Privacy Policy

Last Updated: December 3, 2025

Privacy Policy

Wordize is operated by Smallize Pty Ltd. This policy covers Wordize-specific data practices. For comprehensive information about data protection, security, and privacy across all Smallize services, please visit the Smallize Privacy Policy.

Age Requirement

You must be at least 13 years old to use this service. Wordize is not intended for children under 13 years of age, and we do not knowingly collect personal information from children under 13. If you are under 13, please do not use this service. If we learn that we have collected personal information from a child under 13, we will delete that information as quickly as possible. Parents or guardians who believe a child under 13 has provided us with personal information should contact us at privacy@smallize.com.

Prohibited Use for Protected Information

HIPAA Disclaimer: This service is not HIPAA compliant and must not be used for Protected Health Information (PHI), medical records, patient data, or any healthcare-related documents containing personal health information. Healthcare providers and organizations subject to HIPAA must not upload PHI to this service.

FERPA Disclaimer: This service must not be used for student education records protected under the Family Educational Rights and Privacy Act (FERPA) without proper safeguards and agreements. Educational institutions should not upload student records, transcripts, grades, or other educational documents containing personally identifiable information.

For more information about acceptable use, see our Acceptable Use Policy.

Wordize.com - Anonymous Document Processing

This website (wordize.com) operates as an anonymous document processing service. We do NOT require user accounts or authentication to use the document processing tools on this site.

What we collect on Wordize.com:

No personal data: You can use all document processing tools without providing any personal information
No file storage: All files are processed in memory and immediately deleted (see "Data Retention & File Processing" section below)
IP address & usage logs (necessary for service security): We collect your IP address and basic usage data for fraud prevention, bot detection, abuse prevention, and security monitoring. This data is essential for protecting our service and all users. See "Security & Fraud Prevention" section below.
Analytics (with consent): We collect additional anonymous usage statistics only if you accept analytics cookies (see our Cookie Policy)
Cookie preferences: We store your cookie consent choices in your browser's local storage

Purchase.Wordize.com - User Accounts for Product Purchases

If you wish to purchase licenses or create an account, you will be directed to purchase.wordize.com, which is our separate e-commerce platform.

Authentication System:

Identity Management: We use Keycloak, an open-source authentication system hosted at auth.wordize.com (servers located in Australia)
What we collect: Email address, name (optional), password (securely hashed), authentication logs
Purpose: Account management, license delivery, customer support
Legal Basis: Contract performance (GDPR Article 6(1)(b)) and legitimate interests for security (Article 6(1)(f))

International Data Transfers

Wordize is operated by Smallize Pty Ltd, based in Australia. When you use our services from the European Economic Area (EEA), your data may be transferred internationally:

Where your data goes:

Authentication data (Keycloak): Stored on servers in Australia at auth.wordize.com
Analytics: PostHog (EU - Frankfurt, Germany) and Google Analytics (USA)
Document processing: Files processed in memory only, not stored (see "Data Retention & File Processing" section below)

Safeguards for EU data transfers:

Standard Contractual Clauses (SCCs): EU Commission-approved contract clauses with our data processors (replacing the invalidated Privacy Shield framework)
Encryption: All data encrypted in transit and at rest
Access Controls: Strict limitations on who can access personal data
Security Audits: Regular security assessments and compliance reviews
Data Minimization: We only collect data necessary for service operation

Third-party safeguards:

Payment Processors: PCI-DSS certified with appropriate safeguards (handled by purchase.wordize.com)

Your rights:

You can request a copy of the Standard Contractual Clauses we use by emailing privacy@smallize.com
You have the right to object to international data transfers

Jurisdictional Compliance

This privacy policy complies with data protection and privacy laws in multiple jurisdictions where we operate or serve users. Wordize is committed to protecting your privacy rights regardless of where you are located.

Australia

This privacy policy complies with the Australian Privacy Principles (APPs).

Wordize is operated by Smallize Pty Ltd, an Australian company subject to the Privacy Act 1988 (Commonwealth of Australia) and the Australian Privacy Principles (APPs). If you have concerns about how we handle your personal information, please contact our Data Protection Officer at dpo@smallize.com. We will investigate and respond within 30 days.

European Union & European Economic Area (GDPR)

This privacy policy complies with the General Data Protection Regulation (GDPR) for users in the EU and EEA. See the "Your Rights Under GDPR" section below for your data subject rights.

United Kingdom & Switzerland

This privacy policy complies with the UK GDPR (as retained in UK law) and the Swiss Federal Act on Data Protection (FADP). UK and Swiss users have the same rights as EU users under GDPR.

