Privacy Policy
Last updated: 2026-04-25
This explains what data MDSwap collects, why, who sees it, how long we keep it, and how to get it back or delete it. The voice is plain because privacy notices written in legalese are how companies hide what they actually do.
The short version
- You can browse without an account, and we don't profile you.
- If you sign in, we store your handle, email, and what you publish.
- We use only strictly necessary cookies. No advertising, no third-party trackers.
- We do not sell your data. There is no "Do Not Sell" flow because there is nothing to opt out of.
- You can export everything and delete your account from /me.
Who's responsible
MDSwap is operated by an individual founder, who acts as data controller for the personal data described here. To exercise any right below, or to ask a question, email us. We aim to respond within 30 days, faster for clear-cut requests.
What we collect
When you browse: Vercel logs your request (IP address, user-agent, URL, timestamp) so the site can serve a response. Logs are retained for up to 30 days for abuse and debugging, then dropped.
When you sign in: we store the handle you choose, the email returned by your OAuth provider (Google or GitHub), an avatar URL if your provider gives one, the OAuth provider name, and timestamps for account creation and last sign-in. We do not store OAuth refresh tokens beyond the active session.
When you publish: the markdown text, title, description, tags, license, the AI-generated flag, your chosen visibility, and the timestamps. Branches are linked to the parent MD.
When you interact: ratings, comments, reviews, branches, copies, and reports you make. Reports include the category and a free-text reason.
When something breaks: Sentry receives anonymized error events with a hashed session ID, the URL where the error happened, the stack trace, and browser/OS strings. The Sentry pipeline is configured to drop cookies, email addresses, and the contents of any markdown field before the event is stored. Errors are kept for 90 days.
What we do not collect: precise location, biometric data, health data, payment information, advertising identifiers. We do not run third-party fingerprinting.
Why we collect it (lawful bases under GDPR)
- Performance of the contract (Art. 6(1)(b)): operating your account, hosting your MDs, delivering features.
- Legitimate interest (Art. 6(1)(f)): abuse prevention, security, anti-spam, basic aggregate analytics, error monitoring. We've documented why these don't override your rights and how to object.
- Consent (Art. 6(1)(a)): the optional newsletter, and the AI-generated content toggle insofar as it's an explicit declaration about your content under the EU AI Act.
- Legal obligation (Art. 6(1)(c)): responding to lawful requests; preserving records of takedowns.
Who sees your data
- Supabase (PostgreSQL, Auth, Storage): hosts the database and avatars; subprocessor with a data-processing agreement; data residency is EU when you're an EU user where supported.
- Vercel: hosts the front end and Edge functions; processes IP and request logs.
- Resend: sends transactional email (report acknowledgements, deletion confirmations, branch notifications).
- Buttondown: sends the optional newsletter, only for subscribers.
- Sentry: receives scrubbed error events.
- Cloudflare Turnstile: anti-bot challenge on publish and report; receives a token, not your content.
- Plausible (when added): cookieless aggregate analytics; receives a hashed daily session, never identifiable.
- Law enforcement: only where compelled by valid legal process, or where required by law (CSAM reports to NCMEC, threats to relevant authorities).
We do not sell, rent, or barter personal data. Period.
International transfers
Some subprocessors are US-based. Where transfers leave the EU/EEA or UK, they rely on Standard Contractual Clauses or equivalent. We aim for EU regions where the subprocessor offers them.
How long we keep things
- Active account: until you delete it.
- Deleted account: 30-day grace period (so you can undo), then hard-delete of auth.users, profiles, comments, ratings, OAuth metadata.
- Reports you submitted: we retain the report row with your user ID anonymized after deletion. Legitimate interest: keeping a record of moderation decisions to spot patterns and abuse of the report system.
- Server logs: 30 days.
- Sentry errors: 90 days.
- Newsletter: until you unsubscribe.
Your rights
Under GDPR and similar laws (UK GDPR, CCPA where applicable), you have rights to access, rectify, delete, restrict, object to, and port your personal data, plus the right to withdraw consent and to lodge a complaint with a supervisory authority. Specifically, on MDSwap:
- Access / portability: /me → Export my data emails you a signed link to a ZIP containing your MDs as .md files plus JSON of comments, ratings, and profile.
- Erasure: /me → Delete my account. Choose anonymize-and-keep (your MDs stay, author becomes deleted-user-####) or full delete (your MDs go too; downstream "branched from" links degrade to "[original removed]").
- Rectification, restriction, objection: email us. We act within 30 days.
- Withdraw consent: unsubscribe link in every newsletter; toggle the AI-generated flag at any time on your own MDs.
- Complain: to the supervisory authority where you live or work.
Cookies
Strictly necessary only. The Supabase auth cookie keeps you signed in. The Vercel session cookie supports basic platform behaviour. Theme preference is stored in localStorage, not a cookie. No advertising cookies. No third-party trackers. No banner: there's nothing requiring consent to refuse. Details at /legal/cookies.
Children
Don't sign up if you're below the digital-consent age in your country (13 in the US, 16 in most of the EU unless your country lowered it). If we learn we have a child's data, we delete it.
Security
We enforce row-level security on every table; auth.uid() is the gate. CAPTCHA on writes. Rate limits per user. Daily backups. Errors scrubbed before transmission. Coordinated-disclosure policy at /.well-known/security.txt. We are not perfect; if something happens we'll tell you within 72 hours where required, faster where possible, and post-mortem at /transparency.
"Do Not Sell or Share" (CCPA / CPRA)
We do not sell or share personal information as those terms are defined under California law. There is no opt-out flow because there is nothing to opt out of. If California changes the definitions in a way that captures what we do, we'll add the flow.
Changes
If we change anything material we'll post a notice on the site and email active accounts at least 14 days before the change takes effect.
Contact: muhammedeliwat@gmail.com