Privacy Policy
1. Introduction
Welcome to PNGtoSVG.online ("the Service", "we", "our", or "us"). We are strongly committed to protecting your personal information and your right to privacy. This Privacy Policy explains what information we collect, how we use it, and what rights you have in relation to it when you use our website and image conversion service at pngtosvg.online.
Please read this policy carefully before using the Service. If you have any questions or concerns about this notice — or about our practices with regard to your personal information — please contact us using the details provided in Section 16.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms set out here, please do not access the site or use the Service.
2. Who We Are
PNGtoSVG.online is a free online tool that converts raster image files (PNG, JPG, WEBP) into Scalable Vector Graphics (SVG) format. The service is offered at no charge and does not require user registration or account creation of any kind.
For the purposes of applicable data protection law, we act as the data controller in respect of any personal data collected through this Service.
3. Information We Collect
3.1 Information You Provide to Us
Uploaded Images. When you use the Service to convert a file, you upload an image directly to our server. We receive and temporarily process this file solely for the purpose of producing an SVG output. Your uploaded file is:
- Stored in a temporary, isolated directory on our server that is not accessible via the web.
- Processed by our conversion engine to produce and return the SVG output to your browser.
- Deleted automatically and permanently from our server immediately after the conversion process completes — whether the conversion succeeds or fails.
- Never shared with any third party for any purpose whatsoever.
- Never used to train machine-learning models or improve any AI system.
- Never retained beyond the active conversion operation.
We strongly advise you not to upload images containing sensitive personal information, confidential documents, or private materials you would not want transmitted over the internet. The Service is designed for converting ordinary graphics such as logos, icons, and illustrations.
3.2 Information Collected Automatically
IP Address. When your browser connects to our server — including page loads and API calls for conversion — your IP address is transmitted as a standard part of internet communication. We use your IP address exclusively to enforce rate limiting: a mechanism that prevents abuse of the free service and ensures equitable access for all users. IP addresses used for rate limiting are stored in temporary server-side files in a non-web-accessible directory and are automatically overwritten or purged within a short rolling window (typically ranging from 1 hour to a maximum of 24 hours). We do not maintain persistent IP address logs, do not link IP addresses to individual identities, and do not use IP addresses for tracking, profiling, or any marketing purpose.
Server Access Logs. Our web server software may automatically record basic access log entries, including the date and time of requests, the URL requested, the HTTP status code, and the HTTP referrer header. These logs are retained for a limited period (not exceeding 30 days) for the purposes of diagnosing server errors and maintaining security. Access log data is not shared with third parties and is not used for marketing, profiling, or advertising.
Session Data. We use PHP server-side sessions to maintain essential security state. A session identifier cookie is placed on your browser in order to link your browser to a session on our server. The session contains only a security token (see Section 5) and does not include any personal information beyond the transient session ID itself.
3.3 Information We Do Not Collect
For complete transparency, we explicitly do not collect the following:
- Your name, email address, username, or any personally identifying account information.
- Payment or financial information of any kind (the Service is entirely free).
- Device fingerprinting data or unique hardware identifiers.
- Behavioural or cross-site tracking data.
- User profiles or persistent usage histories.
- Data from social media platforms or third-party login providers.
- Precise or approximate geolocation beyond what is technically inherent in an IP address.
We do not deploy Google Analytics, Facebook Pixel, Hotjar, or any other third-party analytics or advertising services on this website.
4. How We Use Your Information
We use the information we collect or receive for the following purposes only:
- To deliver the Service. Your uploaded image is processed server-side to produce an SVG file that is returned to your browser. This is the primary and exclusive purpose of processing your image data.
- To protect the integrity and availability of the Service. Your IP address is used to apply rate limits and detect abuse, ensuring the tool remains available and usable for all visitors.
- To secure the Service against web attacks. Session data and CSRF tokens are used to protect conversion requests against cross-site request forgery (CSRF) attacks and related security threats.
- To diagnose and fix technical problems. Server log data may be reviewed by us on an as-needed basis to identify and correct software bugs, server errors, or misconfigurations.
We do not use your information for advertising, marketing, profiling, selling to third parties, or for any purpose other than those expressly stated above.
5. Cookies and Similar Technologies
A cookie is a small text file placed on your device by a website you visit. We use a minimal number of cookies, all of which are strictly necessary for the Service to function securely.
