Privacy Policy
Last updated: April 30, 2026
MDSpin (“we”, “our”) is a Chrome Extension and web service that converts document files into Markdown. This policy describes, in full, what data we collect, how we use it, who we share it with, and how long we keep it.
1. Data we collect
| Category | What | Where it comes from |
|---|---|---|
| Personally identifiable information | Email address, Google account ID | Sign-up form (email + password) or Google OAuth sign-in |
| Authentication credentials | Password (only when you sign up with email + password). Submitted from the sign-up form directly to Supabase Auth over TLS, where it is stored only in hashed form. MDSpin's backend never receives the password, and neither MDSpin nor anyone else can read the stored hash. | You, when you create an account with email and password |
| Authentication information | Supabase session tokens | Created when you sign in |
| Third-party authentication tokens | Google OAuth access token and refresh token (only if you sign in with Google and grant Drive/Docs scopes) | Returned by Google after OAuth consent; stored server-side so the extension can import files from your Drive on your behalf |
| Network identifier (anonymous use only) | Your IP address, used solely to enforce the 3-conversions-per-day limit for non-signed-in users. Not stored against signed-in accounts. | Sent automatically by your browser when you make a conversion request without being signed in |
| Website content (user-uploaded files) | The contents, filename, and file type of documents you choose to convert (PDF, DOCX, PPTX, TXT, HTML, RTF, CSV) | You, when you trigger a conversion |
| User activity | Count of conversions performed per day, tied to your account | Generated by the extension when you convert a file |
| Local preferences | UI settings such as inline-mode toggle | Stored locally in your browser via chrome.storage |
We do not collect: browsing history, page content from ChatGPT/Claude/Gemini conversations, mouse/keystroke telemetry, location, financial data, health data, or extension usage analytics.
2. How we use data
- File contents — transmitted to our conversion API solely to produce Markdown output, then returned to you. Used for no other purpose.
- Email + account ID — to identify your account and enforce daily conversion quotas.
- Password — verified by Supabase Auth at sign-in. Used only to authenticate you. Not used for any other purpose. We have no ability to read it.
- Google OAuth tokens — used server-side to fetch documents from your Google Drive when you choose to import a file. Tokens are never shared with third parties.
- IP address (anonymous users only) — counted against the per-IP daily quota and discarded after 24 hours. Not linked to an account.
- Session tokens — to keep you signed in.
- Conversion counts — to enforce per-user daily limits across devices.
- Local preferences — to remember your UI settings. Never transmitted.
3. Who we share data with
We share data only with the following infrastructure providers, strictly for the purposes listed:
| Recipient | What is sent | Purpose | Retention |
|---|---|---|---|
| MDSpin Conversion API (hosted on Vercel, api.mdspin.app) | File contents, filename, file type | Convert the file to Markdown | Processed in memory; not stored. Discarded immediately after the response is returned. |
| Supabase (ixdsddfxkrkytiitfici.supabase.co) | Email, account ID, hashed password (email signup only), Google OAuth tokens (Google signup only), session tokens, daily conversion counter, IP address (anonymous quota only) | Authentication, password verification, OAuth token storage for Drive/Docs imports, quota enforcement | Retained until you delete your account. Quota counters reset every 24 hours. |
| Google (OAuth identity provider) | Standard OAuth flow | Verify your identity when you sign in | Governed by Google's privacy policy |
We do not sell, rent, or transfer user data to any other party. We do not use user data for advertising, profiling, or any purpose unrelated to MDSpin's single purpose (file-to-Markdown conversion). We do not use or transfer user data to determine creditworthiness or for lending purposes.
4. Google API Services — Limited Use disclosure
MDSpin's use and transfer of information received from Google APIs to any other app will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements.
5. Data retention
- File contents: 0 seconds (in-memory only; discarded after response).
- Account data (email, ID): until you delete your account.
- Password (hashed): stored by Supabase Auth until you delete your account or change your password.
- Google OAuth tokens: until you revoke access in your Google account settings or delete your MDSpin account. Refresh tokens are rotated automatically by Google.
- IP addresses (anonymous quota): 24-hour rolling window; deleted when the daily quota row is reset.
- Session tokens: until you sign out or they expire.
- Quota counters: 24-hour rolling window.
- Local preferences: until you uninstall the extension or clear browser storage.
6. Security
All communication between the extension, the conversion API, and Supabase uses HTTPS/TLS encryption. Passwords are never stored in plaintext: when you sign up with email + password, the password is sent directly from your browser to Supabase Auth over TLS and hashed there using bcrypt before storage. MDSpin's backend never receives the plaintext password, and neither MDSpin nor anyone else can read the stored hash. Authentication is performed entirely by Supabase Auth.
7. Your rights and controls
- Access or delete your account data: email trenkner.peter@gmail.com and we will delete your account and all associated data within 30 days.
- Sign out: available from the extension popup. Ends the session immediately.
- Stop local storage: uninstalling the extension clears all locally stored preferences.
8. Children
MDSpin is not directed at children under 13 and we do not knowingly collect data from them.
9. Changes to this policy
We will update the “Last updated” date above when the policy changes. Material changes will be announced in the extension's release notes.
10. Contact
Questions about this policy: trenkner.peter@gmail.com