Privacy policy
Last updated: 27 June 2026
This policy describes how CSVall (“we”, “us”) handles information when you use csvall.com and related subdomains (the “Site”). We wrote it for readers who skim and for reviewers who audit. The short version: our converters and viewers run in your browser; we do not operate a cloud copy of your uploaded file contents for routine processing. When we integrate advertising or analytics, those vendors may process technical data as explained below.
Who controls the data
The data controller for personal data processed in connection with the Site is CSVall, operated by founder Khalid Danishyar, reachable at hello@csvall.com and through the Contact page. We update the Company page if the operating entity changes.
Information you give us directly
If you email us, we store your message, headers, and attachments strictly for handling that conversation—support, legal process, or commercial enquiry. We do not sell email lists. We delete routine support mail within a reasonable retention window unless the law or a dispute requires longer storage.
The Site does not require you to create an account to use the public tools.
Information your browser sends automatically
Like almost every website, our hosting and edge infrastructure creates server logs. Those logs typically include your IP address, user agent, request time, status code, and referrer URL. We use logs for security, abuse prevention, capacity planning, and debugging. We rotate and trim logs; we do not use raw access logs to build behavioural profiles on named individuals.
If you load third‑party scripts (for example from Google to serve ads or measure performance), those providers receive standard HTTP information they document in their own policies. We minimise the number of such tags and load them only where necessary.
How file processing works on CSVall
When you use a browser‑based tool on the Site, your file is ordinarily read with standard Web APIs (such as FileReader) inside your device memory. The transformed output stays available to you locally until you close the tab or clear site data. We do not run a default “upload everything to our cluster for conversion” pipeline for those tools.
Some workflows may cache derived content in sessionStorage so a results page survives a refresh. That storage lasts for the browser session unless we state otherwise on the tool page. Clear your browser data if you need an immediate wipe.
If we ever offer a clearly labelled server‑side option in the future, we will disclose it in the UI and update this policy before switching the default.
Cookies, local storage, and similar technologies
We may store preferences (such as language or theme) in localStorage. Advertising partners may set cookies or advertising IDs subject to your consent where the law requires it. Read our Cookie policy for a plain inventory and management tips.
Advertising (including Google AdSense)
We may monetise some pages with display ads. Google and other networks may process data to measure impressions, cap frequency, fight fraud, and personalise ads where permitted. Those vendors act as independent controllers or processors depending on the product; consult Google’s Advertising Policies and Privacy & Terms for details.
You can control ad personalisation through industry tools (for example Google’s Ads Settings) and through browser‑level cookie controls. Turning off personalised ads does not always remove all network calls.
Legal bases (EEA / UK reference)
Where GDPR‑style rules apply, we rely on: (i) legitimate interests for securing the Site, understanding aggregate traffic, and improving performance, balanced against your rights; (ii) performance of a contract when you correspond with us commercially; (iii) consent where we must obtain it for non‑essential cookies or certain marketing. You may object to processing based on legitimate interests and may withdraw consent at any time without affecting earlier lawful processing.
Retention
Retention periods depend on the data category: ephemeral processing in your browser ends when you destroy the session; server logs roll off on a shorter schedule than legal holds; support email follows the mailbox policy described above. We keep aggregate, non‑identifying metrics longer for product planning.
Security
We apply reasonable administrative and technical measures—TLS in transit, restricted access to production systems, and least‑privilege accounts. No online service can promise perfect security. If we learn of a breach that affects personal data we control, we will notify regulators and affected users when the law requires it.
Children
The Site targets adults handling work or study data. We do not knowingly collect personal information from children under the age where parental consent is required. Contact us if you believe a minor supplied data and we will delete it promptly where verifiable.
International transfers
We may process data in multiple countries where our providers maintain facilities. Your information could move to jurisdictions with different protection standards. We use contractual safeguards recognised by regulators where required.
Your rights
Depending on your location, you may have rights to access, rectify, erase, restrict, port, or object to certain processing, and to lodge a complaint with a supervisory authority. Email us to exercise a right; we may need to verify your identity before disclosing records.
Changes
We post updates on this page and bump the “Last updated” date. Material changes may also appear in a short on‑site notice for a reasonable period.