Privacy Policy

1. Information We Collect

Files you upload for conversion. These are deleted within 24 hours.

Technical request metadata: IP address, user agent, timestamp, requested URL, response status, and similar log data necessary to operate the Service securely and apply rate limits.

Usage analytics via Google Analytics 4 (collected through Google Tag Manager) and Vercel Analytics. Vercel Analytics is cookieless; GA4 may set cookies subject to your browser settings and consent.

A functional cookie named "lang" that stores your language preference when you change languages. The cookie is set as Secure in production.

2. File Handling

Uploaded PowerPoint files are processed by our converter and stored temporarily on Cloudflare R2 only as long as needed to deliver the converted HTML to you.

Both uploaded files and converted HTML output are automatically deleted within 24 hours.

We do not use your files for any purpose other than fulfilling your conversion request. No machine-learning training. No human review. No third-party sharing.

3. Third-Party Service Providers

We rely on the following service providers, each of whom processes data on our behalf in accordance with their own privacy policies:

Google Tag Manager and Google Analytics 4 — anonymized usage analytics.

Vercel — hosting, Vercel Analytics, and Speed Insights.

Cloudflare — content delivery network and Cloudflare R2 object storage for converted HTML.

Resend — transactional email delivery (only when you submit our contact form).

Cloudflare Turnstile — bot-protection challenge on the contact form.

Some of these providers operate infrastructure outside Japan, including in the United States and the European Union.

4. Cookies and Consent

lang — functional cookie storing your language preference. Strictly necessary for the language picker; not used for tracking.

GA4 cookies — set by Google Analytics 4 when the analytics script is active.

For visitors located in the European Economic Area, the United Kingdom, and other jurisdictions with prior-consent requirements, analytics cookies are loaded only after explicit consent. Until consent is given, GA4 operates in Google Consent Mode v2 with anonymized signals only. You may withdraw consent at any time via your browser settings or our cookie controls (when available).

5. Security and Breach Notification

All connections use HTTPS with HTTP Strict Transport Security (HSTS) preload.

A strict Content Security Policy (CSP) restricts script sources to our own origin and approved analytics endpoints.

Converted HTML is rendered inside an iframe with a sandbox that prevents scripts from accessing the parent origin.

Forwarded client-IP headers are only trusted from the configured upstream proxy CIDR ranges, preventing rate-limit bypass via spoofed headers.

In the event of a personal-data breach affecting your data, we will notify the relevant supervisory authority and (where required by applicable law) affected users without undue delay, in accordance with Article 33-34 of the GDPR, Article 26 of Japan's Act on the Protection of Personal Information (APPI), and other applicable breach-notification laws.

6. Your Rights

Under the EU General Data Protection Regulation (GDPR), the UK GDPR, and Japan's Act on the Protection of Personal Information (APPI), you may have the following rights:

Right of access — to request a copy of the personal data we hold about you.

Right to rectification — to ask us to correct inaccurate data.

Right to erasure — to ask us to delete your personal data.

Right to restriction — to ask us to restrict processing.

Right to data portability — to receive your data in a structured, machine-readable format.

Right to object — to object to processing on legitimate-interest or direct-marketing grounds.

Right to withdraw consent — where processing is based on consent.

Right to lodge a complaint — with a supervisory authority in your country.

Because uploaded files are automatically deleted within 24 hours, we typically have no personal data to retrieve or delete after that period. To exercise these rights, please contact us via /contact.

7. International Data Transfers

Some of our third-party providers (Vercel, Cloudflare, Google, Resend) operate infrastructure outside your country of residence, including in the United States and the European Union.

Where such transfers involve personal data, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), or equivalent mechanisms recognised under the relevant laws.

8. Children

The Service is not intended for users under 13 years of age, or the higher "age of digital consent" applicable in your jurisdiction (for example, 16 in some EU member states such as Germany, the Netherlands, and Luxembourg).

We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

9. Lawful Basis for Processing (GDPR / UK GDPR)

For visitors subject to GDPR or UK GDPR, we process personal data on the following legal bases:

Performance of a contract (Article 6(1)(b)) — processing your file to deliver the converted HTML you requested.

Legitimate interests (Article 6(1)(f)) — operating the Service securely (server logs, abuse prevention, rate limiting). Our legitimate interests are balanced against your rights and freedoms.

Consent (Article 6(1)(a)) — analytics cookies and similar non-essential technologies, where consent is required.

Legal obligation (Article 6(1)(c)) — compliance with applicable laws (for example, responding to lawful requests from public authorities).

You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

10. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law:

Uploaded PowerPoint files and converted HTML — automatically deleted within 24 hours of conversion.

Server access logs (IP address, user agent, request metadata) — retained for up to 30 days for security and abuse prevention, then anonymized or deleted.

Google Analytics 4 data — retained according to GA4's default retention setting (currently 14 months for user-level identifiers).

Vercel Analytics — aggregated, cookieless metrics retained according to Vercel's policy.

"lang" cookie — stored on your device until cleared by you or until expiry (currently up to 1 year).

Contact form submissions and related correspondence — retained for up to 12 months to handle follow-up inquiries, then deleted.

11. Automated Decision-Making

Pivota does not engage in automated individual decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you, within the meaning of Article 22 of the GDPR / UK GDPR.

Rate limiting and abuse-protection systems use technical signals (IP, request rate, behaviour) to throttle or block requests, but do not produce decisions with legal or similarly significant effects on individuals.

12. Disclosures Required under Japan's Act on the Protection of Personal Information (APPI)

Personal Information Handling Business Operator (個人情報取扱事業者): Pivota.

Purposes of use (利用目的): (i) providing the file-conversion service requested by the user; (ii) operating the Service securely (rate limiting, abuse prevention, server logs); (iii) anonymized usage analytics; (iv) responding to inquiries submitted via the contact form.

Provision of personal data to third parties (第三者提供): we provide personal data to the service providers listed in Section 3 strictly as our processors, in accordance with their own privacy policies. We do not sell personal data.

Cross-border transfers (越境移転): personal data is transferred to and processed by infrastructure located in the United States and the European Union, as described in Section 7.

Procedures for disclosure / correction / deletion / suspension of use (開示等の請求方法): you may submit such requests via /contact. We will verify your identity by reasonable means before responding.

Contact for personal-information inquiries (個人情報相談窓口): /contact.

13. Changes to this Policy

We may update this Policy from time to time. Significant changes will be highlighted with a revised "Last updated" date at the top of this page.

14. Contact

For privacy-related inquiries, please contact us via the contact form at /contact.