Privacy Policy
Last updated: 2026-06-18
This Privacy Policy describes how DataOps, s.r.o. ("we", "us", "our"), the operator of the MDflow service available at mdflow.cz ("Service"), collects, uses and stores information about you ("you", "user") when you use the Service.
By using the Service you confirm that you have read and understood this Policy.
1. Who is the data controller
The data controller is:
DataOps, s.r.o. Registered in the Czech Republic. Contact: vaclav@wearedataops.cz
2. What data we collect
We only collect the data needed to operate the Service.
From your Google account (via Google OAuth):
- email address
- display name
- avatar URL
- Google account identifier (sub)
Content you create:
- folder names
- document titles
- document content (markdown text)
- public-share state and slugs for documents you choose to share
- comments you add to shared documents
Technical data automatically collected by our hosting providers:
- IP address
- browser type and version
- timestamps of requests
- standard server access logs
Analytics (only with your consent):
- We use Google Analytics 4 to understand how the Service is used (pages visited, approximate location, device and browser type). Analytics cookies and identifiers are set only after you accept them in the cookie banner. Until you accept, Google Analytics runs in consent-denied mode and stores nothing on your device. We do not use advertising trackers.
3. Why we collect it
We use your data only to:
- authenticate you and keep you signed in
- store and display your documents
- generate public-share URLs when you choose to share a document
- let signed-in users comment on shared documents and open independent copies
- operate, secure and debug the Service
We do not sell your data. We do not use your documents to train machine-learning models. We do not show you ads.
4. Legal basis
We process your data on the basis of:
- performance of a contract (Art. 6(1)(b) GDPR) — to provide the Service you signed up for
- legitimate interest (Art. 6(1)(f) GDPR) — to secure and maintain the Service
- consent (Art. 6(1)(a) GDPR) — for Google Analytics, which runs only after you accept the cookie banner. You can withdraw consent at any time by clearing the consent choice in your browser.
5. Where your data lives
The Service runs on third-party infrastructure:
- Supabase (database and authentication)
- Vercel (application hosting)
- Google (OAuth sign-in and, with your consent, Google Analytics)
These providers may process your data outside the European Economic Area. They are bound by their own privacy terms and standard contractual clauses.
6. Public sharing
When you toggle public sharing on for a document, the document title and body become accessible to anyone who has the share URL. The URL contains a cryptographically random 64-character slug. We never publish the URL ourselves — it is up to you who you share it with.
The public viewer never reveals the document owner's email, name, avatar or any other documents in their workspace. When commenting is enabled, signed-in users with the share link can see comments together with each comment author's display name and avatar. Email addresses are not shown.
When you toggle sharing off, the slug is invalidated and the previous URL stops working.
Any signed-in user with an active share link can open an independent private copy of the shared document in their own workspace. The copy is not linked to the original after it is created.
7. Cookies
We use cookies strictly necessary to keep you signed in. We also use Google Analytics cookies, but only after you accept them in the cookie banner — if you decline, no analytics cookies are set. We do not use advertising or marketing cookies.
8. How long we keep your data
We keep your account and content for as long as your account exists. If you ask us to delete your account, we delete your folders, documents and profile from our database. Backups may retain copies for a limited period before being overwritten.
Server access logs are kept for a short, technically necessary period.
9. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you
- correct inaccurate data
- delete your data ("right to be forgotten")
- restrict or object to processing
- receive your data in a portable format
- lodge a complaint with the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů)
To exercise any of these rights, email us at vaclav.vaclav@wearedataops.cz.
10. Children
The Service is not intended for users under 16. We do not knowingly collect data from children.
11. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top reflects the latest version. Material changes will be announced inside the Service before they take effect.
12. Contact
Questions about this Policy: vaclav@wearedataops.cz