Legal

General Privacy Notice

When you come into contact with one of the entities of the iText Group, via our website, in person or in any other way, we collect, store and use (or process) your personal data for various purposes, depending on the nature of our relationship. We ensure compliance with the various obligations imposed on us by data protection regulations. Since transparency is key, we have created this privacy notice to explain to you who is responsible for the processing activities, for which purposes your personal data is processed, on which legal grounds this is based, with whom we share it, what the retention periods are, and of course what your rights are.

This privacy notice applies to, regardless of the iText entity that you work with. If you would have additional questions or remarks, feel free to contact us at (legal@itextpdf.com) as they can help you further.

Last modified July 30, 2022

iText recognizes the importance of protecting your personal data and is committed to processing it responsibly and in accordance with applicable data protection legislation, including the General Data Protection Regulation (EU) 2016/679 (hereinafter: “GDPR”).

1. Who is responsible for your personal data

The administration of the three iText entities is centralized within iText Group NV, a Belgian corporation, with registered office at AA Tower, Technologiepark-Zwijnaarde 122, B-9052 Ghent, Belgium, VAT
(also referred to as “ISG” or “we”).

This implies that ISG is the controller of your personal data and thus responsible for the processing activities.

2. Categories of personal data

We process the following categories of personal data.

  • contact information, such as your address, telephone number and email address.
  • identification information, such as your name, job title, company you work for.
  • your use of our website, which includes the pages you visited, the device you use to visit our website, preferences, IP addresses, pages that you share.
  • financial information, such as your bank account number.
  • your communication with iText, whether this is via email or through other communication channels.
  • information on your social media pages that are publicly available.
  • the products that we sell to you or the license agreements that we enter into with you, which includes your feedback on how you use our products and services.
  • the contributions that you make to the iText software.

We process your personal data only for the purposes described here below, and every purpose is based on a specific legal ground:

Purposes that relate to the use of our website

When you use and visit our website, we process the personal data concerning your use of our website to improve our website, make it more user friendly and to keep it safe. This is based on our legitimate interest.

Purposes that relate to the contracts that we enter into with you

When we use your services or products as one of our vendors, we process your identification information, contact information, financial information and the services or products we have purchase from you to be able to perform our contract with you.

When you purchase one or more of our products, we also process your identification information, contact information, financial information, your communication with us, the products you have purchase and your use thereof, to be able to provide you with our services and to perform our license agreement. It goes without saying that the legal ground is

When you make a payment by using a credit card, or electronic wallet such as Google pay or Apple pay, we do not have access to your credit card details. That information is processed by third party service providers. We do use a payment management system to keep track of all the payments done by our clients. That platform is provided to us by Stripe who also uses transaction information, such as the IP address, card details, cardholder names and location, to assess the fraud risk associated with your payments. This is only a risk assessment. If a payment is categorized as a high or elevated risk, we will review the payment first to determine if we can accept the payment or if we have to decline it, when it is in our opinion fraudulent. We will contact you before we decide to decline a payment that is categorized as fraudulent. More information on how Stripe processes your personal data and makes such risk evaluations can be found in Stripe’s privacy policy: Privacy Policy (stripe.com). This is based on our legitimate interest to keep us safe from fraud.

When you wish to make contributions to our software and enter into a contributor agreement with us, we process your identification information, contact information, your communication with us and the contributions that you make. This information is processed to improve our software.

Purposes that relate to our marketing activities

We process your use of our website to know which topics generate the most interest. We also use your feedback and how you use our products to improve our products and services and to create new functionalities. This is based on our legitimate interest to improve our products and services.

When you allow us to use your image, at conferences or at one of our events, we use that on our social media channels to promote our activities. As explained in our consent form, we will never use your image without your consent but once you have given it, the legal basis to process it is our legitimate interest to promote our activities.

We will also process your image for archival purposes, to know which events we attended and seminars we organized. This is also based on our legitimate interest to keep track of our activities.

