
Privacy

last updated 2026-06-12

Draft expansion — awaiting legal sign-off. The factual claims below reflect the current service code; the legal framing is pending counsel review. The accompanying Terms of Service are also in draft.

The short version: the mdz desktop app makes no network calls. Everything you read stays on your machine. Only when you deliberately share a document — via the app, the mdz CLI, or the web viewer — does any data leave your device, and even then we handle only the minimum needed to serve that link, with a short default expiry.

This policy is organized by surface, because each one is different. Jump to the part that applies to you:

Desktop app

The mdz desktop app makes no outbound network calls. There is no analytics, no error reporting, no automatic update check, no remote config fetch, and no account. The only data the app reads is the folder you point it at, plus a local settings file at ~/Library/Application Support/sh.mdz.mdz/settings.toml (macOS). Nothing is transmitted off your machine.

You can verify this:

Two narrow exceptions, both initiated by something other than mdz analytics:

mdz CLI

The mdz command-line tool is local-first. Converting, viewing, and indexing documents happen entirely on your machine and send nothing anywhere.

Opt-in telemetry

The CLI can record local, aggregate usage timings to help us understand performance. This is off unless you opt in, and even when enabled it is written to a local database on your machine — it is not automatically uploaded. We do not collect the contents of your documents, file names, or file paths. If you never opt in, no usage data is ever produced.

Sharing from the CLI

Running mdz share uploads the document you name to the mdz.sh share service so it can be served as a link. That is the one CLI action that sends content off your device, and it is covered by the share-service section below. mdz rm <code> deletes a share you created.

mdz.sh share service & web viewer

This is the only part of mdz that runs as an online service. It exists to turn a document into a shareable read-only link. This section applies when you use mdz share, the app's share feature, or the web viewer at mdz.sh/view, or when you create an account, handle, or API key.

What we store

| Data | Why | Retention |
| --- | --- | --- |
| The markdown content you share | To render and serve the link | Until you delete it, or its expiry — anonymous/CLI shares default to 7 days |
| Short code & metadata (size, created time, expiry) | To resolve and manage the link | Same as the share |
| Account record (if you sign in) — handle, email/OAuth identity, API keys | To let you manage and reuse your links | Until you delete the account / revoke the key |
| Aggregate view counts | To show you how many times a link was opened | Aggregated; raw click rows age out |

What we log

To keep the free service from being abused, the service records request metadata, including the requesting IP address (via Cloudflare's CF-Connecting-IP header), keyed transiently to rate-limit buckets and brute-force lockouts (e.g. password-protected shares). Cloudflare also logs IPs as part of standard request handling (see Cloudflare's privacy policy). These abuse-control records are short-lived and are not used to profile you or build advertising audiences.

Sandboxing & cookies

Shared documents are served from a separate origin, usercontent.mdz.sh, under a strict Content-Security-Policy, so a malicious document cannot reach your main-site session. That origin is cookie-free by construction; the only cookies the service ever sets are a path-scoped unlock token for password-protected shares and a session cookie on the main site when you are signed in. We set no advertising or tracking cookies and run no third-party analytics, which is why this site shows no cookie banner (see below).

GDPR / CCPA & your rights

This section applies to the share service only — the desktop app processes no personal data on our side. For the share service, the data controller is [REVIEW: controller legal entity and address]; contact [REVIEW: privacy contact email].

Lawful basis (GDPR Art. 6)

Retention

Retention is tied to the life of each share. Anonymous and CLI shares default to a 7-day TTL; you may set a shorter one. When a share expires or you delete it, an automated cleanup job purges the content from the live service. Account records persist until you delete the account. Abuse-control logs (IP/rate-limit) are short-lived. We do not keep shared content indefinitely.

Access, erasure & your other rights

You have the right to access, correct, export, restrict, or erase your personal data, and (for CCPA) to know what is collected and to opt out of "sale" — we do not sell personal data. You can exercise the core rights yourself without contacting us:

To make a data-subject request that you cannot complete with the tools above, or to lodge a complaint, contact [REVIEW: privacy contact email]. You also have the right to complain to your local data-protection authority.

Why there is no cookie banner

We do not set advertising, analytics, or cross-site tracking cookies, and we run no third-party trackers. The only cookies the service uses are strictly necessary — a signed-in session cookie on the main site and a path-scoped unlock token for password-protected shares. Strictly-necessary cookies are exempt from the consent requirement under the ePrivacy Directive, so no consent banner is required. If we ever add a non-essential cookie or tracker, we will add a consent mechanism before doing so.

If we ever change this

If a future version of mdz adds anything that touches the network on the desktop, or the service changes what it collects, this page will say so explicitly, in plain English, before that change ships. Material changes are reflected by the "last updated" date above.