Privacy
last updated 2026-06-12
Draft expansion — awaiting legal sign-off. The factual claims below reflect the current service code; the legal framing is pending counsel review. The accompanying Terms of Service are also in draft.
The short version: the mdz desktop app makes no network calls. Everything you read stays on your machine. Only when you deliberately share a document — via the app, the mdz CLI, or the web viewer — does any data leave your device, and even then we handle only the minimum needed to serve that link, with a short default expiry.
This policy is organized by surface, because each one is different. Jump to the part that applies to you:
- Desktop app — no network, no account, no telemetry.
- mdz CLI — local by default; opt-in telemetry; mdz share uses the service.
- mdz.sh share service & web viewer — what we store, log, and for how long.
- GDPR / CCPA & your rights — lawful basis, retention, access & erasure.
Desktop app
The mdz desktop app makes no outbound network calls. There is no analytics, no error reporting, no automatic update check, no remote config fetch, and no account. The only data the app reads is the folder you point it at, plus a local settings file at ~/Library/Application Support/sh.mdz.mdz/settings.toml (macOS). Nothing is transmitted off your machine.
You can verify this:
- Block mdz at the firewall — it will function identically.
- The source is at github.com/CharlesWong/mdz; grep it for http:// or https://.
Two narrow exceptions, both initiated by something other than mdz analytics:
- Image src URLs in your markdown. If a doc contains an image with a remote src URL, the WebView fetches that image directly, the same way any browser does. We don't proxy or log this — the request goes from your machine to that host.
- Future: notarization check. Once mdz is notarized, macOS itself may verify the app's notarization ticket — that's a system-level call by the OS, not something mdz code initiates.
mdz CLI
The mdz command-line tool is local-first. Converting, viewing, and indexing documents happen entirely on your machine and send nothing anywhere.
Opt-in telemetry
The CLI can record local, aggregate usage timings to help us understand performance. This is off unless you opt in, and even when enabled it is written to a local database on your machine — it is not automatically uploaded. We do not collect the contents of your documents, file names, or file paths. If you never opt in, no usage data is ever produced.
Sharing from the CLI
Running mdz share uploads the document you name to the mdz.sh share service so it can be served as a link. That is the one CLI action that sends content off your device, and it is covered by the share-service section below. mdz rm <code> deletes a share you created.
mdz.sh share service & web viewer
This is the only part of mdz that runs as an online service. It exists to turn a document into a shareable read-only link. It applies when you use mdz share, the app's share feature, the web viewer at mdz.sh/view, or create an account, handle, or API key.
What we store
| Data | Why | Retention |
|---|---|---|
| The markdown content you share | To render and serve the link | Until you delete it, or its expiry — anonymous/CLI shares default to 7 days |
| Short code & metadata (size, created time, expiry) | To resolve and manage the link | Same as the share |
| Account record (if you sign in) — handle, email/OAuth identity, API keys | To let you manage and reuse your links | Until you delete the account / revoke the key |
| Aggregate view counts | To show you how many times a link was opened | Aggregated; raw click rows age out |
What we log
To keep the free service from being abused, the service records request metadata, including the requesting IP address (via Cloudflare's CF-Connecting-IP header), keyed transiently to rate-limit buckets and brute-force lockouts (e.g. password-protected shares). Cloudflare also logs IPs as part of standard request handling (see Cloudflare's privacy policy). These abuse-control records are short-lived and are not used to profile you or build advertising audiences.
Sandboxing & cookies
Shared documents are served from a separate origin, usercontent.mdz.sh, under a strict Content-Security-Policy, so a malicious document cannot reach your main-site session. That origin is cookie-free by construction; the only cookie the service ever sets is a path-scoped unlock token for password-protected shares, and a session cookie on the main site when you are signed in. We set no advertising or tracking cookies and run no third-party analytics — which is why this site shows no cookie banner (see below).
GDPR / CCPA & your rights
This section applies to the share service only — the desktop app processes no personal data on our side. For the share service, the data controller is [REVIEW: controller legal entity and address]; contact [REVIEW: privacy contact email].
Lawful basis (GDPR Art. 6)
- Performance of a contract / your request (Art. 6(1)(b)): storing and serving the content you choose to share, and operating your account.
- Legitimate interests (Art. 6(1)(f)): the minimal IP-based logging and proof-of-work checks needed to prevent abuse, fraud, and denial-of-service of a free service. We balance this against your interests by keeping these records short-lived and not using them to profile you.
- Consent (Art. 6(1)(a)): CLI telemetry, which is off until you opt in and which you can disable at any time.
Retention
Retention is tied to the life of each share. Anonymous and CLI shares default to a 7-day TTL; you may set a shorter one. When a share expires or you delete it, an automated cleanup job purges the content from the live service. Account records persist until you delete the account. Abuse-control logs (IP/rate-limit) are short-lived. We do not keep shared content indefinitely.
Access, erasure & your other rights
You have the right to access, correct, export, restrict, or erase your personal data, and (for CCPA) to know what is collected and to opt out of "sale" — we do not sell personal data. You can exercise the core rights yourself without contacting us:
- Erase a share: delete it from the desktop app or your dashboard, or run mdz rm <code>. The content is removed from the live service; transient backups and edge caches age out shortly after.
- Let a share lapse: do nothing — the default 7-day expiry erases it for you.
- Delete your account: revoke your API keys and links from the dashboard. Full account deletion (handle, identity, and any remaining links) can be requested from the operator at the contact above; we action verified requests within the period required by applicable law.
To make a data-subject request that you cannot complete with the tools above, or to lodge a complaint, contact [REVIEW: privacy contact email]. You also have the right to complain to your local data-protection authority.
Why there is no cookie banner
We do not set advertising, analytics, or cross-site tracking cookies, and we run no third-party trackers. The only cookies the service uses are strictly necessary — a signed-in session cookie on the main site and a path-scoped unlock token for password-protected shares. Strictly-necessary cookies are exempt from the consent requirement under the ePrivacy Directive, so no consent banner is required. If we ever add a non-essential cookie or tracker, we will add a consent mechanism before doing so.
If we ever change this
If a future version of mdz adds anything that touches the network on the desktop, or the service changes what it collects, this page will say so explicitly, in plain English, before that change ships. Material changes are reflected by the "last updated" date above.