United States - State Privacy Laws

California (CCPA/CPRA)

This privacy policy complies with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

California Residents Have the Following Rights:

Right to Know: What personal information we collect, use, disclose, and sell
Right to Delete: Request deletion of your personal information
Right to Opt-Out: Opt-out of the sale or sharing of your personal information
Right to Non-Discrimination: We won't discriminate against you for exercising your rights
Right to Correct: Request correction of inaccurate personal information
Right to Limit Use of Sensitive Personal Information: Limit use and disclosure of sensitive personal information

Do Not Sell or Share My Personal Information

We do not "sell" your personal information in the traditional sense of exchanging data for money. However, sharing data with analytics providers (Google Analytics) for advertising or analytics purposes may be considered a "sale" or "share" under California law.

To opt-out of data sharing:

Click "Cookie Settings" in the website footer
Disable "Analytics Cookies"
Click "Save Preferences"

When you disable analytics cookies, we will not share your information with Google Analytics for analytics purposes.

Categories of Personal Information We Collect (California Users):

Identifiers (Security): IP address collected for all users for fraud prevention and security monitoring (see "Security & Fraud Prevention" section)
Identifiers (Analytics): IP address shared with analytics providers only if you consent to analytics cookies
Internet Activity (Analytics): Pages viewed, buttons clicked, features used (only if analytics consent given)
Device Information: Browser type, operating system, device type via User-Agent string (collected for security purposes; shared with analytics only if consent given)
Uploaded Files: Documents you upload for processing (processed in memory only, immediately deleted, never stored)

Business Purposes for Collection:

Providing document processing services
Security and fraud prevention (essential service operation - not subject to opt-out)
Improving service quality and user experience (with consent)
Analytics and usage statistics (with consent)

We Do Not Sell Personal Information for Money. We share analytics data with PostHog (EU - Frankfurt, Germany) and Google Analytics (USA) only when you consent to analytics cookies. PostHog uses first-party cookies and does not track across different sites. Security logs containing IP addresses are not sold or shared with third parties and are used exclusively for fraud prevention and security purposes.

To Exercise Your California Privacy Rights:
Email: privacy@smallize.com
Subject: California Privacy Request - [specify: Access, Delete, Opt-Out, etc.]

Other US States

This privacy policy also complies with privacy laws in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy laws. Residents have similar rights to California residents.

Canada & Brazil

This privacy policy complies with Canada's PIPEDA and Brazil's LGPD. Canadian and Brazilian residents have rights similar to GDPR, including access, correction, deletion, and data portability. Contact our Data Protection Officer at dpo@smallize.com.

Asia-Pacific Region

This privacy policy complies with privacy laws in Japan (APPI), India (DPDPA 2023), Thailand (PDPA), Indonesia (UU PDP), and Vietnam (Decree 13/2023). Residents of these jurisdictions have similar rights to GDPR users, including access, correction, deletion, and data portability. Contact our Data Protection Officer at dpo@smallize.com.

Note: For cross-border data transfers, your personal information may be transferred to servers in Australia and the United States. We use Standard Contractual Clauses and encryption to protect your data.

Middle East

This privacy policy complies with privacy laws in the United Arab Emirates (Federal Decree-Law No. 45/2021), Saudi Arabia (PDPL), and Turkey (KVKK). Residents have similar rights to GDPR users. Contact our Data Protection Officer at dpo@smallize.com.

Other Jurisdictions

We are committed to complying with applicable data protection and privacy laws in all jurisdictions where we operate. If you have questions about how your jurisdiction's privacy laws apply to our services, please contact privacy@smallize.com.

Security & Fraud Prevention

To protect our service and all users from abuse, fraud, and security threats, we collect certain data based on our legitimate interests (GDPR Article 6(1)(f) and similar provisions in other privacy laws).

What We Collect:

IP Address: Collected from all requests to our service
User-Agent: Browser and device information from HTTP headers
Request Metadata: Timestamp, requested URL, HTTP method, response status
Usage Patterns: Number of requests, file processing operations, service interactions

Why This Data Is Necessary:

We use this data to detect and prevent bot attacks, identify abuse patterns, protect against denial-of-service attacks, prevent unauthorized data extraction, investigate security incidents, respond to legal requests, and ensure fair resource allocation among all users.

Legal Basis:

Legitimate Interest (GDPR Article 6(1)(f)): We have a legitimate interest in protecting our service and users from abuse and security threats. The data collection is necessary and proportionate, and we implement data minimization principles. Where legitimate interest is not recognized by law, we collect this data based on contract performance or legal obligation.

Your Rights:

Right to Access: Request a copy of security logs by emailing dpo@smallize.com
Right to Object: You can object to processing based on legitimate interests, but we may be unable to provide service access without these security measures
Right to Erasure: Request deletion after 12-month retention period (except logs required for active investigations)

Data Protection:

Security logs are encrypted in transit and at rest, accessible only to authorized personnel, automatically deleted after 12 months, and never sold or shared with third parties for marketing purposes.

