Privacy Policy

Last updated: May 13, 2026

At mdspec, your privacy is a priority. This policy explains what information XAD LABS (PVT) LTD collects, how we use it, and how we protect it when you use our specification management platform.

1. Information We Collect

We collect information you provide directly when creating an account, including your name, email address, and profile details. We also store the project metadata, organisation settings, and configuration you create on the platform.

Specification content is processed transiently — it passes through our API to be routed, optionally transformed by an agent template, and forwarded to your target tool (e.g. ClickUp, S3). It is not durably stored on our servers. When an agent template is configured, spec content is also sent to Anthropic's Claude API for transformation before publishing. Only content hashes and metadata required for change detection and routing are retained in our ledger.

2. Google User Data

mdspec offers “Sign in with Google” as an authentication option. When you use this feature, we access the following Google user data via the openid, email, and profile OAuth scopes:

Data Accessed

  • Your Google account email address
  • Your display name
  • Your profile picture URL

We do not access Google Drive, Gmail, Calendar, Contacts, or any other Google service data.

Data Usage

Google user data is used solely to authenticate you and create or identify your mdspec account. Your email address is used as your account identifier. Your display name and profile picture may be displayed within the mdspec interface. We do not use this data for advertising, profiling, or any purpose beyond providing the mdspec service.

Data Sharing

Google user data received via OAuth is stored in Supabase (our authentication and database provider) and is not shared with any other third party. We do not sell, rent, or transfer Google user data to advertisers or data brokers.

Data Storage & Protection

Google profile data is stored in Supabase, protected by Row Level Security (RLS) policies. Only you and authorised members of your organisations can access your account data. All data is transmitted over HTTPS.

Data Retention & Deletion

Google user data is retained for as long as your mdspec account is active. To request deletion of your account and all associated Google user data, email us at mdspecapp@gmail.com or delete your account from the account settings page. Data will be permanently removed within 30 days of the request.

mdspec's use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.

3. GitHub User Data

mdspec offers “Continue with GitHub” as an authentication option. When you use this feature, we access the following GitHub user data via OAuth:

Data Accessed

  • Your GitHub account email address
  • Your GitHub display name
  • Your GitHub avatar URL

We request only the read-only user:email and public profile scopes. We do not access repositories, organizations, or any other GitHub resource.

Data Usage

GitHub user data is used solely to authenticate you and create or identify your mdspec account. Your email address is used as your account identifier. Your display name and avatar may be shown within the mdspec interface. We do not use this data for advertising, profiling, or any purpose beyond providing the mdspec service.

Data Sharing

GitHub user data received via OAuth is stored in Supabase and is not shared with any other third party. We do not sell, rent, or transfer GitHub user data to advertisers or data brokers.

Data Storage & Protection

GitHub profile data is stored in Supabase, protected by Row Level Security (RLS) policies. Only you and authorised members of your organisations can access your account data. All data is transmitted over HTTPS.

Data Retention & Deletion

GitHub user data is retained for as long as your mdspec account is active. To request deletion, email us at mdspecapp@gmail.com or delete your account from account settings. Data will be permanently removed within 30 days of the request.

4. How We Use Your Information

We use your information exclusively to provide, maintain, and improve the mdspec service. This includes:

  • Authenticating your access and managing sessions
  • Routing specification publishes to the correct integrations
  • Managing organisation memberships and permissions
  • Processing subscription payments via Paddle
  • Sending transactional emails related to your account

5. Information Sharing

We do not sell your personal information. We share information only with trusted third-party providers strictly necessary to deliver the service:

  • Supabase — database and authentication
  • Vercel — application hosting
  • Paddle — subscription billing
  • Anthropic — AI-powered agent template transformations

Each provider is bound by confidentiality obligations and their own privacy standards.

6. Data Security

Your data is protected by Row Level Security (RLS) policies enforced at the database layer. Only authorised members of your projects and organisations can access your private data. All data is transmitted over HTTPS.

7. Data Retention

We retain your account data for as long as your account is active. If you delete your account, your personal data and project metadata will be permanently removed within 30 days, except where retention is required by law.

8. Your Rights

You have the right to access, correct, export, or delete your account and associated data at any time. To exercise any of these rights, contact us at mdspecapp@gmail.com.

9. Cookies

We use strictly necessary session cookies to keep you authenticated. We do not use tracking or advertising cookies.

10. Governing Law & Jurisdiction

This Privacy Policy and any matters relating to the collection and use of your data are governed by the laws of Sri Lanka and shall be resolved exclusively in the courts of Sri Lanka.

11. Contact

Questions about this policy? Email us at mdspecapp@gmail.com.