1. Scope of This Policy
This Privacy Policy applies exclusively to the Vexifa PDF Suite desktop application ("the App") for Windows. It describes every network call the App makes, every piece of data it collects or processes, and how that data is handled. It does not apply to other Vexifa products, which have separate policies.
This policy is written with the needs of healthcare professionals, legal professionals, and regulated-industry users in mind. Where relevant, we address the specific compliance frameworks that govern your use of the App.
2. What Vexifa PDF Suite Does Not Do
The following is an explicit list of what the App never does — not by policy alone, but by architectural design. There is no server-side infrastructure to which these operations could be routed:
- Does not upload document content. No page of any PDF you open is transmitted to Vexifa or any Vexifa-operated server.
- Does not transmit AI conversations. When you use the local AI sidebar via Ollama, all prompts and responses stay on your machine. The App communicates only with localhost (127.0.0.1), never with an external AI endpoint unless you explicitly configure one.
- Does not send OCR results to Vexifa. Tesseract OCR runs locally. The extracted text is never transmitted externally.
- Does not upload redaction content. When you redact text or apply pattern-based redaction, the content being removed is processed entirely on-device and never seen by Vexifa.
- Does not transmit PII scan findings. The PII scanner operates locally on your document's text. Findings — including any SSNs, credit card numbers, or other sensitive data it detects — are displayed only to you and never sent externally.
- Does not send audit log data to Vexifa. Audit logs are stored as encrypted local files on your device. They are never transmitted to Vexifa.
- Does not collect usage analytics or telemetry. The App does not track which features you use, how long you use the App, which files you open, or any behavioral data.
- Does not collect crash reports automatically. If the App crashes, a report is written locally. It is only sent if you explicitly choose to email it — your default email client opens with the report pre-filled, and you decide whether to send it. Nothing is transmitted without your deliberate action.
3. Every Network Call the App Makes
The table below is a complete, exhaustive list of all network communication initiated by the App. No calls are made beyond those listed.
| Destination | What is sent | When | User-controlled |
|---|---|---|---|
| Lemon Squeezy API api.lemonsqueezy.com |
License key + hashed machine identifier (SHA-256 of Windows MachineGuid, truncated to 32 hex chars; not personally identifiable) | On each app launch, to validate the active license | Required for Pro/Healthcare/Legal tiers. Free tier: no call at all. |
| Local Ollama instance 127.0.0.1 (localhost only) |
Document text excerpts + user prompts (AI sidebar, document brief, semantic search, PII NER, translation, contract analysis) | When you use AI features | User-configured. Traffic stays on-device. Never leaves your machine. |
| RFC 3161 Timestamp Authority User-configured TSA URL |
A hash of the document being signed (SHA-256 digest only — not the document content) | When you digitally sign a document with LTV timestamps enabled | User-initiated. TSA URL is configurable. No document content is transmitted. |
| OCSP / CRL responder Extracted from signing certificate's AIA extension |
Certificate serial number and issuer information | When you digitally sign a document with LTV enabled (to verify certificate revocation status) | User-initiated signing operation. No document content is transmitted. |
| Cloud AI providers OpenRouter, OpenAI, or other provider you configure |
Document text excerpts + user prompts (same as Ollama, but routed to external provider) | Only if you configure a cloud AI provider AND use AI features | Opt-in only. You supply the API key. Traffic goes directly from your device to the provider — not through Vexifa. Disabled in Healthcare edition. |
| Cloud OCR providers Azure Document Intelligence or Google Cloud Vision |
Rendered page images from the document being OCR'd | Only if you configure a cloud OCR provider AND run OCR on a document | Opt-in only. You supply the API key. Traffic goes directly from your device to the provider — not through Vexifa. Disabled in Healthcare edition. |
| Cloud storage providers Google Drive, Microsoft OneDrive, Dropbox, or WebDAV instance you configure |
The PDF files you explicitly open from or save to that provider | Only if you configure cloud storage sync AND open or save a file from/to it | Opt-in only. Authenticated via OAuth 2.0. Traffic goes directly from your device to the provider — not through Vexifa. Healthcare edition requires local paths only. |
