Privacy Policy

1. Introduction

2. Information We Collect

2.1 Information You Provide

• Account information: Email address, display name, username, bio, and avatar image when you create and configure your account.
• Authentication data: When you sign in via Google or GitHub OAuth, we receive your name and email address from those providers. We use passwordless authentication (magic links); no passwords are stored.
• Content: Markdown documents, published pages, folders, and any other content you create or upload through the Service, including images stored in our document image storage.
• Payment information: When you subscribe to the Pro Tier, payment details (credit card number, billing address) are collected and processed directly by Stripe. We do not store your full payment card information on our servers. We receive and store your Stripe customer ID, subscription status, plan type, and billing period dates.
• Communications: When you contact us through our contact form, email, or other channels, we collect your name, email address, and the content of your message.

2.2 Information Collected Automatically

• Usage data: Pages visited, features used, actions taken, time spent on pages, and interaction patterns. This data is collected through PostHog analytics (see Section 5).
• Device and browser information: Browser type and version, operating system, screen resolution, device type, and language preferences.
• Network information: IP address, approximate geographic location (country and region level, derived from IP address), and referring URL.
• Error and performance data: Application errors, performance metrics, and session replay data collected through Sentry (see Section 5). Session replay captures user interactions (mouse movements, clicks, scrolling, and page content) for the purpose of diagnosing errors.
• Document analytics: For published documents, we collect anonymized view data including visitor hash (a truncated SHA-256 hash that cannot identify individuals), referrer domain, country code, and device type.

2.3 Information from Third Parties

• OAuth providers: When you sign in via Google or GitHub, we receive your name and email address as authorized by you during the OAuth flow.
• Stripe: We receive payment status updates, subscription lifecycle events, and billing information through Stripe webhooks.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Providing the Service: To create and manage your account, store and serve your content, process document conversions and exports, and provide publishing features.
• AI processing: To send selected text to AI providers for editing actions when you use AI features (see Section 4).
• Payment processing: To process subscriptions, manage billing, and handle refunds through Stripe.
• Communications: To send transactional emails (magic links, account notifications, share invitations) and respond to your inquiries. We do not send marketing emails unless you opt in.
• Analytics and improvement: To understand how the Service is used, identify issues, and improve features and performance.
• Error monitoring: To detect, diagnose, and resolve bugs and performance issues.
• Security: To detect and prevent fraud, abuse, and unauthorized access to the Service.
• Legal compliance: To comply with applicable laws, regulations, legal processes, and governmental requests.

4. AI Data Processing

When you use AI editing features, the Service sends your selected text (or your full document if no text is selected) to third-party AI providers for processing. This section describes exactly how your data is handled during AI operations.

4.1 What Data Is Sent

Only the text you select for an AI action is sent to our servers, which forward it to the AI provider. We include a system prompt that instructs the AI on what action to perform (for example, "polish this text" or "convert to a table"). We do not send your account information, email address, or any metadata about your identity to AI providers.

4.2 Which Providers Process Your Data

• Anthropic (Claude): Our primary AI provider. Anthropic's data usage policy states that API inputs and outputs are not used to train their models. See Anthropic's Privacy Policy.
• OpenAI: Used as a fallback provider if the primary provider is unavailable. OpenAI's API data usage policy states that API inputs and outputs are not used to train their models by default. See OpenAI's Privacy Policy.

4.3 Data Retention by AI Providers

AI processing is ephemeral. Your text is sent, processed, and the result is returned in a single request. Neither Unmarkdown™ nor our AI providers retain your text content after the request is complete for the purpose of model training. AI providers may temporarily log API requests for abuse monitoring and debugging in accordance with their own data retention policies.

4.4 How to Avoid AI Processing

AI features are entirely opt-in. If you do not want your text processed by AI providers, simply do not use the AI editing actions in the toolbar. No data is sent to AI providers unless you explicitly initiate an AI action.

5. Analytics and Error Monitoring

We use the following services to understand how the Service is used and to diagnose technical issues:

5.1 PostHog (Product Analytics)

We use PostHog to collect anonymized analytics data about how users interact with the Service. PostHog is self-hosted/cloud-based analytics that we access through a first-party proxy (all analytics requests go through our own domain at unmarkdown.com/ingest, not to a third-party domain). Data collected includes page views, page navigation patterns, and feature usage. We do not currently track custom product events beyond basic pageviews. PostHog analytics data is used solely for understanding usage patterns and improving the Service. See PostHog's Privacy Policy.

5.2 Sentry (Error Monitoring)

We use Sentry to capture and diagnose application errors and performance issues. Sentry collects error reports (stack traces, error messages), performance traces (page load times, API response times), and session replay data. Session replay records user interactions including mouse movements, clicks, scrolling, and visible page content for the purpose of reproducing and diagnosing errors. Session replay is sampled at 10% of normal sessions and 100% of sessions that encounter an error. All Sentry data is transmitted through a first-party tunnel at unmarkdown.com/monitoring. See Sentry's Privacy Policy.

5.3 Opting Out

You can limit analytics collection by using browser privacy features such as ad blockers, tracking protection, or Do-Not-Track settings. Because our analytics are proxied through first-party domains, some browser-based blocking methods may not prevent all data collection. If you wish to completely avoid analytics tracking, you may contact us at contact form to request opt-out.

6. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

• Essential cookies: Required for authentication, session management, and security. These cookies are necessary for the Service to function and cannot be disabled.
• Preference cookies: Store your preferences such as selected template, editor layout, dark mode setting, and language preferences. These are stored in your browser's localStorage.
• Analytics cookies: Used by PostHog to track usage patterns and identify returning visitors. These cookies are set through our first-party proxy domain.
• Error monitoring: Sentry may use cookies or local storage for session identification and replay functionality.

