Privacy Policy

This Privacy Policy explains how ToMarkdown collects, uses, discloses, and safeguards your personal information when you use our services.

Last Updated: June 3, 2025

1 Information We Collect

ToMarkdown offers both free, in-browser Markdown tools and optional account-based features (e.g., registration, OAuth2 login, future API access). Depending on how you interact with our site, we may collect the following types of information:

1.1 Personal Information

When you register for an account or log in via OAuth2 (Google, GitHub, etc.), you may provide us with:

  • Username
  • Email address
  • Password (hashed and stored securely)
  • Billing address (only if you subscribe to a paid service later)

We do not collect sensitive personal data such as race, religion, political beliefs, health information, or government-issued identifiers.

1.2 Device & Technical Information

When you visit or use ToMarkdown (even without registering), we automatically collect certain non-personal, technical data to ensure our site runs smoothly:

  • Device type and operating system (e.g., Windows, macOS, Linux, iOS, Android)
  • Browser type and version (e.g., Chrome, Firefox, Safari)
  • Screen resolution and viewport size
  • Unique device identifiers (e.g., browser fingerprinting tokens, cookies)
  • IP address (stored only in truncated or anonymized form)

1.3 Usage Data & Interaction Logs

To improve our services, we record aggregated, non-identifiable metrics such as:

  • Timestamped page views (which pages or tools you accessed, and when)
  • Clickstream data (sequence of actions—e.g., which Markdown tools you used and for how long)
  • Error and crash reports (stack traces and HTTP status codes, stripped of any personal content)

1.4 Third-Party Login Information

If you choose to log in with a third-party provider via OAuth2, we may receive:

  • Name or display name
  • Email address
  • Avatar or profile picture URL
  • Basic public profile data

We rely on the OAuth2 provider's user consent process; ToMarkdown does not store your third-party login credentials or passwords.

1.5 User-Provided Content & Preferences

This covers any information you actively provide that is not part of document content, such as:

  • Avatar or profile photo (if you upload one)
  • Display name (if different from username)
  • Tool preferences or settings (e.g., preferred Markdown flavor, theme selection, editor layout)

1.5.1 Document Content

All Markdown files you process with our free tools are handled entirely in your browser (client-side). We do not upload, store, or log your raw Markdown content, converted HTML, or any intermediate data on our servers.

2 How We Use Your Information

We use the information we collect for the following purposes:

2.1 To Provide & Maintain Our Services

  • Account Creation & Authentication: Verify your email address and authenticate your login sessions. Securely store hashed passwords or OAuth2 tokens.
  • User Profile & Preferences: Display your avatar, display name, and saved preferences.
  • Feature Access: Grant you access to registered-only features (e.g., project history, saved snippets, future API endpoints).
  • Billing & Subscription Management: If you subscribe to a paid API plan, we'll use your billing address and payment information (via a third-party processor) to process transactions, send invoices, and handle refunds.

2.2 To Improve User Experience

  • Usage Analytics: Analyze aggregated logs to determine which tools are most popular, how long users spend on each page, and where improvements are needed.
  • Performance Monitoring: Track page load times, API response times, and error rates to optimize site speed and reliability.

2.3 To Communicate With You

  • Support & Inquiries: Respond to support requests, troubleshoot technical issues, and provide account assistance via email.
  • Updates & Announcements: Send you optional newsletters, feature launch emails, or other marketing communications only if you opt in. You may unsubscribe at any time by clicking the "Unsubscribe" link at the bottom of any email.

2.4 To Ensure Security & Prevent Abuse

  • Fraud Detection & Prevention: Monitor for unusual login patterns or suspicious API usage to protect user accounts and server resources.
  • DDoS & Malicious Activity Mitigation: Use server-side analytics and firewall rules to block or rate-limit abusive IP addresses.

2.5 To Comply with Legal Obligations

  • Law Enforcement & Legal Requests: Cooperate with valid subpoenas, court orders, or other legal processes.
  • Regulatory Compliance: Retain certain transaction logs for tax and accounting compliance, if you subscribe to a paid API plan.

3 Data Sharing & Disclosure

We do not sell, rent, or lease your personal information to third parties. We may share your data in the following limited scenarios:

3.1 Service Providers & Subprocessors

We engage third-party vendors to perform services on our behalf. These providers are contractually obligated to process your information only for the purposes we specify and to maintain confidentiality. Examples include:

  • Hosting & Infrastructure (Cloudflare Workers)
  • Authentication & OAuth2 Management (e.g., Auth0, Firebase Authentication)
  • Analytics & Performance Monitoring (e.g., Google Analytics, Sentry)
  • Payment Processing (e.g., Stripe, PayPal) for paid API subscriptions
  • Email Delivery & CRM (e.g., SendGrid, Mailgun)

3.2 Legal Compliance & Protection

  • Law Enforcement & Legal Requests: ToMarkdown may disclose personal information if required by a valid subpoena, court order, or other governmental request. We will notify you of such disclosures unless prohibited by law.
  • Protecting Our Rights & Safety: If we believe your actions violate our Terms of Service or pose a security threat to other users, we may share relevant data (e.g., truncated IP logs) with authorities or affected parties.