| DocuSign or Adobe Sign API Provider you configure for e-signatures |
The document you are sending for signature + recipient details you enter | Only when you use "Send for E-Signature" and explicitly confirm the send | User-initiated, requires explicit confirmation. You supply the API credentials. Traffic goes directly from your device to the provider. |
| Vexifa crash report email contact@vexifa.com (via your email client) |
App version, OS version, panic message, stack trace. Explicitly excludes document paths, file names, document content, audit log contents, license key, and any username or organization data. | Only if the App crashes AND you choose to send the report by clicking Send in your own email client | Fully opt-in. Your email client sends it — Vexifa has no server-side crash collection endpoint. Healthcare and Legal editions default to off. |
4. Protected Health Information (PHI) and HIPAA
The Healthcare edition of Vexifa PDF Suite is designed for use in environments where HIPAA compliance is required. The following architectural properties are relevant to your compliance obligations:
4.1 Data Location
All documents — including those containing PHI — remain on the device running the App. The App does not move PHI to Vexifa servers at any stage of processing. AI analysis, OCR, PII scanning, redaction, and audit logging all execute on-device.
4.2 Encryption at Rest
The Healthcare edition audit log is encrypted at rest using AES-256-GCM with a key derived from the device's Windows Machine GUID and an application-specific salt. This satisfies the addressable implementation specification at HIPAA §164.312(a)(2)(iv) for encryption of data at rest.
4.3 Audit Controls
The Healthcare edition maintains an append-only audit log recording every operation that touches document content: opens, saves, exports, prints, redactions, signatures, password changes, and annotation modifications. The log includes timestamp, hostname, Windows username, event type, document identifier, and a detail record. Logs are retained for a minimum of 7 years (configurable; 7 years is the HIPAA-required retention floor). The log cannot be cleared without a deliberate multi-step confirmation that itself generates an audit event.
4.4 Access Controls
The Healthcare edition supports a PIN lock screen (optional in standard Healthcare, configurable by your IT policy). The Windows identity of the current user is logged in every audit event. Session timeout is configurable and enforced — the app cannot be left indefinitely unlocked in the Healthcare edition.
4.5 Cloud AI in Healthcare
Cloud AI providers (OpenRouter, OpenAI, and similar) are disabled in the Healthcare edition. All AI features in Healthcare use the local Ollama instance only. If no local model is configured, AI features are unavailable rather than routing to a cloud provider.
4.6 Business Associate Agreement
A click-through Business Associate Agreement (BAA) is presented during Healthcare edition activation and must be accepted before regulated features unlock. The BAA is a local-first BAA — it acknowledges the architecture described above and limits Vexifa's obligations to software vulnerability disclosure rather than data breach notification (Vexifa cannot observe instance-level breaches because it never receives PHI). Enterprise Healthcare customers may request an executed BAA via Dropbox Sign by contacting contact@vexifa.com.
4.7 Subcontractors That Touch No PHI
The following third-party subcontractors are used by Vexifa in connection with the Healthcare edition. None of them receive, process, or store PHI:
- Lemon Squeezy — payment processing and license key management. Receives billing information and the hashed machine ID. Does not receive document content, PHI, or audit log data.
- Ollama — local AI inference runtime. Runs entirely on your device. No data is sent to Ollama's servers.
- Dropbox Sign — used only for enterprise executed BAA delivery. Receives the BAA document only; no PHI contact.
5. Legal Professional Privilege and Confidentiality
The Legal edition of Vexifa PDF Suite includes features designed for attorney and paralegal workflows. The following is relevant to your professional obligations:
5.1 Document Confidentiality
Client documents, privileged communications, and work product processed through the App are never transmitted to Vexifa. The local-first architecture means that using the App — including AI analysis, PII scanning, and redaction — does not constitute a disclosure of confidential information to a third party.