We do not use third-party advertising cookies or tracking pixels. We do not participate in cross-site tracking networks. You can manage cookies through your browser settings, though disabling essential cookies may prevent you from using certain features of the Service.

7. Third-Party Services

We share data with the following third-party service providers, each of which processes data on our behalf and subject to their own privacy policies:

We evaluate our third-party providers for privacy and security practices. We will update this list if we add or remove providers that process personal data.

8. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we process your personal data based on the following legal grounds:

• Performance of a contract: Processing necessary to provide the Service, including account management, content hosting, payment processing, and AI features you request.
• Legitimate interests: Processing for analytics, error monitoring, security, fraud prevention, and service improvement, where our interests do not override your fundamental rights and freedoms.
• Consent: Processing based on your explicit consent, such as optional marketing communications. You may withdraw consent at any time.
• Legal obligation: Processing necessary to comply with applicable laws, such as tax record retention or responding to lawful government requests.

9. How We Share Your Information

We do not sell your personal information to third parties. We share your information only in the following circumstances:

• Service providers: With third-party providers listed in Section 7, solely for the purpose of providing and improving the Service.
• Published content: When you publish content, it becomes publicly accessible. Your display name and username are shown on your published pages and author profile.
• Shared documents: When you share a document with specific users, those users can see your display name and the shared content.
• Legal requirements: When required by law, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
• Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you before your information becomes subject to a different privacy policy.
• Aggregated data: We may share aggregated, de-identified data that cannot reasonably be used to identify you (for example, total number of documents published or conversion counts).

10. International Data Transfers

11. Data Retention

• Account data: Retained for as long as your account is active. When you delete your account, a 30-day grace period allows for account recovery. After 30 days, your personal data and content are permanently deleted.
• User Content: Retained until you delete it or delete your account. Published content remains accessible at its URL until unpublished or the account is deleted.
• Document version history: Pro Tier users have 30-day version history. Versions older than 30 days are automatically purged.
• Payment records: Billing history and transaction records are retained for 7 years as required for tax and accounting compliance.
• Analytics data: PostHog analytics data is retained in accordance with PostHog's data retention policies. Sentry error data is retained for up to 90 days.
• Document view analytics: Anonymized view data (visitor hashes, referrers, countries) is retained for as long as the associated document exists.
• Contact form messages: Messages sent through our contact form are retained for as long as necessary to resolve your inquiry, then deleted.
• Backups: Automated database backups may retain data for up to 30 days after deletion from the live system.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using TLS/SSL
• Encryption of data at rest in our database
• Row-level security (RLS) policies ensuring users can only access their own data
• Passwordless authentication (magic links and OAuth), eliminating password-related vulnerabilities
• API key authentication for programmatic access, with keys stored as hashed values
• Regular security updates and dependency patching
• Minimal data collection: we only collect data necessary to provide the Service

While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, and you use the Service at your own risk.

13. Your Privacy Rights

Depending on your location and applicable law, you may have some or all of the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request that we correct inaccurate or incomplete personal information.
• Deletion: Request that we delete your personal information, subject to legal retention requirements.
• Portability: Request a copy of your data in a portable, machine-readable format.
• Restriction: Request that we restrict processing of your personal information in certain circumstances.
• Objection: Object to processing of your personal information based on legitimate interests.
• Withdrawal of consent: Where processing is based on consent, you may withdraw consent at any time.

You can exercise many of these rights directly through your account settings. You can update your profile information, export your documents as markdown files, and delete your account (which triggers deletion of all associated data after a 30-day grace period).

For requests that cannot be handled through account settings, please contact us at contact form. We will respond to your request within 30 days, or within the timeframe required by applicable law.

14. Additional Rights for EEA and UK Residents

If you are located in the European Economic Area or United Kingdom, you have the following additional rights under the General Data Protection Regulation (GDPR) and UK GDPR:

• Right to be informed: The right to clear information about how your data is processed, which this policy provides.
• Right to data portability: The right to receive your personal data in a structured, commonly used, and machine-readable format.
• Right to object to automated decision-making: We do not make any automated decisions with legal or similarly significant effects based solely on automated processing of your data.
• Right to lodge a complaint: If you believe our processing of your data violates applicable data protection law, you have the right to lodge a complaint with your local data protection supervisory authority.

To exercise any of these rights, contact us at contact form. We may need to verify your identity before processing your request.

15. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information.

Categories of Personal Information Collected

In the past 12 months, we have collected the following categories of personal information: identifiers (email, username, IP address), commercial information (subscription and billing records), internet activity (browsing and usage data), and professional information (only if voluntarily provided in your profile or documents).

Your Rights Under CCPA/CPRA

• Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the business purpose for collection, and the categories of third parties with whom we share it.
• Right to delete: You may request deletion of your personal information, subject to certain exceptions (legal obligations, completing transactions, security).
• Right to correct: You may request correction of inaccurate personal information.
• Right to opt-out of sale or sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a request, use our contact form and select "Privacy" as the topic. We will verify your identity by confirming the email address associated with your account. You may also designate an authorized agent to submit requests on your behalf; the agent must provide written authorization signed by you.

16. Do-Not-Track Signals

Some browsers transmit Do-Not-Track (DNT) signals to websites. There is currently no industry standard for how websites should respond to DNT signals. We do not currently alter our data collection practices in response to DNT signals. If a uniform standard for responding to DNT signals is adopted, we will update this policy to reflect our compliance.

17. Children's Privacy

18. Published Content Privacy

19. API and MCP Usage Data

20. Changes to This Policy

21. Contact

If you have any questions about this Privacy Policy or our data practices, please contact us:

ScamVerify LLC, d/b/a Unmarkdown™
Contact us