Security and GDPR Controls
- PDF uploads are page-counted before conversion to enforce plan limits.
- Temporary input/output folders are deleted after conversion.
- Free trials are limited using email, hashed IP/browser data and a signed strictly necessary cookie.
- Paid access requires an email and access key generated after successful Stripe payment/subscription.
- Stripe Checkout is used so card details are handled by Stripe, not this application.
- Production deployment should use HTTPS, strong APP_SECRET_KEY, Render environment variables and persistent database storage.