5.2 E-Discovery and Legal Hold
The Legal edition's e-discovery mode preserves document metadata (creation date, modification history, author data) and prevents modification of documents under legal hold. The audit log records all access and modification events for each document, which may support chain-of-custody documentation.
5.3 Digital Signatures and eIDAS
The Legal edition supports PAdES-B-LT digital signatures with OCSP and RFC 3161 timestamp embedding. A hash of the document is transmitted to the configured RFC 3161 Timestamp Authority (TSA) for timestamping — this is a standard cryptographic operation and transmits no document content. The signing certificate and private key remain in your Windows OS keystore; they are never transmitted to Vexifa.
5.4 Third-Party E-Signature Services
When you use "Send for E-Signature" via DocuSign or Adobe Sign, you are uploading the document to that provider under the terms of your own agreement with them. This upload is a deliberate user action requiring explicit confirmation in the App. Vexifa does not intermediate the upload — it goes directly from your device to the provider's API. Review the relevant provider's privacy policy and BAA before sending confidential legal documents through these services.
5.5 Privilege Acknowledgment
The Legal edition requires a privilege acknowledgment on first launch, confirming that the user understands their professional obligations regarding confidential document handling. This acknowledgment is recorded locally in the app data directory.
6. Data Stored Locally by the App
The following data is written to your device's app data directory (%APPDATA%\Vexifa PDF Suite\) and remains entirely under your control:
- AI configuration (ai_config.json) — your configured AI providers, model selections, and API keys. Stored locally only.
- License state — your license tier and activation token, stored in the Windows OS keychain via the system keyring API.
- Security settings — session timeout duration, PIN hash (bcrypt), disable-recents flag.
- Audit log (audit.log or audit.log.enc) — the append-only operation log. Encrypted at rest in Healthcare edition.
- BAA acceptance record (baa_acceptance.json) — your organization name, acceptance timestamp, and BAA version. Not encrypted (it is an acceptance record, not PHI).
- Semantic search indices (.vxidx sidecar files) — embedding vectors only. These files contain no document text. They are stored alongside the source document.
- Crash reports (crash_reports/ folder) — written locally on crash. Never transmitted unless you choose to send them via email.
Uninstalling the App does not automatically delete these files. They can be removed manually from the app data directory at any time.
7. The Lemon Squeezy Relationship
Lemon Squeezy (lemon.squeezy.com) acts as Vexifa's merchant of record for subscription billing. When you purchase a Pro, Healthcare, or Legal subscription:
- Your payment information (card number, billing address) is collected and processed by Lemon Squeezy, not by Vexifa. Review Lemon Squeezy's privacy policy at their website.
- Lemon Squeezy provides Vexifa with your email address and purchase record for customer support and subscription management purposes.
- On each app launch, the App sends your license key and hashed machine ID to Lemon Squeezy's license validation API. This is a SHA-256 hash of your Windows MachineGuid — a machine-level identifier, not a user identifier. It is not personally identifiable.
- No document content, file paths, audit log data, or PHI is sent to Lemon Squeezy at any time.
8. Children's Privacy
Vexifa PDF Suite is a professional productivity application intended for use by individuals 18 years of age or older. We do not knowingly collect any personal information from children under 13.
9. Changes to This Policy
We may update this Privacy Policy to reflect changes in the App's functionality or applicable law. When we do, we will update the "Last updated" date at the top of this page. For material changes affecting Healthcare or Legal edition users, we will provide notice via the in-app settings panel. Healthcare edition BAA acceptance records include the app version at the time of acceptance; a materially updated BAA will require re-acceptance on next launch.
10. Contact
If you have questions about this Privacy Policy, require documentation for a compliance audit, or need to discuss a Business Associate Agreement for your organization, contact us at contact@vexifa.com. For BAA-related inquiries, include your organization name and the number of seats in use.