Privacy Policy

1. Who we are

mdclaudy (“we”, “us”, “the Service”) is an independent product operated by Mohammed Agrat, based in Morocco. The Service is a web application that turns Markdown documents into designed PDFs, with optional AI assistance, available at mdclaudy.com.

For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, Mohammed Agrat acts as the data controller for personal data processed through the Service. For California residents, mdclaudy acts as a business under the CCPA/CPRA.

You can reach us at any time at simo.agrat1@gmail.com for any privacy-related question, request, or complaint.

2. Data we collect

We collect only what we need to operate the Service. Concretely, that means:

2.1 Account data

When you sign up, our authentication provider (Clerk) collects your email address, a hashed password, and — if you sign in with Google — your name and profile picture. We receive a stable user identifier and your email; we never receive your password.

2.2 Authentication & session data

Clerk manages your sessions and may collect your IP address, device user-agent, and approximate location for security (anti-fraud, suspicious-login detection). These are used by Clerk under their own privacy policy and are not shared with third parties for advertising.

2.3 Content you create

We store the documents you write — Markdown source, generated HTML/PDF, document title, collection name, export presets — in our database and object storage (Supabase). We also retain a limited history of revisions so you can recover earlier versions. Files you upload (such as images embedded in a document) are stored in Supabase Storage.

We do not read, browse, or mine your content. Access is restricted by row-level security; only you (and our automated systems necessary to render exports) can read your documents.

2.4 Billing data

Paid subscriptions are processed by Polar. When you subscribe, Polar collects your name, billing email, billing address, tax identifier (if applicable), and payment-method details. We never see or store full card numbers; we receive a customer identifier, subscription status, and the last-4 digits of your card for display purposes only.

2.5 Usage & analytics

We use PostHog, Google Analytics, and Vercel Analytics / Speed Insights to understand how the Service is used in aggregate. These tools collect: page views, button clicks, browser type, device type, approximate location (country/region from IP), and a pseudonymous identifier. We configure them to mask IP addresses and avoid cross-site advertising.

2.6 Error & technical data

We use Sentry to detect crashes and bugs. When an error happens, Sentry captures the error message, stack trace, the page URL, your browser type, and (where helpful) your Clerk user ID — so we can reproduce the bug. Sensitive request bodies and tokens are scrubbed.

2.7 AI prompts and outputs

When you use AI features (autocomplete, generation, summaries), the relevant document text is sent to OpenRouter, which routes the request to a model provider (currently Anthropic Claude). The provider returns a completion that we display to you.

We do not use your content to train any AI model. We have configured our integrations so that prompts and completions are not retained beyond what is necessary to serve the request. Providers may retain logs for short windows for abuse monitoring as described in their own terms; we never grant permission to train on your data.

2.8 Cookies and similar technologies

See section 9 below.

3. Why we process it (legal basis)

Purpose	Legal basis (GDPR)
Create your account, render documents, store your work, fulfil paid plans	Performance of a contract (Art. 6(1)(b))
Invoicing, accounting, fraud prevention, retention of legal records	Legal obligation (Art. 6(1)(c))
Keep the Service secure, prevent abuse, debug crashes	Legitimate interest (Art. 6(1)(f))
Product analytics, marketing communications, optional cookies	Consent (Art. 6(1)(a)) — withdrawable at any time

4. Service providers (sub-processors)

We use the following third-party services to run mdclaudy. Each is bound by its own privacy policy and, where required, by a Data Processing Agreement with us. Most are based in the United States and may transfer data internationally; see section 5.

Provider	Purpose	Location
Clerk	Authentication, account management	United States
Supabase	Database & file storage	European Union (Frankfurt region)
Polar	Payment processing, invoicing	United States / EU
Vercel	Hosting, CDN, web analytics	United States / global edge
Sentry	Error & performance monitoring	United States
PostHog	Product analytics	United States
Google	Analytics (GA4), OAuth sign-in	United States
Upstash	Rate limiting (IP-based)	United States / EU
OpenRouter	AI request routing	United States
Anthropic	AI model provider (Claude)	United States
Mux	Video hosting (demo videos only)	United States

We may add, replace, or remove sub-processors over time. Material changes will be reflected in this policy and, where required by law, communicated to you.