Security Logging vs Analytics:

Security Logging (No Consent Required): IP address, User-Agent, request metadata for fraud prevention and security monitoring. Retained 12 months. Legal basis: Legitimate interest.

Analytics (Consent Required): Page views, clicks, feature usage for improving user experience. PostHog (EU-hosted, first-party cookies) and Google Analytics (26 months). Legal basis: Consent. Opt-out via "Cookie Settings" in footer.

Important: Even if you reject analytics cookies, security logging continues as it is essential for service operation and fraud prevention.

Data Retention & File Processing

File Processing (No Storage)

Important: Wordize does not store your files on our servers. All file processing happens entirely in memory.

When you use Wordize to process documents:

Upload: Files are received and loaded into server memory
Processing: Files are processed in memory to perform the requested operation (conversion, merging, etc.)
Download: Processed files are immediately returned to you
Automatic Deletion: Files are removed from memory once the processing session ends

Your files exist only during the active processing session and are never written to disk. This ensures:

Your files are never stored on our servers
No file copies remain after processing completes
Complete data minimization - we retain nothing
Maximum privacy and security for your documents

User Responsibility: You must download your processed files during the active session. Files cannot be recovered after processing completes, and we do not maintain archives or backups of user files.

Processing Metadata: We may retain limited metadata about processing operations for operational and security purposes (timestamp, file sizes/types, operation performed, success/failure status). This metadata does not include file contents or personally identifiable information and is retained only as long as necessary for system operation and security monitoring (up to 12 months).

Data Retention Periods

For Wordize.com (this website):

Document files: Immediately deleted after processing (never stored on disk)
Cookie preferences: Stored in your browser until you clear them (1 year expiry)
Security logs (IP addresses, User-Agent, request metadata): Retained for up to 12 months for fraud prevention and security monitoring (see "Security & Fraud Prevention" section above)
Analytics data: PostHog (EU-hosted) and Google Analytics (26 months) - only if you consent
Stats logs: Anonymous usage statistics retained for 12 months (only collected with analytics consent)
Processing metadata: Retained for up to 12 months for security and operational purposes

For user accounts (purchase.wordize.com):

Active account data: Retained until you delete your account
Transaction records: Retained for 7 years (legal requirement for tax compliance)
Authentication logs: Retained for 1 year for security purposes
Deleted account data: 30-day grace period, then permanently deleted (except transaction records required by law)

For complete retention details for user accounts, see purchase.wordize.com.

Your Rights Under GDPR (EU/EEA Users)

If you only use wordize.com for document processing without creating an account:

Cookie Settings: Click "Cookie Settings" in the footer to manage analytics cookies
Opt-out of Analytics: Reject analytics cookies or enable browser Do Not Track
No Personal Data Collected: We don't collect personal data from website visitors beyond anonymous analytics (with consent)
Files Not Stored: All uploaded files are processed in memory and immediately deleted (see above)

If you have created an account on purchase.wordize.com, you can exercise your GDPR rights by contacting our Data Protection Officer:

Email: dpo@smallize.com
Subject Line: GDPR Request - [specify type: Access, Erasure, Rectification, Data Export, etc.]
Response Time: Within 1 month (may extend to 3 months for complex requests)
Cost: Free of charge for reasonable requests

What You Can Request:

Access Your Data: Complete copy of account information, purchase history, license keys, and authentication logs
Rectify Your Information: Update your email address or name
Erase Your Account: Delete your account and personal data (Note: Transaction records must be retained for 7 years for tax compliance but will be anonymized)
Export Your Data: Receive your data in JSON format for transfer to another service
Restrict Processing: Temporarily limit how we process your data
Object to Processing: Object to processing based on legitimate interests

Verification Process:

To protect your privacy, we may ask you to verify your identity before processing requests. This typically involves confirming access to the email address associated with your account.

Data Breach Notification

In the event of a data breach that poses a high risk to your rights and freedoms, we will:

Notify relevant authorities within 72 hours of becoming aware of the breach
Notify affected users without undue delay if the breach is likely to result in a high risk to your rights and freedoms
Provide information about: The nature of the breach, likely consequences, and measures taken to address the breach
Contact: In case of suspected security incidents, contact security@smallize.com

Related Policies

Please also review these related policies:

Cookie Policy - Cookies used on Wordize.com and authentication cookies
Security Practices - Wordize security measures
purchase.wordize.com - User accounts, payments, and licensing

Contact Information

Privacy Inquiries: privacy@smallize.com
Data Protection Officer: dpo@smallize.com
General Support: support@wordize.com