Data Processing Agreement
Effective Date: 17 March 2026
This Data Processing Agreement (“DPA”) is entered into between OVR Technologies LLC (“Processor,” “we,” “our”) and the controller identified as the user or organisation accessing the Service (“Controller,” “you”).
This DPA forms part of, and is subject to, the Terms of Service and supplements the Privacy Policy. It governs the processing of personal data that the Controller transmits to OVR in connection with the Convert Webpage to PDF browser extension and https://convert-webpage-to-pdf.com (the “Service”) to the extent such processing is subject to the General Data Protection Regulation (EU) 2016/679 (“GDPR”) or equivalent applicable data protection law.
1. Definitions
- “Controller” — the natural or legal person who determines the purposes and means of processing personal data and uses the Service.
- “Processor” — OVR Technologies LLC, which processes personal data on behalf of the Controller.
- “Data Subject” — any identified or identifiable natural person whose personal data is processed under this DPA.
- “Personal Data” — any information relating to a Data Subject as defined under GDPR Art. 4(1).
- “Processing” — any operation performed on Personal Data as defined under GDPR Art. 4(2).
- “Sub-processor” — any third party engaged by OVR to process Personal Data on the Controller’s behalf.
- “Security Incident” — any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- “SCCs” — the Standard Contractual Clauses adopted by the European Commission under GDPR Art. 46(2)(c) for transfers of personal data to third countries.
- “GDPR” — General Data Protection Regulation (EU) 2016/679, including any national implementing legislation.
2. Scope and purpose
2.1 This DPA applies to Personal Data processed by OVR when providing the Service, including the activities described in §3 below.
2.2 OVR acts as Processor with respect to Personal Data submitted to the Service by or on behalf of the Controller. Each party undertakes to comply with its respective obligations under applicable data protection law.
2.3 This DPA does not apply to data for which OVR acts as an independent Controller (for example, OVR’s own analytics described in §3.4 below, which OVR operates under its own legitimate interest).
3. Processing activities, data categories, and data subjects
The following table describes the specific processing activities covered by this DPA.
| Activity | Personal data categories | Data subject categories | Location | Retention |
|---|---|---|---|---|
| PDF optimisation | PDF file content (may contain personal data at Controller’s discretion) | End-users of the Controller’s Service | Hetzner dedicated server, Germany (EU) | Deleted immediately after the processed PDF is returned; not retained |
| Share-link feature | PDF file content (as above) | End-users of the Controller’s Service | Cloudflare R2, Eastern North America | 30 days, then auto-deleted |
| Authentication | Email address; session cookie (session_id) | Registered users / subscribers | Hetzner dedicated server, Germany (EU) | While subscription active + 24 months |
| Transactional email | Recipient email address and message metadata | Registered users / subscribers | Amazon SES, Germany (eu-central-1) | Per AWS retention; OVR does not retain copies beyond delivery |
| Analytics (Processor role) | Hostname of converted page; country (derived from IP, IP discarded); browser and OS information | End-users of the Controller’s Service | Hetzner dedicated server, Germany (EU) | 1 year, then deleted |
Where a PDF file or other data submitted through the Service contains special categories of Personal Data (GDPR Art. 9), the Controller is responsible for ensuring a valid legal basis exists for that processing before using the Service.
4. Controller obligations
4.1 The Controller shall ensure that Personal Data is processed in compliance with applicable data protection law before transmitting it to OVR.
4.2 The Controller shall ensure that Data Subjects have been provided with appropriate privacy information (including information about OVR’s role) and, where required, that valid consent or another lawful basis exists for the processing described in this DPA.
4.3 The Controller shall promptly notify OVR of any instructions that, in the Controller’s view, might conflict with applicable data protection law.
4.4 The Controller shall maintain an up-to-date record of processing activities to the extent required under GDPR Art. 30.
5. Processor obligations
5.1 Documented instructions. OVR shall process Personal Data only on documented instructions from the Controller, including those set out in this DPA and the Terms of Service, unless required to do so by applicable law (in which case OVR shall inform the Controller before processing, unless that law prohibits such notification).
