Falcon Pdf

Compliance · The position

Compliant by design.

The architecture decides this before any clause does. Every operation runs on your computer; file contents never reach our servers. That one fact satisfies California’s CCPA, the EU GDPR, India’s DPDP Act 2023, and Singapore’s PDPA 2012 at the same time.

Last reviewed: May 2026

What our servers receive when you process a PDF: nothing.

Pages you redact, signatures you sign, passwords you set, scans you produce — every byte stays in your browser. The PDF is built via pdf-lib and pdf.js on your device and downloaded directly. Per our invariants I2/I3/I4: zero network requests after the initial bundle, no remote keys, no telemetry on file contents.

CCPA compliant

California, USA · California Consumer Privacy Act

CCPA

The CCPA (Cal. Civ. Code §1798.100 et seq., as amended by the CPRA) grants California residents rights over their personal information. Falcon Pdf does not collect, sell, or share personal information from California residents (or anyone else) through its PDF tools — the browser-only architecture means no "personal information" as defined in §1798.140(v) is ever transmitted to or held on our servers.

CCPA posture:

  • §1798.100 — Right to know: we hold no personal information to disclose.
  • §1798.105 — Right to delete: nothing to delete — we never received it.
  • §1798.120 — Right to opt out of sale: we do not sell personal information. No data-broker relationships, ever.
  • §1798.125 — Non-discrimination: no price or service differential based on exercise of CCPA rights — none of our tools require identity, sign-in, or any persistent identifier.

For the statute text, see the California Attorney General's CCPA portal and the CPPA regulations.

EU GDPR compliant

European Union · General Data Protection Regulation

EU GDPR

Falcon Pdf serves users worldwide, including EU data subjects. The browser-only architecture satisfies GDPR's data-minimisation, purpose-limitation, and storage-limitation principles (Articles 5(1)(b), (c), (e)) at the strongest possible level: we cannot minimise what we never collect.

Article-by-article posture:

  • Art. 5(1)(c) — Data minimisation: we process no personal data server-side from any tool.
  • Art. 6 — Lawful basis: not applicable to file contents (none received). Aggregate counters operate under legitimate interest (Art. 6(1)(f)) for service reliability.
  • Art. 13 — Information to data subjects: see our Privacy policy.
  • Art. 15–22 — Data-subject rights: we hold no document data — access, rectification, erasure, and portability requests have nothing to act on. For aggregate counter data, request via hello@falcon.enterprises.
  • Art. 28 — Processors: Vercel (hosting), Cloudflare (CDN). No other sub-processors. Razorpay is invoked only on the sibling site hrareceipt.in for payment, not on pdf.falcon.enterprises.
  • Art. 32 — Security: TLS in transit, HSTS, no plain-text secrets at rest.
  • Art. 33 — Breach notification: no document-data breach surface exists; any infrastructure breach would be reported within 72 hours per the Article.

DPDP Act 2023 compliant

India · Digital Personal Data Protection Act 2023

DPDP Act 2023

India's DPDP Act 2023 regulates how Data Fiduciaries process personal data of Data Principals in India. The DPDP Rules 2025 are being rolled out in phases; full compliance is required by 13 May 2027.

Falcon Pdf is architected so that the categories of personal data the DPDP Act regulates (name, address, PAN, financial details, employment data — to the extent any of those appear in a PDF you process) never leave your browser. We are not a Data Fiduciary with respect to your document contents because we never receive them.

What our servers do hold:

  • Anonymous, aggregate operation counters (e.g., "merge succeeded" with no file metadata) per invariant I4.
  • Static bundle artefacts served via Vercel CDN. No per-user identifiers, no session state, no document logs.

For the legal text, see the MeitY DPDP framework and the Act text via PRS Legislative Research.

Singapore PDPA — PDPC regulator logo

Singapore · Personal Data Protection Act 2012

PDPA 2012

Singapore's PDPA 2012 (administered by the Personal Data Protection Commission, PDPC) governs the collection, use, and disclosure of personal data by organisations in Singapore. The Act applies to any organisation collecting, using, or disclosing personal data of individuals in Singapore, regardless of the organisation's own location.

Falcon Pdf does not collect, use, or disclose any personal data from Singapore residents through its PDF tools — the browser-only architecture means the categories of personal data the PDPA regulates (name, NRIC, financial particulars, employment data) are never transmitted to our servers.

PDPA posture:

  • Consent Obligation (§13–17): we do not collect personal data, so the consent regime does not attach to document fields. Razorpay (on the sibling site hrareceipt.in) handles its own consent flow as a separate organisation.
  • Purpose Limitation (§18): none of the categories of data we do hold (aggregate counters, payment refs on the sibling site) are personal data as defined in §2.
  • Notification Obligation (§20): see our Privacy policy.
  • Access and Correction (§21, §22): no personal data held — nothing to access or correct. Requests via hello@falcon.enterprises.
  • Protection Obligation (§24): TLS in transit, HSTS, no plain-text secrets at rest.
  • Data Breach Notification (§26A–E, in force 2021): no document-data breach surface exists; any qualifying breach would be reported to PDPC within 3 calendar days as required.

The PDPC logo shown above is the regulator's logo and is used here to identify the applicable regime; it is not a certification or endorsement by the PDPC.

For the statute text, see the PDPA 2012 on Singapore Statutes Online and the PDPC homepage.

Disclosure and contact

Falcon Pdf is operated by Enso Art Studio, Pune, India. The claims above describe architectural invariants of the live site as of the last-reviewed date — see invariants I2/I3/I4 in /security. For compliance inquiries: hello@falcon.enterprises.