We use your contact information to keep you informed about our products and services and about our upcoming activities and webinars. If we have obtained your email address through a purchase you made, we use our legitimate interest to promote our products. In any other case, we will only contact you if you have given us your consent.

Purposes that relate to iText’s legal status

Your personal data can be processed to prepare for a potential merger our acquisition. It is in our legitimate interest to be able to disclose to a potential buyer what our client base is, who are vendors and contributors are and what our commercial activity is.

We process your personal data to comply with legal obligations or to meet requests from the authorities. The legal basis is of course our obligation to comply with legal obligations that are imposed on us.

All your personal data is processed to exercise our legal rights and to be able to defend us in legal claims should this be necessary. This is based on our legitimate interest to be ensure our legal position.

4. Transfer of personal data

We share your personal data with the following categories of recipients, when this is necessary to fulfill the processing purposes:

Other iText entities

When you have applied for a job opening at another iText entity, we share your personal data with that iText entity:

  • For employees of iText Asia (“ISA”), your personal data is shared with iText Software Asia, Pvt Ltd, a company incorporated in Singapore, with its registered office at 3 Fraser Street, Duo;
  • For employees of iText USA (“ISB”), your personal data is shared with iText Software Corp., a California corporation with an office at 530 Harrison Ave, Floor 2, Boston, MA 02118;

Since this is a transfer to third countries that do not yet have received an adequacy decision of the European Commission (meaning that the European Commission is not yet convinced that those countries have similar data protection legislation in place to protect your), we have safeguarded the transfer by implementing the standard contractual clauses, set forth by the European Commission in its decision of 4 June 2021.

Third party controllers
If it is necessary for one of our purposes, we share your personal data with third party controllers. These are for example our distributors, external marketeers, external counsel, auditors, or other service providers, such as Stripe. These transfers will always meet one of the purposes described hereabove and we will do this with the utmost care for the safety of your personal data.

Transfers to third countries outside the EEA will only occur when the necessary safeguards are in place, such as an adequacy decision or the standard contractual clauses.

Third party processers
To organize and carry out our business activities and to ensure the continuity of our services, we use third party service providers to assist us with certain tasks. This is for instance Microsoft Office, our CRM system, etc. We ensure you that we will only work with reputable third party service providers, who work on our instruction and who respect data protection obligations. The necessary data processing agreements are in place with those providers and likewise to transfers to third party controllers, if it entails a transfer to third countries outside the EEA and without an adequacy decision, we ensure that the necessary safeguards are implemented.

5. Retention periods

We do not keep your personal data longer than what is necessary to fulfill the purposes for which your personal data is processed. To give you an idea:

  • The personal data that we process for the purposes that relate to your use of our website will be processed during the lifespan of the cookies. We refer to our cookie policy https://itextpdf.com/en/how-buy/legal/cookies-policy for more information.
  • The personal data that we process based on your consent, will be processed until you withdraw your consent.
  • The personal data that we process for the performance of our agreement, will be retained for a period of 10 years after the expiration date of that agreement. The personal data that we process following the contributor’s agreement will be processed for as long as the intellectual property rights on your contributions are valid.
  • Information with regard to fraudulent payments will be retained for a period of 5 years.
  • The personal data that we process for marketing activities will be processed will be retained for a period of 2 years.
  • The personal data that we process for the purpose that relates to iText’s legal status will be retained until they are no longer necessary for that purpose. This can vary depending on the legal necessity for which they would be processed. If this is for example in the context of a court case, that personal data will be retained for as long as that court case is ongoing.

Security of personal data

iText acknowledges its responsibility to ensure an appropriate level of security with regard to the information you provide. Therefore iText has implemented various measures in order to protect the personal data against loss, alteration, accidental or unlawful destruction, unauthorized disclosure of, or access to the personal data. On organizational level measures are taken such as the limitation of access to and monitoring of the buildings and systems, while on technical level firewalls and encryption is in place, personal passwords are used and verified and verification requirements regarding access to personal data on a ‘need-to-know’-basis are provided.

