Privacy policy
Last updated: 2026-05-24
fits. (“we”, “us”, “the app”) is a free browser-based PDF compressor operated from Bucharest, Romania. We respect your privacy and built the product so the headline claim — your PDF never leaves your device — is true by design.
This page explains, in plain English, what data the app touches and what we do with it, and sets out your rights under the EU General Data Protection Regulation (GDPR).
The short version
Your PDF is processed entirely in your browser. No file data is sent to us or to any third party.
We use Google Analytics to understand how the site is used in aggregate, Google Ads to measure ad campaigns, and Google Search Console to monitor how the site appears in search results. We do not build profiles of individual users, run remarketing campaigns, or sell data. You can decline analytics and advertising cookies via the cookie banner on your first visit, or change your choice later via the “Cookie settings” link in the footer.
What data we touch
Your files
Your PDFs are read, compressed, and saved entirely within your browser tab. None of the file content is sent to our servers or shared with any third party. Saving writes the result to your Downloads folder; closing the tab discards everything.
Server access logs
When you visit a page, our web server records a standard access log line: your IP address, browser user-agent, the URL you requested, the HTTP status code, and a timestamp. This is the same routine logging any web server keeps to stay operational. Entries are automatically rotated and deleted after approximately 14 days.
Analytics, advertising & cookies
With your consent, we use two Google products that set cookies in your browser:
Google Analytics 4 collects anonymised, aggregate usage data — which pages are visited, how visitors flow through the app, broad device and country information, and similar. We use this to understand whether the project is useful and where the rough edges are. We do not connect it to any account, and we have configured it to anonymise IP addresses.
Google Ads conversion trackingmeasures whether visitors who arrived from a Google Ads campaign successfully use the app (the conversion event fires when a PDF finishes compressing). This lets us see which ads work and which don’t. It is not used for advertising targeting or remarketing — fits does not run remarketing campaigns.
Together, these tools may set the following cookies in your browser when you accept the cookie banner:
_ga— distinguishes one visitor from another. Expires after 2 years. (Google Analytics)_ga_*— persists session state for the analytics property. Expires after 2 years. (Google Analytics)_gcl_au— used by Google Ads to measure ad conversions. Expires after 90 days. (Google Ads)
You can change your cookie preferences at any time using the “Cookie settings” link in the footer. Declining a category prevents the corresponding script from loading at all — no replacement tracker is used.
We also use Google Search Console to monitor how fits.tools appears in Google search results. Search Console does not place any code or cookies on the site; it operates on data Google already collects from its own search engine. There is nothing to opt in or out of for this.
Strictly necessary storage
To remember your choice about analytics and advertising cookies, we store the answer itself in your browser’s local storage under the key fits_consent_v1. This is considered strictly necessary under GDPR — without it we would be obliged to ask the same question on every page load. No additional consent is required for this storage entry, and it contains no personal data beyond your own yes/no choices.
Cross-device transfer
The optional “send to device” (QR-beam) feature lets you transfer a compressed file directly between two of your own devices. The two devices briefly exchange the minimum metadata needed to find each other (a temporary session ID and network address information). The file itself flows directly between the devices and is not stored on any server. Session metadata is not retained beyond the transfer.
How we use the data we touch
Server logs are used to keep the site running — monitoring traffic levels, debugging errors, and protecting against abuse. Analytics data (when you opt in) is used to understand aggregate usage and guide improvements. That is the full scope of use.
We do not sell, rent, or otherwise share personal data with third parties for marketing purposes. We do not build profiles of individual users, target advertising, or participate in advertising networks of any kind.
Legal basis for processing
Under Article 6(1) of the GDPR, the processing we perform relies on the following legal bases:
- Consent (Art. 6(1)(a) GDPR) — for analytics cookies. These are only set after you accept the cookie banner.
- Legitimate interest (Art. 6(1)(f) GDPR) — to keep the service running, secure, and reasonably performant. This covers basic server access logs.
- Performance of a service (Art. 6(1)(b) GDPR) — for setting up a cross-device transfer when you initiate one.
Data retention
- Your PDF files: never leave your device — nothing to retain.
- Server access logs: automatically rotated and deleted after approximately 14 days.
- Google Analytics data:retained in Google’s infrastructure for up to 14 months, then deleted.
- Google Ads conversion data:retained per Google Ads defaults, typically a rolling conversion window of 30–90 days for measurement purposes.
- Cross-device transfer metadata: exists only for the duration of the transfer.
Your rights under GDPR
If you are in the European Union, the European Economic Area, or the UK, you have the following rights with respect to your personal data:
- Right of access — to request a copy of any personal data we hold about you.
- Right to rectification — to correct inaccurate data.
- Right to erasure(“right to be forgotten”).
- Right to restrict processing.
- Right to object to processing based on legitimate interest.
- Right to data portability — to receive your data in a structured, machine-readable format.
- Right to withdraw consent at any time, for anything we process under consent — done by changing your cookie preferences in the footer.
- Right to lodge a complaint with a supervisory authority — for example, the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP), or the data protection authority in your own EU country.
To exercise any of these rights, contact us at the address below and we will respond within 30 days.
International data transfers
Our servers are located in the European Union (Germany). Server access logs and any operational data stay within the EU/EEA.
Google Analytics and Google Ads are operated by Google LLC. When you accept the cookie banner, anonymised analytics and conversion-measurement data may be processed by Google on servers outside the EU/EEA, including in the United States. These transfers are covered by the EU–US Data Privacy Framework and Standard Contractual Clauses approved by the European Commission. If you do not accept the corresponding cookie category, no data is collected or transferred for that category.
Children’s privacy
fits is not directed at children under 16 and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it without delay.
Security
The site is served over HTTPS only. Standard server hardening is in place on our infrastructure (firewall, automatic security updates, key-only administrative access).
Changes to this policy
We may update this policy from time to time, typically to reflect changes in the product. The “Last updated” date at the top of this page reflects the most recent revision. Material changes — anything that affects what data we collect, why, or with whom — will be flagged prominently on the homepage for a period of time after they take effect.
Contact
For privacy questions or to exercise any of the rights above, contact:
fits.
Bucharest, Romania
Email: privacy@fits.tools
Curious about the product? Read how fits works →