Privacy Policy
Effective date: April 14, 2026
1. Introduction and Data Controller
Welcome to OpenDocs, a Markdown publishing platform consisting of our website (opendocs.cc), command-line interface (CLI), and REST API. This Privacy Policy explains how we collect, use, store, and protect your personal data.
For the purposes of the General Data Protection Regulation (GDPR) and the Icelandic Data Protection Act (Act No. 90/2018), the data controller is:
Contrarian Capital ehf. (doing business as OpenDocs)
Company ID (Kennitala): 4209221590
Country of incorporation: Iceland
Website: https://opendocs.cc
Contact email: hello@opendocs.cc
The processing of your personal data is governed by the GDPR (Regulation (EU) 2016/679), the Icelandic Data Protection Act (lög um persónuvernd og vinnslu persónuupplýsinga nr. 90/2018), and the Icelandic ePrivacy rules (reglur um fjarskiptavernd).
2. Data We Collect and Legal Bases for Processing
We collect specific categories of personal data to provide our services. We rely on the following legal bases under the GDPR to process your data:
2.1. Account Data
To create and manage your OpenDocs account, we collect your email address, display name, username (used in your public profile URL), and hashed password (if using email/password authentication). If you authenticate using GitHub or Google OAuth, we receive your name, email, profile picture URL, and OAuth provider ID. We also process your API keys, which are stored as hashed values (the plaintext is shown only once at creation).
Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR).
2.2. User Content
We process the Markdown files you publish, the rendered HTML versions of those files, and document metadata (title, slug, summary, tags, visibility settings, and version history). Public documents are accessible to anyone with the URL; workspace-visible documents are strictly limited to workspace members.
Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR).
2.3. Workspace Data
If you utilize our collaboration features, we collect the workspace name, workspace slug, and membership data detailing which users belong to the workspace and their respective roles.
Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR).
2.4. Billing Data
Our Free plan does not require payment processing. For our Pro plan, payments are processed by Paddle, our Merchant of Record. We do not collect or store credit card numbers, bank details, or full billing addresses. We only receive from Paddle your subscription status, plan type, transaction IDs, amounts paid, billing country, and invoice references. Paddle acts as an independent data controller for your payment data (see Paddle's Privacy Policy).
Legal Basis: Performance of a contract (Art. 6(1)(b) GDPR) and compliance with a legal obligation (Art. 6(1)(c) GDPR).
2.5. Server Logs and Technical Data
We automatically collect server logs including your IP address, user agent string (browser and device information), requested URLs, timestamps, HTTP status codes, and referrer headers. These logs are strictly utilized for security monitoring, debugging, and preventing abuse of our platform.
Legal Basis: Legitimate interests in maintaining the security and stability of our service (Art. 6(1)(f) GDPR).
2.6. Analytics Data (Plausible Analytics)
We use Plausible Analytics, a privacy-focused, cookie-free analytics tool, to understand website traffic. Plausible does not use cookies and does not collect personal data. The data collected includes aggregated page views, referrer sources, country (derived from IP; the IP address itself is discarded and not stored), browser type, device type, and operating system.
Legal Basis: Legitimate interests in understanding service usage to improve our product (Art. 6(1)(f) GDPR).
2.7. Error Tracking (Sentry)
When errors or application crashes occur, we use Sentry to capture diagnostic data. This may include your IP address, browser and device information, the specific URL where the error occurred, and technical stack traces. Sentry does not have access to your user content or documents.
Legal Basis: Legitimate interests in identifying and resolving software bugs (Art. 6(1)(f) GDPR).
3. Cookies and Tracking Technologies
We use cookies to ensure our platform functions correctly and, provided we have your explicit consent, to measure the effectiveness of our marketing campaigns.
3.1. Strictly Necessary Cookies (No Consent Required)
We use a session/authentication cookie required to keep you securely logged into your account. This cookie is marked HttpOnly and Secure, and is set on the .opendocs.cc domain. It expires when you log out or after the session timeout. This cookie is essential for the service to function and does not require consent under GDPR or ePrivacy rules.
3.2. Marketing and Advertising Cookies (Consent Required)
We utilize third-party scripts to evaluate our marketing efforts. These are disabled by default and are only loaded if you provide explicit opt-in consent:
- Meta Pixel (Facebook Pixel): Measures advertising effectiveness on Meta platforms. It sets cookies to track pages visited, actions taken, browser/device data, IP address, and cookie identifiers.
- Google Ads (via gtag.js): Used for conversion tracking and remarketing. It sets cookies to track pages visited, conversion events, browser/device data, IP address, and cookie identifiers.
If you decline or ignore the cookie consent banner, these cookies are never set, no data is sent to Meta or Google, and your use of OpenDocs remains entirely unaffected.
3.3. Cookie Consent Mechanism
Upon your first visit, a cookie consent banner is displayed. While strictly necessary cookies are always active, marketing cookies require your explicit, unbundled opt-in. Your preference is stored in a local cookie for 12 months so you are not prompted repeatedly. You can withdraw your consent or change your preferences at any time by clicking the cookie settings link located in the footer of any page on our website.
4. Data Storage and International Transfers
Your personal data is primarily stored and processed within the European Economic Area (EEA) and the United Kingdom (UK).
- Primary Database: Hosted on Neon, running on AWS EU-West-2 (London, UK). The UK benefits from an adequacy decision issued by the European Commission, meaning data transfers from the EEA to the UK are legally permitted without requiring additional safeguards.
- Application Hosting: Hosted on Vultr within the EU region.