Your rights with regard to personal data

It goes without saying that you have the possibility to exercise the rights as described in the GDPR. These can be exercises by contacting the HR department or the responsible for privacy and data protection (see below)

  • Right to information

You always have the opportunity to request all collected personal data (including processing purposes, categories of personal data, estimated retention period) for inspection.

  • Right to rectification, erasure, restriction and objection

You are entitled to have incorrect personal data corrected or completed and, under certain circumstances, the right to have your personal data removed from our files. Moreover you have the right to object to or ask for the restriction of the processing of your personal data. In that case, we ask you to motivate why you are objecting to the processing of your personal data.

Keep in mind, however, that in certain cases the processing of the personal data is necessary to comply with a legal obligation or to be able to realize contractual obligations. In that case, compliance with those obligations will prevail over your right to object or restriction. Therefore, iText Group will evaluate case by case whether or not the request can be complied with.

  • Right to withdraw consent

If the processing of personal is based on your consent, you have the right to withdraw this consent at any time. Please note that the withdrawal of consent will not affect the lawfulness of the processing based on this consent before its withdrawal.

  • Right to data portability

You have the right to receive your personal data, processed by iText, in a structured, commonly used and machine-readable format and/or to transmit those data to another controller.

  • Right to lodge a complaint

If, at any time, you are of the opinion that iText infringes your privacy, you have the right to lodge a complaint with the Belgian supervisory authority: Data Protection Authority, Drukpersstraat 35, 1000 Brussels, Tel +32 (0)2 274 48 00, e-mail: contact@apd-gba.be.

Changes to this policy

Changes to this privacy policy can be made from time to time, this in accordance with the GDPR. When we change the content of this policy we will change the date and version number of the ‘last update’ of this privacy policy. You will be informed about these changes in an appropriate manner.

Contact

If you have any questions with regard to the content of this policy, the processing of your personal data or the exercise of your rights in relation to this data processed by iText, you can contact the HR department or the responsible for privacy and data protection by sending an e-mail to legal@itextpdf.com.

12. Additional Disclosures for California Residents
California residents may have additional rights under the California Consumer Privacy Act (“CCPA”) with respect to certain personal data that is not covered under a federal law. If you are a California resident, this section details your rights under the CCPA, how you may exercise those rights, and what we will do in response.

The CCPA requires us to disclose information regarding the categories of personal data we have collected about California consumers (as that term is defined in the CCPA) during the preceding twelve (12) months, the categories of sources from which the Personal information was collected. the business or commercial purposes for collecting the Personal Information. In the preceding 12 months, we collected the following Personal Information about California consumers:1

Categories of Personal Information We Collected Categories of Sources Examples of Uses / Business Purposes
Identity data Direct interactions with you Providing you the information, products and services you request; respond to enquiries from you; schedule meetings with you; manage our relationship with you; carry out agreements entered into between you and us
Contact data Direct interactions with you Providing you the information, products and services you request; respond to enquiries from you; schedule meetings with you; manage our relationship with you; carry out agreements entered into between you and us
Financial data Direct interactions with you; third party service providers (e.g., financial institutions) Carry out any agreements entered into between you and us
Transaction data Automatically collected (including using Hotjar) Carry out any agreements entered into between you and us
Technical data Automatically collected (including using Hotjar); digital markers, online tracking technologies  
Product data Automatically collected (including using Hotjar); digital markers, online tracking technologies  
Marketing & Communications data Automatically collected (including using Hotjar); digital markers, online tracking technologies  

iText does not sell any personal data and does not have actual knowledge that it sells the personal data of users under 16 years of age. However, the CCPA also requires us to disclose the categories of personal data, if any that we have disclosed for a business purpose in the preceding 12 months and the categories of third parties to whom the personal data was disclosed.

