mdsync
BlogDocsHome

Privacy Policy

Effective Date: January 1, 2026

1. Introduction

Rosy AI, MB ("we," "us," or "our"), operating as mdsync.app, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our synchronization service.

We act as the Data Controller for your account information and billing data. For the content you synchronize between GitHub and Notion, we act as a Data Processor.

2. Information We Collect

2.1. Information You Provide

  • Account Data: When you register via Google OAuth, we collect your email address, name, and profile avatar.
  • Billing Information: If you subscribe to a paid plan, our payment processor (Stripe) collects your payment method, billing address, and VAT number. We do not store full credit card numbers on our servers.
  • Configuration Data: We store settings required to perform syncs, including repository names, Notion page IDs, and sync preferences.

2.2. Automated Data Collection

  • OAuth Tokens: We store encrypted Access Tokens for GitHub and Notion to perform actions on your behalf.
  • Sync Logs: We retain logs of sync execution (timestamps, status, error messages) to help you debug issues.
  • Usage Analytics: With your consent, we use Google Analytics and Microsoft Clarity to track page views and user behavior to improve the app.

2.3. Data We Do NOT Store

File Content: We do not permanently store the content of your Markdown files or Notion pages. Content is fetched from GitHub, processed in memory, sent to Notion, and then discarded. We only store file paths and content hashes (for change detection).

3. How We Use Your Data

We use your data for the following purposes:

  • Service Provision: To authenticate you, read your GitHub repositories, and update your Notion pages.
  • Billing: To process subscription payments and manage plan limits.
  • Communication: To send you transactional emails (e.g., invoices, trial expirations) and service updates.
  • Security: To detect and prevent abuse of our API and infrastructure.

4. Data Sharing and Third Parties

We do not sell your data. We share data only with the following third-party service providers necessary to operate the Service:

  • Supabase: Database hosting and authentication (Data storage).
  • Stripe: Payment processing.
  • Vercel: Web hosting and serverless function execution.
  • Google & Microsoft: Analytics (only if consented).
  • GitHub & Notion: External platforms you explicitly connect to our Service.

5. International Data Transfers

Your information, including Personal Data, may be processed on servers located outside of your state, province, or country. Specifically, our infrastructure providers (Supabase, Vercel) may utilize servers globally. By using the Service, you consent to these transfers, provided appropriate safeguards (such as standard contractual clauses) are in place.

6. Your Data Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Correct inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your account and associated data ("Right to be forgotten").
  • Right to Portability: Receive your data in a structured, machine-readable format.
  • Right to Withdraw Consent: Withdraw consent for analytics or marketing at any time.

To exercise these rights, please contact us at info@rosy.ai.lt.

7. Data Retention

  • Active Accounts: We retain your data for as long as your account is active.
  • Deleted Accounts: Upon account deletion, all personal data, OAuth tokens, and sync configurations are permanently removed from our database.
  • Logs: Sync logs are limited to the most recent 100 entries per synchronization.
  • Billing Records: We may retain billing history for up to 7 years as required by tax laws.

8. Security

We implement industry-standard security measures, including:

  • Encryption at Rest: All database data is encrypted.
  • Token Security: OAuth tokens are encrypted using AES encryption before storage.
  • Encryption in Transit: All data is transmitted over HTTPS/TLS.

9. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a minor has provided us with personal data, we will take steps to delete such information.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Effective Date."

11. Contact Us

If you have questions about this Privacy Policy, please contact us:

Back to Home