Privacy Policy

Last updated: 2026-05-25

This Privacy Policy describes how DataOps, s.r.o. ("we", "us", "our"), the operator of the MDflow service available at mdflow.cz ("Service"), collects, uses and stores information about you ("you", "user") when you use the Service.

By using the Service you confirm that you have read and understood this Policy.

1. Who is the data controller

The data controller is:

DataOps, s.r.o. Registered in the Czech Republic. Contact: vaclav@wearedataops.cz

2. What data we collect

We only collect the data needed to operate the Service.

From your Google account (via Google OAuth):

• email address
• display name
• avatar URL
• Google account identifier (sub)

Content you create:

• folder names
• document titles
• document content (markdown text)
• public-share state and slugs for documents you choose to share

Technical data automatically collected by our hosting providers:

• IP address
• browser type and version
• timestamps of requests
• standard server access logs

We do not use third-party analytics or advertising trackers.

3. Why we collect it

We use your data only to:

• authenticate you and keep you signed in
• store and display your documents
• generate public-share URLs when you choose to share a document
• operate, secure and debug the Service

We do not sell your data. We do not use your documents to train machine-learning models. We do not show you ads.

4. Legal basis

We process your data on the basis of:

• performance of a contract (Art. 6(1)(b) GDPR) — to provide the Service you signed up for
• legitimate interest (Art. 6(1)(f) GDPR) — to secure and maintain the Service

5. Where your data lives

The Service runs on third-party infrastructure:

• Supabase (database and authentication)
• Vercel (application hosting)
• Google (OAuth sign-in)

These providers may process your data outside the European Economic Area. They are bound by their own privacy terms and standard contractual clauses.

6. Public sharing

When you toggle public sharing on for a document, the document title and body become accessible to anyone who has the share URL. The URL contains a cryptographically random 64-character slug. We never publish the URL ourselves — it is up to you who you share it with.

The public viewer never reveals your email, name, avatar or any other documents in your workspace.

When you toggle sharing off, the slug is invalidated and the previous URL stops working.

7. Cookies

We use only cookies strictly necessary to keep you signed in. We do not use marketing, analytics or third-party tracking cookies.

8. How long we keep your data

We keep your account and content for as long as your account exists. If you ask us to delete your account, we delete your folders, documents and profile from our database. Backups may retain copies for a limited period before being overwritten.

Server access logs are kept for a short, technically necessary period.

9. Your rights

Under the GDPR you have the right to:

• access the personal data we hold about you
• correct inaccurate data
• delete your data ("right to be forgotten")
• restrict or object to processing
• receive your data in a portable format
• lodge a complaint with the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů)

To exercise any of these rights, email us at vaclav.vaclav@wearedataops.cz.

10. Children

The Service is not intended for users under 16. We do not knowingly collect data from children.

11. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the latest version. Material changes will be announced inside the Service before they take effect.

12. Contact

Questions about this Policy: vaclav@wearedataops.cz