Privacy Policy

1. Introduction

Silva Node Ab ("we", "us", "our") operates the BIMI SVG Converter service. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.

We are committed to protecting your privacy and being transparent about our data practices. This policy complies with the General Data Protection Regulation (GDPR) and applicable Finnish data protection laws.

2. Data Controller

3. Information We Collect

3.1 Information You Provide

• Uploaded Images: PNG and JPG files you upload for conversion. These are processed in memory and immediately discarded after conversion.
• Image Adjustments: Brightness, contrast, saturation, and blur settings you apply (used only for conversion processing).

3.2 Automatically Collected Information

• IP Address: Used for rate limiting (5 requests per minute) to prevent abuse. Not permanently stored.
• Browser Data (localStorage): Used to track your free conversion usage. Stored locally in your browser only.
• Analytics Data: Anonymous traffic statistics via Vercel Analytics (no personal identification).

3.3 Payment Information

Payment processing is handled entirely by Stripe, Inc. We do not collect, process, or store your payment card information. Stripe's privacy policy applies to payment data:

https://stripe.com/privacy

4. How We Use Your Information

We use collected information for the following purposes:

• Service Delivery: Converting your images to BIMI-compliant SVG format
• Rate Limiting: Preventing abuse and ensuring fair usage
• Payment Processing: Facilitating transactions via Stripe
• Service Improvement: Anonymous analytics to improve user experience
• Legal Compliance: Meeting legal obligations and enforcing our Terms

5. Data Storage and Retention

5.1 Uploaded Images

Storage: Not stored. Images are processed in server memory and immediately discarded after conversion completion.

Retention: Zero seconds (ephemeral processing only).

5.2 Free Conversion Tracking

Storage: Browser localStorage (client-side only, not transmitted to our servers).

Retention: Until you clear your browser data or we update the tracking mechanism.

5.3 IP Addresses

Storage: In-memory rate limiting cache (not persisted to disk).

Retention: Cleared automatically when rate limit window expires (1 minute).

5.4 Payment Data

Storage: Handled exclusively by Stripe (PCI DSS Level 1 compliant).

Retention: Subject to Stripe's retention policies.

6. Data Sharing and Disclosure

We do not sell, rent, or share your personal information with third parties, except in the following limited circumstances:

6.1 Service Providers

• Stripe: Payment processing (subject to their privacy policy)
• Vercel: Hosting infrastructure and anonymous analytics

6.2 Legal Requirements

We may disclose information if required by law, court order, or to:

• Comply with legal processes
• Protect our rights and property
• Prevent fraud or abuse
• Ensure user safety

7. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

• Right to Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure: Request deletion of your personal data
• Right to Restriction: Request limitation of data processing
• Right to Data Portability: Receive your data in a structured format
• Right to Object: Object to certain processing activities
• Right to Withdraw Consent: Withdraw consent at any time

Important Note: Since we do not permanently store uploaded images or personal information (beyond what Stripe collects), there is typically no personal data for us to provide, rectify, or erase. For payment-related data, contact Stripe directly.

8. Data Security

We implement industry-standard security measures to protect your data:

• HTTPS Encryption: All data transmission is encrypted via TLS/SSL
• Ephemeral Processing: Images processed in memory, not written to disk
• Rate Limiting: Prevents brute force and abuse attempts
• Security Headers: CSP, HSTS, and other protective headers enabled
• PCI Compliance: Payment data secured by Stripe's Level 1 PCI DSS certification

However, no method of transmission over the Internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

9. Cookies and Tracking

9.1 Cookies We Use

Our Service uses minimal cookies and tracking mechanisms:

• localStorage: Tracks free conversion usage (client-side only, not transmitted)
• Vercel Analytics: Anonymous traffic analytics (no personal identification)

9.2 Third-Party Cookies

Stripe may set cookies during payment processing. Refer to:

https://stripe.com/cookies-policy/legal

10. International Data Transfers

Our Service is hosted on Vercel's infrastructure, which may process data in various global regions. By using the Service, you consent to the transfer of your information to countries outside the EU/EEA that may have different data protection standards.

Vercel complies with GDPR and uses Standard Contractual Clauses (SCCs) for data transfers outside the EEA.

11. Children's Privacy

Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Updating the "Last Updated" date at the top of this page
• Posting a notice on our website (for significant changes)

Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your GDPR rights, please contact us:

14. Supervisory Authority

If you are located in the EU/EEA and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

For Finland: Office of the Data Protection Ombudsman