5.2 Confidentiality. OVR shall ensure that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
5.3 Security. OVR shall implement and maintain the technical and organisational security measures described in §6 of this DPA and in §6 of the Privacy Policy.
5.4 Sub-processors. OVR shall engage Sub-processors only in accordance with §7 of this DPA.
5.5 Data subject rights. OVR shall assist the Controller, by appropriate technical and organisational measures and to the extent possible, to fulfil the Controller’s obligations to respond to Data Subject rights requests under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection). Requests received directly by OVR that appear to relate to the Controller’s processing will be forwarded to the Controller without undue delay.
5.6 Impact assessments and prior consultation. OVR shall provide reasonable assistance to the Controller in carrying out data protection impact assessments (GDPR Art. 35) and, where applicable, prior consultation with supervisory authorities (GDPR Art. 36), where such assessments relate to processing carried out by OVR under this DPA.
5.7 Records. OVR shall maintain records of processing activities carried out under this DPA to the extent required by GDPR Art. 30(2).
5.8 No independent use. OVR shall not process Personal Data covered by this DPA for its own commercial purposes or disclose it to any third party other than as set out in this DPA or as required by applicable law.
6. Security measures
OVR implements the following technical and organisational measures to protect Personal Data against unauthorised access, loss, or destruction. Full details are set out in §6 of the Privacy Policy.
- TLS 1.2+ encryption in transit for all data flows.
- Disk encryption at rest on all servers handling Personal Data.
- Least-privilege access controls; only authorised personnel may access production systems.
- Daily encrypted backups stored within the EU.
- Regular patching and vulnerability scanning.
- Immediate deletion of PDF optimisation files after delivery (no persistent storage of processed content).
- Unguessable nanoid URLs for share-links; no directory listing.
OVR reviews and updates these measures periodically. In the event of a material reduction in the level of protection, OVR will notify the Controller in advance.
7. Sub-processors
7.1 The Controller provides general written authorisation for OVR to engage the Sub-processors listed in §5 of the Privacy Policy and repeated for convenience below.
| Sub-processor | Role | Location | Safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Dedicated server (API, analytics, optimisation) | Germany (EU) | Data stays in EU |
| Amazon Web Services – SES | Transactional email | Germany (eu-central-1) | Data stays in EU |
| Lemonsqueezy, Inc. | Merchant of Record & billing | EU & US | Standard Contractual Clauses |
| Cloudflare, Inc. | Object storage (share-links) | Eastern North America | Standard Contractual Clauses |
7.2 Changes to Sub-processors. OVR shall provide the Controller with at least 14 days’ prior written notice (by updating the Privacy Policy and/or notifying registered users) before adding or replacing a Sub-processor. If the Controller objects on legitimate data protection grounds, the Controller may terminate the affected Service by written notice to OVR before the change takes effect, and OVR shall work in good faith to provide an alternative.
7.3 OVR shall impose data protection obligations on each Sub-processor substantially equivalent to those in this DPA and shall remain liable to the Controller for the Sub-processor’s performance of its obligations.
8. International transfers
8.1 Personal Data is primarily stored and processed within the EU/EEA (Hetzner, Germany; Amazon SES, eu-central-1).
8.2 Where processing by Sub-processors requires transfer of Personal Data outside the EU/EEA (currently Lemonsqueezy, Inc. and Cloudflare, Inc.), OVR relies on the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as the transfer mechanism under GDPR Art. 46(2)(c). Copies of the relevant SCCs are available from OVR upon request at [email protected].
8.3 If OVR’s reliance on a particular transfer mechanism becomes invalid or inapplicable, OVR will implement an alternative lawful mechanism as soon as reasonably practicable and will notify the Controller.
9. Data breach notification
9.1 OVR shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Security Incident affecting Personal Data processed under this DPA.
9.2 The notification will include, to the extent then known:
- a description of the nature of the Security Incident, including, where possible, the categories and approximate number of Data Subjects and Personal Data records affected;
- the name and contact details of OVR’s Data Protection Officer ([email protected]);
- a description of the likely consequences of the Security Incident;
- a description of the measures taken or proposed to address the Security Incident and, where appropriate, to mitigate its effects.