Categories of Personal Information we disclosed to Third Parties Business purpose(s)
Identity data Our other group companies, business partners and suppliers when this is necessary to provide our services to our users or for the performance of any contract we enter into with you;
Contact data Our other group companies, business partners and suppliers when this is necessary to provide our services to our users or for the performance of any contract we enter into with you;
Financial data Our service providers who provide certain services on our behalf such as data hosting or processing services. We will use contractual arrangements to protect personal data disclosed to these service providers
Transaction data Our service providers who provide certain services on our behalf such as data hosting or processing services. We will use contractual arrangements to protect personal data disclosed to these service providers
Technical data Analytics and search engine providers that assist us in the improvement and optimisation of our products; our service providers who provide certain services on our behalf such as data hosting or processing services. We will use contractual arrangements to protect personal data disclosed to these service providers
Product data Analytics and search engine providers that assist us in the improvement and optimisation of our products;
Usage data Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others. Such disclosures are typically aggregate information about our users and analyses of our server logs, traffic, or information relating to customer leads, including details regarding usage of our websites or apps and general information about our audience, and are not generally considered to be personal data; analytics and search engine providers that assist us in the improvement and optimization of our products
Marketing and Communications data Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others. Such disclosures are typically aggregate information about our users and analyses of our server logs, traffic, or information relating to customer leads, including details regarding usage of our websites or apps and general information about our audience, and are not generally considered to be personal data; analytics and search engine providers that assist us in the improvement and optimisation of our products

In addition, we may share personal data of California consumers:

  • in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets or (subject to confidentiality restrictions) during the due diligence process, in accordance with applicable law;
  • if iText or substantially all of its assets (or any group company or its assets) are acquired by a third party, in which case personal data held by it about its customers and users of its products will be one of the transferred assets, in accordance with applicable law;
  • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or as we believe in good faith may be reasonably necessary to comply with any law, regulation, rule, court order, or other lawful requests from governmental, regulatory or administrative agencies or law enforcement authorities (including in response to law enforcement or national security requirements), or in order to enforce or apply any terms of use applicable to a specific product, and other agreements; or to protect the rights, property, or safety of iText, our customers, or others.
  • as otherwise may be required or permitted by applicable law.

California residents have the right to access and request:

  • The categories of personal data that we collect.
  • The categories of personal data we collected in the previous 12 months.
  • The categories of data we sold in the previous twelve months.
  • The categories of data disclosed for a business purpose in the previous twelve months.
  • The specific pieces of personal data we collected about you.

California residents have the right to request the deletion of their personal data. However, this right does not apply to personal data that we need in order to:

  • Complete the transaction for which the personal information was collected
  • Detect or resolve security issues, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for the activity;
  • Address any functionality-related issues
  • Comply with any applicable federal or state law
  • Conduct research in the public interest
  • Ensure the right to free speech
  • Carry out actions for internal purposes.

California residents have the right to not be discriminated against (as provided for in applicable law) for exercising certain of your rights hereunder.

To exercise any of your rights as a consumer please submit a verifiable consumer request to us. You may submit a verifiable consumer request by emailing us at privacy@itextpdf.com, or contacting us at our contact us form: https://itextpdf.com/contact-us. A California consumer may only make a verifiable request to exercise their rights twice within a 12 month period. The verifiable request must: (1) provide sufficient information for us to verify your identity, and (2) be in sufficient detail that we can reasonably understand the request, evaluate it, and respond. You may have an authorized agent submit a request to know, or a request to delete so long as you provide the authorized agent with written permission to submit the relevant request and you verify your own identify directly with us. Such restrictions do not apply where you provide your authorized agent with power of attorney pursuant to California Probate Code sections 4121 to 4130. If we are unable to verify your request then we will be unable to provide you with the information you seek or delete any personal data we retain.

13. Accessibility

2 This Privacy Policy uses industry-standard technologies and was developed in connection with the World Wide Web Consortium’s Web Content Accessibility Guidelines, version 2.1. If you wish to print this privacy policy, please do so from your web browser or by saving the page as a PDF.

Contact

Still have questions? 

We're happy to answer your questions. Reach out to us and we'll get back to you shortly.

Contact us
Stay updated

Join 11,000+ subscribers and become an iText PDF expert by staying up to date with our new products, updates, tips, technical solutions and happenings.

Subscribe Now