- International Transfers: Where we utilize sub-processors located outside the EEA or adequate jurisdictions (such as the United States), we rely on valid transfer mechanisms under Chapter V of the GDPR. This includes the EU-U.S. Data Privacy Framework (DPF) for certified organizations and standard contractual clauses (SCCs) approved by the European Commission.
5. Sub-Processors
To provide our service, we share necessary data with authorized third-party service providers (sub-processors). We have executed Data Processing Agreements (DPAs) with all sub-processors to ensure your data remains protected.
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Neon (Neon Inc.) | Database hosting | All account data, user content, workspace data | AWS EU-West-2, London, UK |
| Paddle (Paddle.com Market Ltd) | Payment processing (Merchant of Record) | Billing data, email, country, transaction details | UK/EU |
| Plausible (Plausible Insights OÜ) | Privacy-focused analytics | Aggregated page views, no personal data | EU (Estonia) |
| Sentry (Functional Software Inc.) | Error tracking | IP address, browser info, error stack traces | EU data region |
| Resend (Resend Inc.) | Transactional email delivery | Email address, email content | US (SCCs in place) |
| Cloudflare (Cloudflare Inc.) | CDN, DNS, DDoS protection | IP address, request metadata | Global edge (DPF + SCCs) |
| Vultr (The Constant Company, LLC) | Application server hosting | All data in transit and at rest on the server | EU region |
| Meta Platforms (Meta Platforms Inc.) | Advertising measurement (only with consent) | Cookie identifiers, browsing activity, IP address | US (DPF + SCCs) |
| Google (Google LLC) | Advertising measurement (only with consent) | Cookie identifiers, browsing activity, IP address | US (DPF + SCCs) |
| MailerLite (UAB MailerLite) | Marketing emails (only with opt-in) | Email address, name | EU (Lithuania) |
6. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy or as legally required.
- Account Data and User Content: Retained while your account is active. Upon an account deletion request or individual document deletion, data is removed from our primary databases within 30 days. Backup copies may persist in encrypted archives for up to 30 additional days before being permanently purged.
- Billing/Financial Records: Retained for 7 years following the end of the financial year in which the transaction occurred, as mandated by the Icelandic Accounting Act (lög um bókhald nr. 145/1994, Art. 20). This retention is limited to necessary financial records; your personal account profile, documents, and API keys are still deleted within the 30-day window upon account closure.
- Server Logs and Sentry Error Data: Automatically deleted after 90 days.
- Analytics (Plausible): Only aggregated, non-personal data is retained.
- Cookie Preferences: Your consent status is stored in your browser for 12 months.
- Marketing Cookies: Retention is controlled by Meta or Google. You can clear these from your browser at any time.
7. Your Privacy Rights
Under the GDPR (Chapter III), you possess comprehensive rights regarding your personal data. You may exercise any of these rights by contacting us at hello@opendocs.cc. We will respond to your request within 30 days. For complex requests, we may extend this period by up to 60 additional days, provided we inform you of the extension within the initial 30 days.
- Right of Access (Art. 15): You have the right to request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): You have the right to correct inaccurate or incomplete data. You can update most of your profile data directly in the OpenDocs dashboard.
- Right to Erasure / "Right to be Forgotten" (Art. 17): You can request the deletion of your account and all associated data. You can initiate this self-serve from your dashboard. Deletion is completed within 30 days, subject to the financial record retention required by Icelandic law.
- Right to Restriction of Processing (Art. 18): You may ask us to suspend the processing of your personal data under certain circumstances (e.g., if you contest its accuracy).
- Right to Data Portability (Art. 20): You may receive your data in a structured, commonly used, and machine-readable format. You can export your published documents at any time using our CLI (`opendocs pull`).
- Right to Object (Art. 21): You have the right to object to processing based on our legitimate interests. If you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your rights.
- Right to Withdraw Consent (Art. 7(3)): Where processing is based on your consent (such as for marketing cookies or our newsletter), you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing that occurred beforehand.
- Right to Lodge a Complaint (Art. 77): If you believe our processing violates data protection laws, you have the right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd, Rauðarárstígur 10, 105 Reykjavík, Iceland; www.personuvernd.is), or with your local supervisory authority within the EEA.
8. Children's Privacy
OpenDocs is a professional productivity tool and is not directed at or intended for children. We do not knowingly collect personal data from individuals under the age of 16. If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take immediate steps to delete that information.
9. Marketing Communications
We solely send transactional emails necessary for the operation of the service (e.g., account verification, password resets, security alerts). We also offer an optional marketing newsletter delivered via MailerLite. You will only receive this newsletter if you explicitly opt in. You can withdraw your consent and unsubscribe at any time by clicking the "unsubscribe" link provided at the bottom of every marketing email.
10. Automated Decision-Making
We do not engage in automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you, as defined under Article 22 of the GDPR.
11. Security Measures
Protecting your data is a core priority. We implement robust technical and organizational measures, including:
- TLS encryption for all data in transit.
- Encryption at rest for our primary databases.
- Hashing of passwords (using bcrypt) and API keys (we cannot reverse the hash to see your key).
- Network firewall rules and strict access controls.
- Regular security updates and patch management.
While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure, and we cannot guarantee absolute security.
12. Third-Party Links
The OpenDocs service, or documents published by our users, may contain links to third-party websites. We are not responsible for the privacy practices, content, or security of those external websites. We encourage you to read the privacy policies of any third-party sites you visit.
13. Changes to this Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. If we make material changes, we will provide you with prominent notice, such as via email or a notification in the OpenDocs dashboard, at least 30 days before the changes take effect. Your continued use of the service after the effective date constitutes acknowledgment of the updated policy.
14. Contact Information
If you have any questions, concerns, or wish to exercise your privacy rights, please contact us at: hello@opendocs.cc