Privacy Policy

Overview

Markdown Studio is a client-side web application. This means everything runs entirely in your browser - we have no servers that process or store your data.

Data We Collect

No personal data. We do not collect personal information or use cookies. Specifically:

• No cookies (tracking or otherwise)
• No user accounts or registration
• No server-side data storage
• No third-party tracking scripts
• Anonymous usage analytics only (see "Analytics" section below)

Data Storage

Your markdown content and preferences are stored locally in your browser using localStorage. This data:

• Never leaves your device (except when using optional Prompt Studio features - see below)
• Is not transmitted to our servers
• Is not accessible to us or anyone else
• Can be cleared by clearing your browser data

Prompt Studio & API Keys (Optional Feature)

Markdown Studio includes an optional Prompt Studio feature that allows you to test prompts with AI models (OpenAI, Anthropic, Google).

API Key Storage

When you enter API keys for OpenAI, Anthropic, or Google services:

• Storage Location: Keys are stored in your browser's localStorage only
• Encryption: Keys are encrypted using AES-256-GCM before storage
• Encryption Key: Derived from your browser fingerprint (user agent, language, timezone)
• Deletion: Keys remain until you explicitly delete them or clear browser data

API Key Transmission

All providers use the same direct architecture:

• Direct API Calls: Your browser connects directly to the provider's API over HTTPS
• No Intermediary: API keys are sent from your browser to the provider — they never transit through our servers
• Route: Your browser → Provider API (direct)
• Architecture Details: Full technical documentation is available on our API Security Architecture page

API Key Security Limitations

Please be aware of the following security considerations:

• Client-Side Encryption: While keys are encrypted at rest, they must be decrypted to use them, and the decryption key is stored client-side
• Protection Level: Encryption protects against casual viewing and automated scrapers, but not against determined attackers with JavaScript execution access
• XSS Risk: If the application has an XSS vulnerability (we use DOMPurify to prevent this), stored keys could be compromised
• Browser Extensions: Malicious browser extensions with page access could potentially access stored keys
• Shared Devices: Do not use Prompt Studio on shared or public computers

When You Use Prompt Studio

When you execute a prompt using Prompt Studio:

• Your prompt content is sent directly to the AI provider's API (OpenAI, Anthropic, or Google)
• Your API key is sent (decrypted) in the Authorization header over HTTPS
• We do not see this data - it goes directly from your browser to the AI provider
• The AI provider's privacy policy applies to data sent to their APIs
• You are responsible for API costs incurred through your own API keys

Third-Party AI Service Privacy Policies

When using Prompt Studio, your data is subject to the privacy policies of the AI providers you choose:

• OpenAI: openai.com/policies/privacy-policy
• Anthropic: anthropic.com/privacy
• Google (Gemini): policies.google.com/privacy

We recommend reviewing these policies before using Prompt Studio.

Analytics (Optional)

We use Umami Analytics (privacy-focused, GDPR-compliant) to understand how the application is used. This analytics:

• Does not collect personal information
• Does not use cookies
• Does not track across websites
• Only collects anonymous usage statistics (page views, button clicks)
• Does not record your content, API keys, or prompts

Audit Logging (Optional Feature)

Markdown Studio includes an optional audit logging feature for enterprise compliance:

• Storage: Audit logs are stored locally in your browser's IndexedDB - they never leave your device
• What is logged: Prompt executions, export actions, settings changes, and API key operations (keys are redacted)
• Content redaction: You can configure content redaction levels (metadata only, preview, or full content)
• Retention: Logs remain until you explicitly clear them or clear browser data
• Webhook (optional): You may optionally configure a webhook URL to send audit events to external SIEM systems - this is entirely opt-in

PII Sanitization (Optional Feature)

The PII sanitization feature scans prompt content for sensitive patterns (SSN, credit cards, emails, phone numbers) before execution:

• Client-side only: All scanning happens in your browser - no data is sent to external services
• No data collection: Detected patterns are flagged locally but never transmitted or stored
• User control: You can bypass PII warnings at your discretion

Data Sent to LLM Providers

When you use Prompt Studio to execute prompts, the following data is sent to the selected AI provider:

• Your prompt content (system message, user message, and any filled variables)
• Model configuration (model ID, temperature, max tokens)
• Your API key (in the Authorization header, over HTTPS)

Important: You are solely responsible for the content you send to AI providers. Do not include sensitive personal data, trade secrets, or confidential information in prompts unless you understand and accept the provider's data handling policies.

External Links

Our site may contain links to external websites (like our Ko-fi support page). These external sites have their own privacy policies, and we have no control over their content or practices.

Children's Privacy

Since we don't collect any data, there are no special concerns regarding children's privacy. Anyone can use Markdown Studio without providing any personal information.

Changes to This Policy

If we ever change our practices (which would be unlikely given our commitment to privacy), we will update this page and the "Last updated" date above.

Contact

If you have any questions about this privacy policy, you can reach us at:

• Website: mdstudio.app

Your Rights

Since we don't collect any of your data, there's nothing to request, modify, or delete. You have complete control over your content through your own browser.