Privacy Policy
Last updated: 2026-06-26
Blink PDF is operated by Diego Cesar Lerma Torres, an individual (“I”, “me”, or “my”). This Privacy Policy explains what personal data I collect when you use Blink PDF (“the Service”), why I collect it, how I use it, and what choices you have.
By using the Service, you agree to the collection and use of information described in this policy.
1. Who I am
- Service name: Blink PDF
- Website: https://blinkpdf.io
- Operated by: Diego Cesar Lerma Torres, an individual
- Country of operation: Mexico
- Hosting / server location: United States (Virginia — Render.com US East)
- Privacy contact: [email protected]
- Support contact: [email protected]
2. What data I collect and why
2.1 Account data
When you create an account, I collect and store:
- Name — your first name, last name, and a display name associated with your account.
- Email address — to identify your account, send transactional emails (email verification, password reset), and contact you about the Service.
- Password — stored only as a one-way hash produced by my authentication library (Better Auth). I never store or have access to your plain-text password.
- Account timestamps — when the account was created and last updated, and whether your email is verified.
If you sign in through a third-party identity provider, I also store the provider’s account identifier and the OAuth tokens that provider issues for your account.
2.2 Session data
When you are signed in to the web dashboard, I store a session record containing a session token, its expiry, your user ID, and the IP address and browser user-agent string associated with the session. This data is used to keep you signed in and to help secure your account.
2.3 Billing data
Payments are processed by Stripe, Inc. When you subscribe to a paid plan, Stripe collects your payment details (such as card number and billing address) directly. I do not store, see, or have access to your full card number or CVV at any point.
From Stripe, I store:
- A Stripe Customer ID (a reference token).
- Subscription metadata — subscription ID, status, the price/plan you are on, the current period end date, whether the subscription is set to cancel at period end, and the included and hard-cap volumes for your plan.
2.4 API keys
When you create an API key, I store:
- A SHA-256 hash (base64url) of the key — used to validate requests. The key has the prefix bp_.
- An AES-256-GCM encrypted copy of the key, so the dashboard can reveal the key to you on demand.
- The key’s name, whether it is enabled, its expiry, permissions, and metadata.
2.5 Usage and audit data
When you successfully render a PDF (via API key, the dashboard playground, or the MCP server), I record metadata so I can meter usage and bill you accurately:
- Usage events (an append-only ledger): your user ID, the API key ID, the metric (pdf_render), the quantity of render units (1–16), when it occurred and was recorded, the billing period it belongs to, an idempotency key, a content digest, the source (api, playground, or mcp), and a request ID.
- Usage aggregates: running counters per billing period.
- Render audit events: the status of a render, an error indicator, output byte size, render duration in milliseconds, a diagnostics count, and metadata.
None of these records contain the Markdown you submit or the PDF you receive. The content digest is a non-reversible fingerprint used for deduplication, not the content itself.
2.6 Hosted PDFs and uploaded assets
If you use the MCP server to generate a PDF via a hosted download link, the rendered PDF is temporarily stored in Cloudflare R2 object storage so your automation workflow can retrieve it. I also store an inventory record for each link (user ID, key ID, key name, title, byte size, tier, storage key, link expiry, and a deletion timestamp). These files are stored for 24 hours, after which they are automatically removed. You can revoke (soft-delete) a hosted link from the dashboard before it expires.
If you upload image assets (for example, via the MCP upload-batch tool), those files are stored in Cloudflare R2 for 24 hours; the presigned upload URLs are valid for 15 minutes.
Direct API renders (non-MCP) are zero-retention — see Section 3.
2.7 Technical logs
My hosting provider (Render.com) automatically collects standard server logs, which may include IP addresses, user-agent strings, and request timestamps. These are used for security monitoring and debugging and are retained according to the hosting provider’s policy.
3. Zero-retention architecture for document content
Blink PDF is built so that document content is not retained.
What this means in practice:
- Markdown you submit to the rendering API is loaded into memory, processed, and the resulting PDF is returned in the HTTP response.
- The Markdown input and the PDF output are never written to disk, never stored in a database, never logged, and never transmitted to any third party (except as described below for MCP-hosted PDFs and uploaded image assets).
- To avoid charging you twice for identical requests, content may be held in volatile memory for up to approximately 60 seconds in a per-account in-process deduplication cache. It is never written to disk and is evicted automatically.
There is no mechanism in the Service to retrieve a document you previously rendered via the direct API, because it was never stored.
Images you reference by URL are fetched into memory and embedded in the PDF at render time; they are not stored. Images you explicitly upload as assets, and PDFs generated through MCP hosted links, are stored as described in Section 2.6.
4. How I use your data
I use the data described above to:
- Create and manage your account.
- Process payments and meter usage for billing.
- Send transactional emails (email verification, password reset).
