Privacy Policy

Last updated: 8 May 2026

This Privacy Policy describes how AESHA Technology Services Limited ("we", "us", "our") handles personal information in connection with the FlippablePDF website, the FlippablePDF JavaScript library, and the FlippablePDF WordPress plugin (together, the "Service").

FlippablePDF is built privacy-first. Our default architecture is to keep your data on your machine. The short version of this policy is: we do not collect, store, sell or share your documents, your reading behaviour, or your identity.

01 Summary

02 What we don't collect

We want to be unambiguous: when you use the FlippablePDF library or WordPress plugin, none of the following are collected, stored, or transmitted to AESHA:

The library is open source, and you can audit this for yourself in the source code.

03 How files you open are handled

When you drop a PDF into the demo on this website, or open a PDF through the library or plugin on any other site, the file is read directly by your browser through the standard Web File API or as an in-page URL fetch. The bytes are passed to PDF.js (which runs locally in a Web Worker), and the resulting page bitmaps are drawn into <canvas> elements in your browser.

At no point in this process does the file leave your device. Refresh the page and the document is gone from memory.

04 How files you upload via the Share feature are handled

If you choose to upload a PDF through flippablepdf.com/upload.php to obtain a shareable link, that file is transmitted to our server and stored on disk so that people who follow the link can view it. This is the only feature on this site that retains your data on our servers.

What we store about each upload. For each successful upload we record:

Retention. Uploaded files are deleted automatically thirty (30) days after upload. After deletion, only the database row metadata (filename, size, hashed uploader IP, upload timestamp) is retained for up to a further sixty (60) days for abuse-handling purposes, and is then deleted entirely.

What we record when somebody opens a share link. Each successful view increments a counter on the row, and we log the salted hash of the viewer’s IP and the host portion of the HTTP Referer header (for example, twitter.com). We do not record the URL or the path. We do not run any third-party analytics on the viewer page.

Hotlink protection. The PDF stream itself is gated behind short-lived HMAC-signed tickets minted by the viewer page. This means the actual PDF bytes can’t be reliably embedded into a third-party website that you didn’t intend to host them on.

Deletion on request. Email abuse@flippablepdf.com with the share link and we will delete the file and the associated database row promptly, typically within one business day.

05 Cookies and local storage

This website does not set any cookies. It does not use localStorage, sessionStorage, or IndexedDB for any purpose. The only browser storage that is touched is the standard HTTP cache for static assets (HTML, CSS, JavaScript, images), which you control through your browser settings.

06 Third-party services

On this website: all assets are served from the same origin as the page you're reading. There are no embedded third-party scripts, no analytics, no advertising networks, no social-media trackers.

In the WordPress plugin: by default, the plugin loads PDF.js (a Mozilla open-source library) from the public cdnjs CDN. This means cdnjs receives a request from your visitor's browser when the plugin runs on a page. cdnjs (operated by Cloudflare) has its own privacy policy. If you want to avoid this entirely, use the flippdf_pdfjs_url filter to self-host PDF.js — instructions are in the plugin readme.

07 Server logs

Our hosting provider may keep standard web-server logs (IP address, user agent, requested URL, timestamp) for short periods, for security and abuse-prevention purposes. We do not analyse these logs for behavioural insights, do not link them to identities, and do not share them with third parties except where required by law.

08 Children's privacy

The Service is not directed at children under the age of 13, and we do not knowingly collect information from children. Because we do not collect personal information from anyone, this is largely moot — but we want to state it explicitly.

09 International users and data transfers

Because we do not collect personal data through the Service, no cross-border transfer of your personal data occurs through your use of the Service.

Where you contact us (for example by email), the contents of your message will be processed in the Republic of Seychelles, where AESHA Technology Services Limited is incorporated. By contacting us you consent to this processing.

10 Your rights (GDPR / CCPA / similar)

Depending on where you live, you may have rights under the EU General Data Protection Regulation, the UK GDPR, the California Consumer Privacy Act, or other comparable laws — including the right to access, correct, port or delete personal data we hold about you, and the right to object to or restrict processing.

Because we do not maintain any database of users or visitors, we typically have no personal data about you to access, correct, port or delete. If you have nevertheless contacted us by email and wish to exercise your rights regarding that correspondence, write to us at the address below.

11 Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. If we ever change our architecture in a way that would cause us to begin collecting personal information, we will say so prominently — both on this page and on the website's home page — before doing so.

12 Contact

Questions or concerns about this Privacy Policy can be sent to:

AESHA Technology Services Limited
1032 Office House of Francis Ilu de Port
00000 Mahe, Seychelles (SC)
CRN: 210193


© 2026 AESHA Technology Services Limited. All rights reserved.