,
- detect, debug, and fix software defects and performance regressions,
- prevent abuse, fraud, and over-activation of device entitlements,
- comply with our legal, accounting, and tax obligations.
We do not use your personal data to train machine learning models. We do not sell your personal data. We do not share it with advertising networks.
5. Legal Basis for Processing
Under the DPDP Act, 2023, we process personal data for the lawful purposes of providing the service you have requested, with your consent where consent is required.
Under GDPR, our legal bases are:
- Contract (Article 6(1)(b)): to provide the TeraConvert service you have signed up for, including account creation, license delivery, and desktop application updates.
- Consent (Article 6(1)(a)): for non-essential analytics and marketing cookies, and for any optional communications.
- Legitimate interests (Article 6(1)(f)): to keep the service secure, prevent abuse, debug software defects, and understand aggregate usage. We have weighed these interests against your rights and concluded the processing is proportionate.
- Legal obligation (Article 6(1)(c)): to retain transaction records for the period required by tax and accounting law.
You can withdraw consent at any time using the cookie preferences control on the website or by contacting us. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
6. Cookies and Similar Technologies
We use a small number of cookies and equivalent browser storage mechanisms. They fall into three groups:
Strictly necessary: Clerk sets session cookies (__session, __client_uat and related) so we can keep you signed in across pages. Without these the service cannot function. These do not require consent under GDPR or DPDP.
Analytics: Google Analytics sets _ga and _ga_* cookies (retention up to 13 months) to record an anonymous identifier and aggregate page-view data. These load only after you choose "Accept all" on our consent banner; nothing analytics-related runs before then.
Preferences: localStorage entries store your theme (light or dark), language, and cookie consent choice so we do not ask you again on every visit.
When you first visit, a consent banner gives you "Accept all" and "Essential only" options, and Google Analytics loads only if you choose "Accept all". We apply that choice everywhere, not only where opt-in is legally required, so no analytics cookies are set until you accept. You can change your choice at any time by clicking "Manage cookie preferences" in the website footer.
7. Third-Party Services and Subprocessors
We use the following third-party services to operate TeraConvert. Each is contractually bound to process personal data only on our instructions and under a Data Processing Addendum (DPA) where applicable.
Clerk (Clerk Inc., USA): authentication, account management, sign-in token issuance. Privacy policy: https://clerk.com/legal/privacy.
Polar.sh (Polar Software Inc.): checkout, payment processing, entitlement management, customer portal, and distribution of desktop binaries. Polar relies on PCI-DSS compliant payment processors for card data. Privacy policy: https://polar.sh/legal/privacy.
Google Analytics 4 (Google LLC, USA): aggregate website analytics. Data is processed in the United States and other countries under the EU-US Data Privacy Framework and Standard Contractual Clauses. Privacy policy: https://policies.google.com/privacy. You can opt out site-wide by installing the Google Analytics opt-out browser add-on at https://tools.google.com/dlpage/gaoptout.
Sentry (Functional Software, Inc. dba Sentry, USA): error monitoring and performance tracing. Sentry self-certifies to the EU-US Data Privacy Framework and offers Standard Contractual Clauses. Privacy policy: https://sentry.io/privacy/. DPA: https://sentry.io/legal/dpa/.
Vercel (Vercel Inc., USA): hosting and content delivery for teraconvert.com. Standard web request logs are processed for security and rate-limiting. Privacy policy: https://vercel.com/legal/privacy-policy.
We will keep this list current. Material changes to our subprocessor roster will be reflected here with at least 30 days' notice where the change introduces a new category of data flow.
8. International Data Transfers
TeraConvert operates from India and uses service providers based primarily in the United States and the European Union. As a result, your personal data may be transferred to and processed in countries outside your country of residence.
Where personal data of individuals in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country that has not received an adequacy decision, we and our subprocessors rely on the EU-US Data Privacy Framework (where the recipient is self-certified) and on the European Commission's Standard Contractual Clauses (SCCs) as the transfer mechanism. For individuals in India, transfers are made to countries notified or otherwise permitted under the DPDP Act and applicable rules.
By using TeraConvert you understand that your data may be processed outside your home country under the safeguards described above.
9. Data Retention
We keep personal data only as long as we need it for the purpose for which it was collected, or as long as the law requires.
- Account data (Clerk): retained for the lifetime of your account. Deleted within 30 days of an account deletion request, except where we are required to retain transaction-linked records for tax purposes.
- Billing and license records (Polar): retained for the period required by Indian tax and accounting law (currently 7 years from the financial year of the transaction).
- License activation telemetry: retained for 90 days, then aggregated or deleted.
- Web request logs (Vercel): retained for up to 30 days for security and rate-limiting.
- Google Analytics: 14 months (the GA4 default we configure).
- Sentry error events: 90 days on our plan.
- Support correspondence: up to 3 years from the last message in the thread, or until you ask us to delete it, whichever is sooner.
10. Data Security
All traffic to and from teraconvert.com and the desktop update endpoints is encrypted in transit using HTTPS (TLS). Account passwords are never seen by us; they are hashed by Clerk before storage. Payment card data is handled entirely within Polar.sh and its underlying PCI-DSS compliant payment processors and never reaches our systems. Desktop application updates are cryptographically signed and verified before installation, so a tampered or substituted binary is rejected.
We follow the principle of least privilege when granting access to operational dashboards. Access is restricted to Yogendra Singh and is reviewed periodically.
No system connected to the internet is perfectly secure. We will notify you and the relevant regulator without undue delay if we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, in line with Article 33 GDPR and Section 8(6) of the DPDP Act.
11. Your Rights
Subject to the conditions set out in the DPDP Act, GDPR, and other applicable laws, you have the following rights over your personal data:
- Right of access: ask us what personal data we hold about you and receive a copy.
- Right to correction: ask us to correct inaccurate or incomplete personal data.
- Right to erasure: ask us to delete personal data we no longer need to process.
- Right to restrict or object to processing: in particular, processing based on legitimate interests or direct marketing.
- Right to data portability: receive your personal data in a structured, commonly used, machine-readable format.
- Right to withdraw consent: at any time, for any processing that relies on consent.
- Right to nominate (DPDP Act): nominate another person to exercise your rights in the event of death or incapacity.
- Right to grievance redressal (DPDP Act): raise a grievance with our Grievance Officer (see below).
- Right to lodge a complaint with a supervisory authority: the Data Protection Board of India (under the DPDP Act) or your local EU/UK supervisory authority (under GDPR).
To exercise any of these rights, email [email protected] from the address associated with your account. We will respond within 30 days. We may ask you to verify your identity before we act on a request.
12. Children's Privacy
TeraConvert is not directed at, and is not intended for use by, individuals under the age of 18. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us and we will delete it as soon as possible.
13. Grievance Officer (India)
In compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023, the Grievance Officer for TeraConvert is:
Yogendra Singh
Email: [email protected]
Location: Pune, Maharashtra, India
We acknowledge grievances within 48 hours and resolve them within 30 days of receipt, in line with the timelines set by Indian law.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the service, the subprocessors we rely on, or the law. The "Last updated" date at the top of this page shows when the current version took effect. For material changes that affect how we process your personal data, we will notify you by email (where we have your address) or by a prominent notice on the website at least 14 days before the change takes effect, where reasonably practicable. Your continued use of the service after a change takes effect constitutes acceptance of the updated policy.
15. Contact
For any privacy-related question, request, or complaint, please email [email protected]. We read every message and aim to respond within 5 business days.