- Operate, secure, and debug the Service, including abuse prevention and rate limiting.
- Comply with legal obligations.
I do not use your data for advertising or retargeting, I do not sell or share it with data brokers, and I do not use your document content to train machine learning models. The Service uses no analytics, advertising, or tracking technologies of any kind.
5. Third parties and sub-processors
I do not sell your personal data. I share data with the following providers only as necessary to operate the Service:
| Provider | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Payment details (collected directly by Stripe), email | stripe.com/privacy |
| Render.com | Application hosting and the PostgreSQL database | Account, session, billing metadata, usage/audit data, logs | render.com/privacy |
| Cloudflare, Inc. | Object storage (R2) for hosted PDFs, uploaded assets, fonts | Hosted PDFs (24h), uploaded image assets (24h), cached fonts | cloudflare.com/privacypolicy |
| Resend | Transactional email (verification, password reset) | Your email address and the message contents | resend.com/legal/privacy-policy |
| Google Fonts | Serving font files when you request a Google font | Only the font-family name and a BlinkPDF user-agent (no PII) | policies.google.com/privacy |
Transactional email is sent from [email protected]. Google fonts are fetched from fonts.googleapis.com and fonts.gstatic.com only when a render requests a Google font; no personal data is sent. Because fonts are fetched by my server at render time rather than by your browser, your IP address is not exposed to Google. Cached font files are stored in Cloudflare R2 for up to 365 days and are not user content.
6. Data retention
| Data type | Retention |
|---|---|
| Account data (name, email, hashed password) | Until your account is deleted (see Section 8) |
| Sessions | Until the session expires or is revoked |
| API keys | Until you delete the key or it expires |
| Billing metadata | Retained for billing and audit purposes |
| Usage events, aggregates, and audit records | Retained for billing and audit purposes |
| MCP-hosted PDFs | 24 hours, then automatically removed |
| Uploaded image assets | 24 hours, then automatically removed |
| Email-verification tokens | 24 hours |
| Cached Google-font files (not user content) | Up to 365 days |
| Direct API render content | Not stored (held only briefly in memory; see Section 3) |
| Server logs | Per the hosting provider’s policy |
The Service does not currently apply an automatic purge to usage, aggregate, or audit records; they are retained for as long as needed for billing and audit.
7. International data transfers
The Service is hosted in the United States (Virginia). If you are located outside the United States, your data is transferred to and processed there, as well as by the sub-processors listed in Section 5.
8. Your choices and rights
Depending on your location, you may have rights to access, correct, or delete your personal data, and to object to or restrict certain processing.
There is no self-service data-export or account-deletion feature in the Service. To request access to or deletion of your data, contact me at [email protected]. Deletion is performed manually; when your account record is removed, the database cascades that deletion to your sessions, API keys, subscriptions, usage events, aggregates, audit records, and MCP hosted-link inventory. I may need to verify your identity before acting on a request.
EEA/UK residents may have rights under the GDPR and UK GDPR. California residents may have rights under the CCPA. I do not sell or share personal data.
9. Cookies
When you sign in to the web dashboard, my authentication library sets a session cookie to keep you signed in. In production this cookie is marked Secure and HttpOnly. It is strictly necessary for the dashboard to function and is not used for tracking, advertising, or analytics.
The API and MCP server do not use cookies — they authenticate via API keys and OAuth tokens transmitted in request headers. If you use the API directly, no cookies are set or read.
10. Children’s privacy
The Service is not directed to children. I do not knowingly collect personal data from children. If you believe a child has provided personal data to the Service, please contact me and I will delete it.
11. Security
I implement the following technical measures:
- Passwords are stored only as a one-way hash via my authentication library (Better Auth), never in plain text.
- API keys are stored as a SHA-256 hash and compared using timing-safe functions; a separately encrypted copy (AES-256-GCM) is held only to support on-demand reveal.
- Session cookies are Secure and HttpOnly in production.
- All data in transit is encrypted via TLS.
- Document content is never written to disk (see Section 3).
- Rate limiting is applied to authentication endpoints and to the API, and pre-authentication per-IP limits apply.
- API responses are returned with hardening headers, including Cache-Control: no-store, X-Content-Type-Options: nosniff, Referrer-Policy: no-referrer, and a strict Content-Security-Policy (default-src 'none').
- When the Service fetches an image you reference by URL, requests to private IP addresses and insecure (mixed-content) redirects are blocked.
No method of transmission or storage is completely secure.
12. Changes to this policy
I may update this Privacy Policy from time to time. When I do, I will update the date shown on this page. Your continued use of the Service after a revised policy takes effect constitutes your acceptance of the changes.
13. Contact
For any privacy-related questions or requests:
Diego Cesar Lerma Torres
- Email: [email protected]
- Website: https://blinkpdf.io