Privacy
Version 2026.06.2 · Last updated 2026-06-06. Plain English. The version string above is the one stamped on your consent log when you signed up; your account shows which version you accepted.
Your PDFs never leave your browser by default
When you use AttachKit to fill, sign, or redact a PDF, the document bytes are parsed and edited entirely in your browser — using JavaScript libraries (pdf-lib, pdf.js) for the PDF manipulation itself and WebAssembly only for OCR (Tesseract.js, when you scan a non-searchable PDF). We don't upload, store, or transmit the PDF itself. You can verify this by opening your browser's network tab while you work.
For the technical detail — exactly which paths touch our server, which cryptography we use, and how to verify each claim yourself — see our security page.
What we do see
- Your email if you sign in for a free or paid account (stored to authenticate you).
- Your saved profile data (name, address, etc.) — only the fields you explicitly enter at /account/profile. Stored in our database when you're signed in, in your browser's localStorage when you're not.
- Form-field names + types (not PDF bytes) and your profile data when you click Auto-fill from profile. These are sent to our AI sub-processor, Anthropic, PBC (the Claude API, US-based), to compute the mapping. We do not log the request or response.
- Extracted text spans (not PDF bytes) when you click Scan for PII on the redact tool. Sent to our AI sub-processor, Anthropic (the Claude API), for PII detection; coordinates stay client-side.
- Browser type, IP address, and timestamp for API calls — short-lived web-server request logs for abuse prevention, and (when you're signed in) your session records, so you can review and revoke active sessions. Retention periods are listed under How long we keep your data below.
- The name, email, and message you type into our contact form (general questions, bug reports, feature requests, or security disclosures), stored so we can respond and triage. No document content is involved.
- If someone sends you a document to sign through AttachKit: the email address they entered (so we can deliver the request), and — only if they turned on identity verification — a one-time code we email you to confirm it's you. We use a recipient's email solely to deliver and verify that one signing request.
Legal bases for processing (GDPR / UK GDPR)
If you're in the EU or UK, here's the lawful basis under Article 6 for each way we use personal data:
- Running the service — your account email, saved profile, the fill/sign/redact operations you perform, and send-for-signature ciphertext: performance of a contract (Art. 6(1)(b)).
- AI auto-fill & PII detection — sending field names/labels and your profile, or extracted text, to our AI sub-processor (Anthropic, the Claude API) when you click the feature: contract / your request. It only runs on demand.
- Security, abuse prevention & logging — IP, user-agent, timestamps, rate-limit and AI-spend counters: legitimate interests (Art. 6(1)(f)) in keeping the service available and affordable.
- Payments — via Stripe: contract, plus a legal obligation (Art. 6(1)(c)) to keep tax/accounting records.
- Analytics — cookieless Plausible, and any non-essential cookies: consent (Art. 6(1)(a)). Opt-in and withdrawable any time.
- Transactional email — sign-in codes, sign-request notifications, and billing/trial notices via Resend: contract. These are required to use the service and can't be turned off.
- Reminders & marketing email — contract-renewal reminders (legitimate interest, Art. 6(1)(f) — for contracts you chose to track) and any product news (consent, Art. 6(1)(a) — off unless you opt in). Manage both in your notification settings or with the one-click unsubscribe link in any such email.
Send-for-signature is end-to-end encrypted
When you use the Send-for-signature feature, the PDF is encrypted in your browser with AES-GCM-256 before any upload. The decryption key is embedded in the URL fragment (the part after #), which browsers do not include in HTTP requests. Our servers only ever hold ciphertext. We could not read your document even if compelled to.
Note: anyone who has the full link (including the fragment) can decrypt and sign in your place if the request is still pending. Treat the link like a password.
Third parties we share with
- Anthropic, PBC (the Claude API; US-based) — our AI sub-processor for auto-fill mapping + PII-detection text. We use Anthropic's commercial API, which does not train on the data sent through it, and don't pass anything unless you invoke an AI feature.
- Resend — email delivery (magic links, sign-request notifications).
- Stripe — payments.