5. International data transfers

Several of our providers are based in the United States. When personal data of users in the European Economic Area, the United Kingdom, or Switzerland is transferred to such providers, we rely on appropriate safeguards under GDPR, including Standard Contractual Clauses and, where the provider is certified, the EU–U.S. Data Privacy Framework. You can request a copy of the safeguards in place by emailing simo.agrat1@gmail.com.

6. How long we keep your data

Data	Retention
Account data	Until you delete your account
Documents and uploads	Until you delete them, or 30 days after account deletion (for backup recovery)
Billing records and invoices	Up to 10 years (legal accounting obligation)
Server access logs	Up to 90 days
Error reports	Up to 90 days
Analytics events	Up to 24 months
AI prompts and completions	Not retained by us beyond the request lifecycle

7. Your rights

Depending on where you live, you have rights over your personal data. We respect all of them, regardless of jurisdiction.

7.1 If you are in the EU, UK, or Switzerland (GDPR)

Right of access — get a copy of the data we hold about you.
Right to rectification — correct inaccurate data.
Right to erasure (“right to be forgotten”) — delete your account and associated data.
Right to restrict processing — temporarily halt certain uses of your data.
Right to data portability — receive your data in a structured, machine-readable format.
Right to object — including to processing based on legitimate interest.
Right to withdraw consent — for any processing based on consent.
Right to lodge a complaint — with your local supervisory authority. In Morocco, this is the CNDP (Commission Nationale de Protection des Données à caractère Personnel).

7.2 If you are in California (CCPA / CPRA)

Right to know what personal information is collected, used, shared, or sold.
Right to delete personal information held about you.
Right to correct inaccurate personal information.
Right to opt out of “sale” or “sharing” of personal information. We do not sell or share your personal information in the sense defined by the CCPA/CPRA.
Right to limit use of sensitive personal information.
Right to non-discrimination for exercising any of these rights.

7.3 How to exercise your rights

Most rights can be exercised directly in-app: you can edit your account, export your documents, and delete your account from the Settings page. For anything else, email simo.agrat1@gmail.com. We will respond within 30 days (extendable by 60 days under GDPR for complex requests).

We may need to verify your identity before fulfilling certain requests, typically by sending a confirmation to the email on file.

8. Security

We take security seriously. Concretely:

All traffic is encrypted in transit with TLS 1.2+ and HSTS.
Data at rest is encrypted by our database and storage providers.
Access to your documents is enforced by row-level security at the database level — even an authenticated request cannot access another user’s data.
Passwords are never seen by us; Clerk handles authentication with industry-standard hashing.
Production secrets are stored in Vercel’s encrypted environment variable store with restricted access.
Rate limiting and bot protection are in place to prevent abuse.

No system is perfectly secure. If you suspect your account has been compromised, contact us immediately at simo.agrat1@gmail.com.

9. Cookies and similar technologies

We use a small number of cookies and local-storage entries:

Strictly necessary — session cookies set by Clerk to keep you logged in, and a small local-storage preference for your editor theme. These cannot be disabled.
Analytics — PostHog, Google Analytics, and Vercel Analytics set first-party cookies and/or local-storage identifiers to measure usage. We do not use them for cross-site advertising.

You can clear cookies in your browser settings at any time. EU visitors are asked for consent for non-essential analytics where required.

10. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from anyone under that age. If you believe a child has provided us with personal data, please email us and we will delete it.

11. Changes to this policy

We may update this policy from time to time. When we do, we update the “Last updated” date at the top. If a change is material — for example, a new category of data or a new sub-processor — we will notify registered users by email at least 14 days before the change takes effect.

12. Contact

Questions, requests, or complaints? Email simo.agrat1@gmail.com. We aim to respond within 5 business days, and always within the legal deadlines (30 days for GDPR, 45 days for CCPA).

Postal address available on request. Operated by Mohammed Agrat, Morocco.

→ Terms of Service → Contact us