3.3 Business Transfers

In the event ToMarkdown undergoes a merger, acquisition, or asset sale, your personal information may be transferred as part of the business transaction. We will notify you of any change in ownership or use of your data prior to such transfer, and the new entity will be bound by this Privacy Policy (or a policy substantially similar).

4 Data Protection & Security

We take reasonable administrative, technical, and physical precautions to protect the personal information you provide:

4.1 Encryption & Secure Storage

  • Data in Transit: All communication between your browser and our servers is encrypted using HTTPS (TLS 1.2 or higher).
  • Data at Rest: Sensitive data (e.g., passwords) are hashed with a strong algorithm (e.g., bcrypt or Argon2). Payment details are never stored on our servers; all transactions are processed directly by our third-party payment partners (e.g., Stripe).

4.2 Access Controls & Authentication

  • Least-Privilege Access: Only authorized employees and contractors have access to production systems and databases.
  • Multi-Factor Authentication (MFA): We enforce MFA for all administrative accounts with access to sensitive data.

4.3 Regular Audits & Monitoring

  • Security Audits: We perform periodic code reviews, vulnerability scans, and penetration tests.
  • Logging & Alerting: Real-time monitoring for unusual activity (e.g., multiple failed login attempts, SQL injection patterns) with automatic alerts to our security team.

4.4 Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we will:

  1. Investigate and contain the breach immediately.
  2. Notify you via email within 72 hours of confirming that it impacted your personal data, as required by applicable laws (e.g., GDPR).
  3. Provide guidance on steps you can take to protect yourself (e.g., resetting your password).

5 Cookies & Tracking Technologies

To enhance your experience and understand how you use our site, we employ cookies and similar tracking technologies:

5.1 Essential Cookies

  • Session Management: Remember your authenticated session (so you don't have to log in on every page).
  • Load Balancing & Security: Distribute traffic across our servers and detect malicious bots.

5.2 Analytics & Performance Cookies (Optional)

  • Google Analytics / Sentry: We collect anonymized, aggregated usage data (e.g., page views, bounce rate) to improve site performance and user flow.
  • Opt-Out: You may disable analytics cookies by clicking "Do Not Track" in your browser settings or installing a cookie-blocking extension. Note that blocking essential cookies may impair certain site functions.

6 Your Rights & Choices

Depending on your jurisdiction, you may have rights regarding your personal information:

Access

Request a copy of the personal information we hold about you (e.g., account details, preferences).

Correction

Ask us to update or correct incomplete or inaccurate data (e.g., change your email address).

Deletion ("Right to be Forgotten")

Request that we delete your personal information, subject to legal and contractual requirements (e.g., retaining billing records for tax purposes).

Objection / Restriction

Object to or limit certain processing activities (e.g., analytics tracking).

Data Portability

Request a machine-readable copy of the data you provided to us (e.g., profile fields, preferences).

To exercise any of these rights, contact us at support@tomarkdown.dev. We will respond to your request within 30 days. Some requests may require additional verification to protect your privacy.

7 Data Retention

We retain your personal data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, including:

Account Information

Retained until you delete your account or we discontinue the service.

Billing & Transaction Records

Retained for a minimum of seven years to comply with tax and accounting regulations (if you subscribe to a paid plan).

Usage Logs & Analytics

Aggregated usage data may be stored for up to 12 months before anonymization or deletion.

Crash Reports & Error Logs

Retained for up to 90 days for debugging and product improvement; then permanently deleted.

When data is no longer needed, we either delete it or store it in anonymized, aggregated form where individual users cannot be identified.

8 International Data Transfers

ToMarkdown's servers and third-party subprocessors (e.g., Cloudflare, Auth0, Stripe) may be located in the United States and other jurisdictions. By using our services, you consent to the transfer of your personal information across international borders. We implement appropriate safeguards—such as Standard Contractual Clauses (SCCs) for transfers from the European Economic Area (EEA)—to ensure adequate protection.

9 Children's Privacy

ToMarkdown is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you are under 13, please do not register or use our services. If we learn that we have collected data from a child under 13, we will promptly delete that information. If you believe we might have any information from a child under 13, please contact us at support@tomarkdown.dev.

10 Changes to This Privacy Policy

We may update this Privacy Policy occasionally to reflect changes in our practices or legal requirements. When we make material changes:

  1. We will update the "Last Updated" date at the top of this page.
  2. If the changes are substantial (e.g., new categories of data collected or new sharing practices), we will post a prominent notice on our homepage or send an email notification to registered users.

Your continued use of ToMarkdown after any changes to this Privacy Policy constitutes acceptance of those changes.

11 Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all inquiries within 30 days. Thank you for trusting ToMarkdown—we are committed to protecting your privacy and delivering a safe, efficient Markdown experience.