Privacy Policy

The data controller for this site and the reader.me suite is:

• Color Vivo Internet S.L.
• Tax ID (CIF): ESB13340724
• Calle Mesones 9, 13640 Herencia (Ciudad Real), Spain
• Corporate website: colorvivo.com
• Contact for privacy queries: [email protected]

reader.me's core promise — your documents never leave your device — is not a marketing claim, it is the only way the architecture is built. Every PDF you select is opened in your browser's memory, processed with WebAssembly modules (PDF.js, pdf-lib, Tesseract.js), and discarded when you close the tab.

We do not run an upload endpoint, we do not have a database of user documents, we do not run server-side OCR. You can verify this in your browser's DevTools → Network tab: zero document requests leave your machine while a tool is running. See also /how-it-works for the 30-second verification recipe.

We do not collect any of the following:

• Document images, page contents, text or metadata of the PDFs you process.
• Biometric data, signatures captured by the Sign tool (they stay in-memory).
• Personal identifiers: name, ID number, address, date of birth.
• User accounts or payment data — there is no sign-up.
• Precise location or geolocation.
• Screen recordings, editing history, undo/redo trails.
• Contact data unless you voluntarily email us.

To keep the service available, secure, and to understand aggregate usage, the following technical data is processed:

• Server logs (Cloudflare): IP address, browser, request URL, timestamp — kept maximum 24h for security and DDoS mitigation.
• Aggregated analytics (Google Analytics 4): page views, language, country (country level only, IP anonymized), browser type. Opt-in via consent banner; if you reject, no analytics cookies are set.
• LocalStorage: your language and theme preference, list of last-visited tools for the /offline page. Stays on your device, never transmitted.
• Service Worker: caches static assets (HTML, CSS, JS) so the site works offline after first visit. No document data cached.

Each data category has a documented legal basis under Regulation (EU) 2016/679 (GDPR) and Spanish LOPDGDD (LO 3/2018):

• Art. 6.1.f (legitimate interest): Cloudflare security logs, anti-DDoS. Balanced against your fundamental rights — minimal scope, 24h retention.
• Art. 6.1.a (consent): Google Analytics cookies. Banner on first visit, withdraw anytime via cookie settings.
• Art. 6.1.b (contract): when you contact us by email to request support, your message is processed to reply to you.

The following data processors act on our behalf under signed agreements (Article 28 GDPR):

• Cloudflare, Inc. (USA) — CDN, DDoS protection, edge caching. Standard Contractual Clauses (SCCs) in place.
• Google LLC (USA) — Google Analytics 4 with IP anonymization. SCCs in place. Activated only with your consent.
• Stackscale / Grupo Aire (Spain, EEA) — hosting of static assets. Data remains in the EEA.

We never sell, rent or share your data with third parties for marketing or commercial purposes.

Transfers to the United States (Cloudflare, Google) rely on the EU-U.S. Data Privacy Framework and on Standard Contractual Clauses approved by the European Commission. Both vendors publish their privacy policies and DPAs publicly.

Retention periods are kept to the minimum strictly necessary:

• Documents: NOT retained — only present in RAM, deleted when the tab closes.
• Cloudflare access logs: 24 hours maximum.
• Cloudflare security cookies (__cf_bm, cf_clearance): 30 minutes.
• Consent cookie: 12 months.
• Google Analytics data: 14 months maximum at Google's side; cookies (_ga, _ga_*) up to 2 years on your device, deletable anytime.
• LocalStorage preferences: until you clear your browser data or delete them yourself.

Under GDPR you have the following rights, exercisable for free at any time by emailing [email protected]:

• Access — request a copy of the data we hold about you.
• Rectification — correct inaccurate data.
• Erasure — request deletion ("right to be forgotten").
• Restriction — limit processing of your data.
• Portability — receive your data in a structured, machine-readable format.
• Objection — object to processing based on legitimate interest.
• Withdraw consent at any time for cookie-based processing (analytics).
• Lodge a complaint with the Spanish Data Protection Agency (AEPD) or your national supervisory authority.

Because we do not collect personal identifiers tied to individual users, in most cases we have no data linked to a specific person to act upon — but we will respond to every request in good faith within 30 days.

reader.me is not directed at children under 16 years old. Under Article 8 GDPR and Article 7 LOPDGDD, consent for processing personal data of minors under 14 years requires parental authorisation in Spain. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, write to [email protected] and we will delete it.

We may update this policy to reflect legislative, technical or service changes. The "Last updated" date at the top of the page indicates the version. Material changes are communicated via the site banner.

For any privacy-related question, write to [email protected]. You can also reach the data controller by post at Color Vivo Internet S.L., Calle Mesones 9, 13640 Herencia (Ciudad Real), Spain, or via colorvivo.com.

See also our Cookies policy for cookie-specific details.