9.3 OVR shall co-operate fully with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any Security Incident.
9.4 Notification under this §9 is to inform the Controller and does not constitute an acknowledgement by OVR of fault or liability.
10. Audit rights
10.1 OVR shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:
- The Controller shall give OVR at least 30 days’ prior written notice of an audit, except where required earlier by a supervisory authority.
- Audits shall be conducted during normal business hours, no more than once per 12-month period unless a Security Incident has occurred or a supervisory authority requires otherwise.
- The Controller and any mandated auditor shall execute a confidentiality undertaking acceptable to OVR before the audit commences.
- The Controller shall bear all costs of any audit unless findings reveal a material breach of this DPA by OVR.
10.2 OVR may satisfy audit obligations by providing a current third-party certification, security audit report, or written responses to a standard security questionnaire in lieu of an on-site inspection, at OVR’s reasonable discretion.
11. Data deletion and return
11.1 Upon termination or expiry of this DPA, or upon the Controller’s written request, OVR shall, at the Controller’s election, either:
- securely delete or destroy all Personal Data processed under this DPA; or
- return the Personal Data to the Controller in a common machine-readable format.
11.2 OVR shall complete deletion or return within 30 days of the request or termination date and shall provide written confirmation to the Controller.
11.3 OVR may retain Personal Data to the extent required by applicable law, in which case OVR shall inform the Controller of such requirement (to the extent permitted by law) and shall isolate and protect that data from any further processing.
11.4 For clarity: PDF optimisation files are deleted immediately after delivery and are not subject to a separate deletion request. Share-link files are auto-deleted after 30 days.
12. Liability
12.1 Each party’s liability to the other under this DPA is subject to the limitations and exclusions set out in the Terms of Service.
12.2 Where both OVR and the Controller are responsible for the same damage to a Data Subject (GDPR Art. 82), liability shall be apportioned between the parties in accordance with their respective degree of responsibility.
12.3 Nothing in this DPA limits either party’s liability to Data Subjects or supervisory authorities under applicable data protection law.
13. Term and termination
13.1 This DPA enters into force on the Effective Date and remains in force for as long as OVR processes Personal Data on behalf of the Controller under the Terms of Service.
13.2 Either party may terminate this DPA on written notice if the other party commits a material breach of this DPA and fails to remedy that breach within 30 days of written notice identifying the breach in reasonable detail.
13.3 Termination of this DPA does not affect obligations that by their nature survive termination, including §9 (Data breach notification), §11 (Data deletion), §10 (Audit rights exercised prior to termination), and §12 (Liability).
13.4 Termination or expiry of the Terms of Service automatically terminates this DPA.
14. Governing law and jurisdiction
14.1 This DPA is governed by Wyoming law, consistent with the Terms of Service, except to the extent that applicable EU data protection law mandates otherwise.
14.2 For disputes involving GDPR obligations, the parties agree to submit to the jurisdiction of the supervisory authority in the EU member state of the Controller’s establishment, or, if the Controller is not established in the EU, to the Irish Data Protection Commission as lead supervisory authority for OVR’s EU-facing operations.
15. General provisions
15.1 Order of precedence. In the event of any conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA shall prevail.
15.2 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
15.3 Amendments. OVR may update this DPA to reflect changes in applicable law or the Service. Material changes will be announced at least 14 days in advance. Continued use of the Service after the effective date of the updated DPA constitutes acceptance.
15.4 Entire agreement. Together with the Terms of Service and Privacy Policy, this DPA constitutes the entire agreement between the parties regarding the processing of Personal Data and supersedes all prior agreements or arrangements on that subject.
16. Signatures
By signing below, each party confirms that it has read, understood, and agrees to be bound by this Data Processing Agreement.
Processor — OVR Technologies LLC
| Name | |
| Title | |
| Signature | |
| Date |
Controller
| Company | |
| Name | |
| Title | |
| Signature | |
| Date |
17. Contact
OVR Technologies LLC
5830 E 2nd St, Ste 7000 #17374
Casper, WY 82609, USA
General • [email protected]
Privacy/DPO • [email protected]
Legal/DMCA • [email protected]
Thank you for using Convert Webpage to PDF!