Your files. Your device. Your control.

This page explains exactly how Purgit processes your documents, what data we store, what we never store, and how you can delete everything.

How Purgit processes your documents

Free Tier — Local Processing

Your File → Browser (local JS) → Scan Engine (WASM) → Clean File (on disk)

When you use Purgit on the free tier, your document never leaves your device.

  1. Your file is read into browser memory — it is not uploaded anywhere.
  2. The scan engine (TypeScript compiled to WebAssembly) runs entirely in your browser tab.
  3. Findings are generated locally. The cleaned file is generated locally.
  4. You download the clean file from your browser — nothing is sent to our servers.
  5. When you close or refresh the tab, all file data is cleared from browser memory.

What the server receives during a free tier scan:

  • Your anonymous session identifier (to enforce the 3/day limit)
  • The number of scans you've completed today
  • The file type (e.g., "pdf") and approximate file size bracket
  • No file content. No file name. No findings. No report content.

Pro Tier — Opt-In Cloud Processing

Your File → HTTPS upload → Server (ephemeral) → HTTPS download → Clean File

Cloud processing is opt-in only. It is not enabled by default.

  1. Your file is encrypted in transit (HTTPS with TLS 1.3).
  2. The file is received into server memory — it is not written to disk.
  3. The scan engine processes the file in memory.
  4. The clean file and report are returned to you.
  5. The server memory is cleared — there is no retention of the file, findings, or report.
  6. The audit log records metadata only — never file content.

Technical guarantee: Temp file cleanup is implemented in a finally block — cleanup runs even if processing fails. Server-side processing code is reviewable on request (enterprise customers).

Exactly what we store about you

We believe you should know precisely what data we hold — not in a privacy policy written by lawyers for lawyers, but in plain English.

What we store | Why | How long
Your email address | Account login, subscription management | Until you delete your account
Your subscription status | Gate paid features | Active subscription lifetime
Scan quota usage (count only) | Enforce free tier limits | 24 hours rolling
Shared policies you've created (JSON) | Team members access your org's policies | Until you delete the policy
Audit log entries: user ID, file type, policy, result, file hash | Compliance evidence for Team/Enterprise | 90 days rolling (configurable)
Per-document unlock tokens | Verify $4.99 purchase, prevent replay | 30 days

Your name and password are managed by Clerk (our authentication provider), not stored in our database.

Your payment information is managed by Stripe, not stored by Purgit. We only receive: subscription status, Stripe customer ID, and payment confirmation signals.

What we never store — under any circumstances

  • Your files (originals or sanitized outputs) — ever
  • The contents of your scan report
  • The text content of your documents
  • The specific findings identified in your documents
  • Your file names
  • IP addresses (Cloudflare may log IPs per their policy, but Purgit does not store them)

Technical security practices

File type verification

Every file's binary signature (magic bytes) is verified against its declared MIME type. A file claiming to be a PDF but with a different binary signature is rejected.
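
The magic-byte check described above, sketched in TypeScript as an added example (not Purgit's code). The signature table, function names and sample bytes are assumptions chosen for illustration; it covers only a few types and rejects anything it does not know.

```typescript
type Verdict = { ok: boolean; reason: string };

// Leading bytes per declared MIME type. A Map (not a plain object) is used so
// that a declared type like "constructor" cannot resolve to a prototype member.
const SIGNATURES = new Map<string, number[][]>([
  ["application/pdf", [[0x25, 0x50, 0x44, 0x46, 0x2d]]], // "%PDF-"
  ["image/png", [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]]],
  ["image/jpeg", [[0xff, 0xd8, 0xff]]],
  // ZIP local file header "PK\x03\x04"
  ["application/zip", [[0x50, 0x4b, 0x03, 0x04]]],
]);

function startsWith(bytes: Uint8Array, sig: number[]): boolean {
  if (bytes.length < sig.length) return false; // truncated input never matches
  return sig.every((b, i) => bytes[i] === b);
}

// Returns the first MIME type whose signature matches the content, or null.
function sniff(bytes: Uint8Array): string | null {
  let found: string | null = null;
  SIGNATURES.forEach((sigs, mime) => {
    if (found === null && sigs.some((s) => startsWith(bytes, s))) found = mime;
  });
  return found;
}

// Accept only when the declared type is known AND the content carries its signature.
function verifyDeclaredType(bytes: Uint8Array, declaredMime: string): Verdict {
  // Drop parameters such as "; charset=binary" and normalise case.
  const declared = (declaredMime.split(";")[0] ?? "").trim().toLowerCase();
  const sigs = SIGNATURES.get(declared);
  if (!sigs) return { ok: false, reason: "unsupported type: " + declared };
  if (sigs.some((s) => startsWith(bytes, s))) return { ok: true, reason: "match" };
  const actual = sniff(bytes) ?? "unknown";
  return { ok: false, reason: "declared " + declared + ", content looks like " + actual };
}

// Constructed sample inputs (not real files).
const pdfBytes = new Uint8Array([0x25, 0x50, 0x44, 0x46, 0x2d, 0x31, 0x2e, 0x37]); // "%PDF-1.7"
const zipBytes = new Uint8Array([0x50, 0x4b, 0x03, 0x04, 0x14, 0x00]);
const truncated = new Uint8Array([0x25, 0x50]); // shorter than the PDF signature
```

A matching signature only shows that the file starts like the declared type; formats that share a container (for example ZIP-based office documents) need a further structural check.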

HTTPS everywhere

All connections use HTTPS with TLS 1.3. HTTP requests are automatically redirected. The HSTS header is enabled with a 1-year max-age.

Content Security Policy

Strict CSP headers on all pages: no inline scripts (except Next.js hydration), no untrusted external resources.

Rate limiting

API endpoints are rate-limited per API key and per IP. Scan endpoints have separate limits for free/paid tiers.

Input size validation

File size is validated before parsing begins. Malformed headers, incorrect byte counts, and ZIP bomb patterns are detected.

Dependency scanning

npm dependencies are scanned for known CVEs in the CI/CD pipeline, with automated alerts for new vulnerabilities.

Safe error messages

Error messages returned to users do not include stack traces, internal paths, or database error messages.

No Google Analytics

We do not use Google Analytics, Facebook Pixel, or any third-party tracking. Analytics is Plausible — privacy-first, no cookies.

Delete your account and all your data

Under GDPR Article 17 (Right to Erasure), you have the right to have your data deleted. We honor this right for all users, regardless of location.

  1. Go to Settings → Account → Delete Account.
  2. Confirm by entering your email address.
  3. All data associated with your account is permanently deleted within 24 hours: your email, subscription record, scan quota counters, shared policies, audit log entries, and all associated Clerk authentication data.
  4. You will receive a confirmation email when deletion is complete.
  5. This action is irreversible. Shared policies you've created will be removed from your team members' access.

Alternative: Send a deletion request to privacy@purgit.io. We will process all deletion requests within 72 hours.

If something goes wrong

In the event of a security incident affecting user data, Purgit commits to:

  • Notifying affected users within 72 hours of confirmed breach (GDPR Article 33 timeline)
  • Publishing a public incident report at purgit.io/security/incidents within 7 days
  • Coordinating with relevant supervisory authorities (EU GDPR DPA, as applicable)
  • Offering affected users immediate account suspension and data deletion on request

Responsible Disclosure

If you discover a security vulnerability in Purgit, please email security@purgit.io. We will acknowledge within 24 hours and aim to resolve critical issues within 72 hours. We do not pursue legal action against good-faith security researchers.