- Google Cloud — hosting + logs.
- Neon — Postgres database.
- Plausible — privacy-respecting analytics (no cookies, no personal data).
Cookies + analytics
We set only strictly-functional cookies, and never for advertising:
- better-auth.session_token — your sign-in session. Strictly necessary (HTTP-only); cleared when you sign out.
- attachkit-cookie-consent — records which cookie-policy version you answered and whether you accepted analytics. 1-year expiry; a plain version string (the year-month it was published), not a tracking identifier.
- ak_counsel — set only if you turn on Counsel Mode (a Premium privileged-AI setting). Records that preference so AI processing stays on your own device; functional, not a tracking identifier. 1-year expiry; cleared when you turn Counsel Mode off.
Analytics are opt-in. We use Plausible — cookieless, no cross-site tracking, no third-party fingerprinting, aggregate page-view counts only — and its script loads only after you choose "Accept analytics" on the cookie banner. Choose "Essential only" and it never loads. You can withdraw consent any time from your account, and the banner re-appears whenever the policy version changes. We record your choice to a server-side ledger (see DPA).
How long we keep your data
- Account & profile, saved signatures/templates, API keys, tracked contracts — until you delete them or close your account (self-service, immediate — see below).
- Sessions (with IP + user-agent) — for the life of the session; cleared when you sign out or it expires.
- Web-server request logs (IP, user-agent, timestamp) — up to 30 days, for abuse prevention.
- One-time login / signing codes — deleted on use and swept shortly after they expire.
- Billing & webhook records (Stripe event payloads) — 90 days, then purged; your rows are erased immediately if you delete your account.
- AI-usage cost telemetry (route, model, token counts, a hashed caller key — never document content) — about 13 months, then purged.
- Contact-form messages (your name, email, and message text) — up to 24 months, then purged; erased immediately if you delete your account.
- Consent receipts — kept for the life of the account as the audit trail GDPR Art. 7 requires.
We never retain your PDF bytes — they're processed in your browser and never reach our servers. Send-for-signature stores only ciphertext we can't read, deleted when the request is completed or expires.
Your rights (GDPR / UK GDPR)
Wherever you live, you can ask us to honor the rights the law gives you over your personal data:
- Access a copy of what we hold (Art. 15).
- Rectify inaccurate data (Art. 16).
- Erase your data — be forgotten (Art. 17).
- Restrict or object to processing, including anything we base on legitimate interests (Art. 18 & 21).
- Portability — receive your data in a machine-readable format (Art. 20); our JSON export does exactly this.
- Withdraw consent at any time, as easily as you gave it (Art. 7(3)) — e.g. analytics, from the cookie banner or your account.
Access, erasure, and portability are self-service and immediate at /account; for anything else, use our contact form and we'll respond within 30 days. You also have the right to lodge a complaint with your local data-protection authority (in the EU, your national DPA; in the UK, the ICO) — though we'd appreciate the chance to put things right first.
California privacy rights (CCPA / CPRA)
We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising — we run no ad trackers and our analytics are cookieless. California residents have the right to know, access, correct, and delete the personal information we hold, and not to be discriminated against for exercising those rights. To make any of these requests — including telling us not to sell or share, though we already don't — use our contact form; we verify from your signed-in address and respond within 30 days.
Children
AttachKit is a tool for adults handling their own documents. It is not directed to children, and we don't knowingly collect personal data from anyone under 16 (or under 13 in the US, per COPPA). If you believe a child has provided us personal data, use our contact form and we'll delete it.
Your data, your control
Sign in and visit /account to export everything we hold about you as a JSON file, or permanently delete your account — both are self-service and take effect immediately. Deleting erases your profiles, saved signatures, templates, tracked contracts, signing and encryption keys, API keys, sessions, billing metadata, and any messages you've sent us. Documents you sent others for signature keep working from the recipient's link but are de-identified — your name and email are removed. Use our contact form for anything not covered.
Changes
We'll update this page if the privacy posture changes meaningfully. The last-updated date at the top reflects the most recent change.