Most online PDF tools have a privacy policy somewhere that says, in lawyer-speak, "we delete your files eventually." That's a promise. What we actually do is enforce deletion in code — every minute, on every file, with no human in the loop.
Here's why, and how.
The promise vs. the system
A privacy policy says: "we will delete your file." A privacy system says: "this file cannot continue existing past T+24h."
Those are very different things. A policy can be quietly updated. A system either works or it doesn't, and you can verify it.
Our retention is implemented as a background worker — cleanup_worker.py —
that runs every 60 seconds. It walks the upload and output directories,
checks each file's age against the retention policy for its type, and
unlinks anything past the cutoff. Logs record only the deletion event, never
the file contents.
If the worker stops, the next deploy restarts it. If the disk fills up because retention failed, alerts fire. The whole point is that "we forgot to delete it" is not a thing that can happen quietly.
The actual retention windows
| File type | Window |
|---|---|
| Trial uploads | 1 hour |
| Trial output PDFs | 1 hour |
| Paid uploads | Deleted right after processing |
| Paid output PDFs | 24 hours |
If you want a copy of the output PDF longer than 24 hours, download it and store it yourself. We don't keep it as a convenience. That's deliberate.
Why so short?
Three reasons:
1. We don't have any reason to keep it
Once you've downloaded the searchable PDF, our job is done. Holding on to the file longer adds zero value to you and infinite risk to both of us.
2. Document leaks happen to companies that retain documents
If a database is breached, the attackers get whatever was in it. The only documents that can't leak from XRPpdf are the ones that aren't there. By the time anything bad happens, your file is already gone.
3. It forces good engineering hygiene
When deletion is enforced by code, every file we touch has a clear lifecycle. There are no orphaned uploads sitting around from 2023. There's no quiet data buildup. The system stays small, observable, and honest.
What we do keep
We're not pretending we keep nothing. For your account, we retain:
- Your wallet address (so credits go to the right place)
- Your destination tag (so we route incoming XRP correctly)
- Job metadata: page count, processing time, completion status
- Payment records: XRP transaction hashes, amounts, timestamps
That's it. No file contents. No extracted text. No images. IP addresses are hashed before storage so they can't be traced back to a specific network in plain text.
Verifying the claim
You don't have to take our word for it. A few things you can check:
- Try the trial, wait an hour, then look for the file. The download URL will return a 404. That's the cleanup worker doing its job.
- Check
/healthfor system status. If anything's wrong with retention, it'll show up there. - Inspect the source. XRPpdf's retention enforcement isn't proprietary magic — it's a small Python file you can audit.
The takeaway
A privacy policy is what a company says it does. A retention system is what a company cannot avoid doing. We chose the second one.
If you're processing sensitive documents — medical, legal, financial — the fact that the file is gone in 24 hours is the entire reason XRPpdf exists. Use it accordingly.
Try it free → — no signup, files gone in an hour.