This page describes how Markdown to PDF (“we”, “us”) processes personal data when you use mkpdf.app. We aim for plain language; contact us if anything is unclear.
1. Who we are
The data controller is Markdown to PDF, established in the United Kingdom. You can reach us at [email protected] for any privacy question or to exercise any right described below.
2. What we collect and why
We limit data collection to what each feature genuinely needs.
Anonymous visitors
You can use the editor without signing in. Markdown you type stays in your browser; when you click “Download PDF” the text is sent to our server, rendered to PDF, and streamed back. We do not persist the markdown or the generated PDF. Legal basis: legitimate interest (GDPR Art. 6(1)(f)) in delivering the service you requested.
Registered users
When you sign in (Google OAuth or email magic link) we create an account storing your email address, a Supabase user id, and timestamps. Documents you create in the library are stored against your account and only readable by you (enforced by row-level security). Legal basis: contract (Art. 6(1)(b)) — we cannot provide the library without these records.
Server-side logs
Our hosting provider records standard access metadata (IP address, timestamp, path, status). We use this for abuse prevention and debugging, not analytics. Legal basis: legitimate interest (Art. 6(1)(f)).
3. Cookies and local storage
We use only strictly necessary cookies and do not place advertising or analytics trackers. No consent banner is shown because the ePrivacy “strictly necessary” exemption applies.
| Item | Purpose | Retention |
|---|---|---|
| sb-*-auth-token | Supabase auth session (HttpOnly) | Up to ~60 days (refreshed on use) |
| mdpaper.split.editor (localStorage) | Remembers your editor / preview split position | Until you clear browser data |
4. Who we share data with (sub-processors)
We rely on the following processors. Each is bound by a data processing agreement with standard contractual clauses where data leaves the EEA / UK.
- Supabase — database, authentication, and storage. Project hosted in the EU (London, eu-west-2). Supabase Inc. is US-based; transfers governed by SCCs.
- Netlify — application hosting and edge delivery. US-based; transfers governed by SCCs and the EU-US Data Privacy Framework.
- Google — OAuth sign-in (only if you choose Google). Governed by Google’s Cloud DPA and the EU-US DPF.
5. How long we keep data
- Account, documents, and preferences: as long as the account exists.
- Inactive accounts: we may delete accounts with no activity for 24 months after a 30-day notice email.
- Anonymous PDF renders: not retained beyond the request lifecycle.
- Stripe event records: up to 90 days (webhook replay window).
- Server access logs: per our hosting provider’s default retention.
- Billing records (when payments are enabled): kept for tax-law periods applicable in the United Kingdom, typically 6–10 years, held in Stripe.
6. Your rights
Under the UK GDPR / EU GDPR you have the right to:
- access the personal data we hold about you (Art. 15);
- correct inaccurate data (Art. 16) — edit it in the app or email us;
- delete your account and associated data (Art. 17);
- receive a portable export of your data (Art. 20);
- restrict or object to processing in limited circumstances (Art. 18, 21);
- lodge a complaint with the competent supervisory authority (Art. 77). Ours is the Information Commissioner's Office (ICO), United Kingdom — ico.org.uk, but you may also complain to the authority where you live or work.
Signed-in users can self-serve access, export, and deletion from the account menu in the app. For any other request, email [email protected] and we will respond within one month.
7. Automated decisions
We do not perform profiling or make decisions about you using automated means (the AI styling feature generates typography; it does not make decisions about you).
8. Security
Data in transit is protected by TLS. Database rows are protected by row-level security so each user can only read their own records. Secrets are stored in our hosting provider’s environment vault, never in source control. If we become aware of a personal-data breach that is likely to affect you, we will notify the supervisory authority within 72 hours and inform affected users without undue delay.
9. Children
Markdown to PDF is not directed to children under 16. Do not use the service if you are under the minimum age of digital consent in your country.
10. Changes to this policy
We may update this policy to reflect changes to the service or to the law. We will update the “last updated” date above and, for material changes, notify signed-in users by email.