5.1 Essential Cookies We Use
| Cookie / Storage Key | Purpose | Duration | Type |
|---|---|---|---|
PHPSESSID |
Standard PHP session identifier. Links your browser to a server-side session that holds the CSRF security token. No personal information is stored in the session. | Session (deleted when browser is closed or session expires) | Strictly Essential |
csrf_token |
A cryptographically generated security token that protects conversion API requests from cross-site request forgery attacks. The token is read by our JavaScript and sent in request headers, then validated server-side. | 2 hours from issuance | Strictly Essential |
pngtosvg_cookie_consent (localStorage) |
Records your cookie consent preference (whether you accepted all cookies or essential-only). Stored in your browser's localStorage, not as a server-set cookie. |
Persistent until cleared by you | Consent Management |
theme-preference (localStorage) |
Stores your chosen colour scheme (dark or light mode) so that your preference is remembered between visits. This is stored in your browser's localStorage only; nothing is sent to our server. |
Persistent until cleared by you | Functional Preference |
5.2 Non-Essential Cookies
We do not currently use any non-essential cookies, including marketing cookies, advertising cookies, or third-party analytics cookies on our own domain. If this changes in the future, this Privacy Policy and our consent mechanism will be updated accordingly, and your consent will be sought before any non-essential cookies are placed.
5.3 Third-Party Resources That May Set Cookies
To render the website interface, we load the Manrope typeface from Google Fonts (fonts.googleapis.com and fonts.gstatic.com). Your browser makes a direct connection to Google's servers to retrieve these font files. Google may log this request and may set cookies in accordance with their own policies. We have no control over these cookies. For full details, please review the Google Privacy Policy. If you wish to prevent this, you may use a browser extension that blocks third-party font requests.
5.4 How to Manage or Disable Cookies
You can control and manage cookies through your browser settings. Most modern browsers allow you to refuse new cookies, delete existing cookies, or be alerted before cookies are set. Disabling the strictly essential cookies listed above (PHPSESSID and csrf_token) will prevent the conversion feature from functioning. Refer to your browser's support documentation:
- Google Chrome: Settings → Privacy and security → Cookies and other site data
- Mozilla Firefox: Settings → Privacy & Security → Cookies and Site Data
- Microsoft Edge: Settings → Cookies and site permissions
- Apple Safari: Preferences → Privacy → Manage Website Data
To clear the localStorage entries (consent preference, theme preference), open your browser's developer tools (F12), navigate to Application → Local Storage, and delete the relevant keys.
6. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), we collect and process personal data only where a lawful basis exists under the General Data Protection Regulation (GDPR). The legal bases we rely on are as follows:
- Contractual Necessity (Article 6(1)(b) GDPR): Processing your uploaded image and session data is necessary to perform the image conversion service you have requested.
- Legitimate Interests (Article 6(1)(f) GDPR): We process your IP address and server log data based on our legitimate interest in preventing abuse, maintaining server security, ensuring service availability, and diagnosing technical issues. We have assessed that these legitimate interests are not overridden by your privacy rights and freedoms, given the limited, non-persistent, and non-personalised nature of this data.
- Legal Obligation (Article 6(1)(c) GDPR): We may retain certain data where required to comply with applicable law or a court order.
- Consent (Article 6(1)(a) GDPR): Where we ask for consent (for example, for any future non-essential cookies), we will only process data on that basis if you have freely, specifically, and unambiguously consented. You may withdraw consent at any time by contacting us or clearing your browser data, without affecting the lawfulness of prior processing.
7. Data Retention
We apply strict data minimisation and retention limitation principles:
- Uploaded images and temporary conversion files: Deleted immediately and permanently upon completion of the conversion process. We retain no copies of your original image or the produced SVG file.
- IP addresses for rate limiting: Retained in temporary server-side flat files for a rolling window of up to 24 hours, after which they are automatically overwritten or deleted.
- Server access logs: Retained for a maximum of 30 days for operational and security purposes, then automatically deleted or overwritten.
- Session data (server-side): Deleted when your browser session ends or when the PHP session expires server-side, whichever occurs first. The default server session timeout is 24 hours of inactivity.
- CSRF token cookie: Expires automatically 2 hours after issuance.
8. Data Sharing and Third-Party Disclosures
We do not sell, rent, trade, or otherwise transfer your personal information to third parties for their own commercial use. We may share limited technical data only in the following limited circumstances:
8.1 Hosting and Infrastructure Providers
The Service operates on third-party web hosting infrastructure. Our hosting provider may have access to server log data as a technical consequence of providing server infrastructure. Hosting providers are bound by contractual data processing agreements and applicable law.
8.2 Google Fonts
Loading fonts from Google's CDN causes your browser to connect directly to Google's servers. Google may log technical request data (including your IP address) in accordance with the Google Privacy Policy. We do not control this data and it is not shared by us with Google — the connection is initiated directly by your browser.
8.3 Legal Requirements
We may disclose personal information if required to do so by applicable law, regulation, legal process, or enforceable governmental authority. We may also disclose information in the good-faith belief that such action is necessary to protect our rights, property, or safety, or those of our users or the public.
9. International Data Transfers
Your data may be processed on servers that are located outside your country of residence. If you are based in the European Economic Area, please be aware that data may be transferred to countries that may not have data protection laws equivalent to those in the EEA. Where such transfers occur, we take appropriate steps to ensure your data is protected, including reliance on Standard Contractual Clauses (SCCs) approved by the European Commission, or other recognised transfer mechanisms.
10. Your Privacy Rights
10.1 Rights Under the GDPR (EEA Residents)
If you are located in the European Economic Area, you have the following rights under the GDPR:
- Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you and information about how we process it.
- Right to Rectification (Article 16): You have the right to request correction of any inaccurate personal data we hold.
- Right to Erasure (Article 17 – "Right to be Forgotten"): You have the right to request deletion of your personal data, subject to certain legal exceptions.
- Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your personal data under certain circumstances.
- Right to Data Portability (Article 20): You have the right to receive personal data you have provided to us in a structured, commonly used, and machine-readable format.
- Right to Object (Article 21): You have the right to object to processing of your personal data where we rely on legitimate interests as our legal basis.
- Rights Related to Automated Decision-Making (Article 22): We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on you.
- Right to Withdraw Consent (Article 7(3)): Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us using the details in Section 16. We will respond to all verifiable requests within 30 calendar days.
10.2 Rights Under the CCPA / CPRA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights:
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, the business or commercial purposes for collecting it, and the categories of third parties with whom it is shared.
- Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Correct: You may request correction of any inaccurate personal information we maintain about you.
- Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioural advertising. No opt-out is required.
- Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than those permitted under the CPRA.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
To submit a California privacy request, please contact us at the address in Section 16.
10.3 Rights Under UK GDPR
If you are located in the United Kingdom, substantially equivalent rights apply under the UK GDPR and the Data Protection Act 2018. You may also contact the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113 if you have a concern about our data practices that we have failed to resolve to your satisfaction.
11. Security
We implement a range of technical and organisational security measures designed to protect your personal data against unauthorised access, accidental loss, unlawful destruction, or alteration. These include, but are not limited to:
- TLS/HTTPS encryption for all data transmitted between your browser and our server.
- Server-side isolation of uploaded files in dedicated temporary directories with restricted filesystem permissions, inaccessible via the web.
- Cryptographically strong CSRF token validation on all conversion requests.
- Strict Content-Security-Policy (CSP) headers that restrict the sources from which scripts, styles, and other resources may be loaded, mitigating cross-site scripting (XSS) attacks.
- File type validation using binary signature checking rather than extension-based checks, preventing disguised file uploads.
- Automatic and immediate deletion of all uploaded and temporary conversion files after processing.
- Server-side rate limiting to mitigate abuse and denial-of-service attempts.
- Sanitisation of SVG output to strip potentially malicious content such as embedded scripts or event handlers.
While we apply commercially reasonable security measures, no method of internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security and disclaim responsibility for security breaches beyond our reasonable control.
12. Children's Privacy
The Service is not directed at, nor intended for, children under the age of 13 (or, in the European Economic Area and the United Kingdom, under the age of 16). We do not knowingly collect personal information from individuals below these ages. If you are a parent or legal guardian and believe your child has provided personal information to us, please contact us immediately. Upon becoming aware that personal data from a child below the applicable age threshold has been collected without verified parental consent, we will take prompt steps to delete that information.
13. Links to Third-Party Websites
This website may contain links to external websites operated by third parties (for example, browser documentation or external privacy authorities). We are not responsible for the content or privacy practices of those third-party sites. We encourage you to review their privacy policies independently. Our Privacy Policy applies solely to information collected through the PNGtoSVG.online website.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable legal requirements. When we do, we will revise the "Last updated" date at the top of this document. We encourage you to review this page periodically to stay informed about how we protect your information.
Where changes are material, we will make reasonable efforts to bring them to your attention — for example, by posting a prominent notice on our website prior to the change taking effect. Your continued use of the Service following the posting of changes constitutes your acceptance of the revised Privacy Policy.
15. Supervisory Authority
If you are located in the EEA and believe we have not handled a concern about your personal data appropriately, you have the right to lodge a complaint with your local data protection supervisory authority. A directory of national data protection authorities can be found on the European Data Protection Board website.
16. Contact Us
If you have any questions, requests, or concerns about this Privacy Policy, about your personal data, or about your privacy rights, please reach out to us:
PNGtoSVG.onlineEmail: [email protected]
Website: pngtosvg.online
We aim to acknowledge all privacy-related enquiries within 5 business days and to provide a substantive response within 30 calendar days of receipt.