Privacy Policy

This Privacy Policy explains how verso.md (“verso.md”, “we”, “our”, or “us”) collects, uses, discloses, and retains personal information when you use our collaborative markdown editor and related services (collectively, the “Service”). It applies to anyone who creates an account, interacts with the product, or otherwise communicates with us.

By using the Service, you acknowledge this policy. If you do not agree with it, do not use the Service. Continued use after changes take effect constitutes acceptance of the updated policy.

Questions, requests, and notices related to this policy can be sent to privacy@verso.md. We aim to respond within a reasonable period, subject to identity verification and the limits described in section 8.

The categories of personal information we collect are illustrative, not exhaustive, and may evolve as the Service evolves:

• Account information. Name, email, GitHub username, avatar, and authentication identifiers issued by GitHub or our authentication provider.
• Content. Drafts, files, comments, AI prompts, attachments, and any other material you create, upload, or share inside the Service.
• Repository metadata. When you connect GitHub, the list of repositories, branches, file paths, and commit metadata necessary to render and edit your content.
• Usage and device data. Pages and features you use, timestamps, click and scroll signals, browser, operating system, device type, IP address, and approximate geolocation derived from IP.
• Communications. Support emails, in-product messages, survey responses, and feedback you send us.
• Billing data. Plan, billing email, and invoice history. Payment card numbers are processed by Stripe and never stored on our servers.
• Diagnostic and security data. Error reports, audit logs, request signatures, and information necessary to detect or investigate abuse.

We may also derive aggregated and de-identified data from the above (see section 3).

We process personal information for the broad set of legitimate business purposes necessary to operate verso.md. The list below is illustrative, not exhaustive:

• Providing, maintaining, and operating the Service.
• Authenticating users and securing accounts.
• Detecting, preventing, and investigating fraud, abuse, security incidents, and violations of our Terms of Use.
• Billing, invoicing, and managing subscriptions.
• Providing support and responding to user communications.
• Debugging, performance monitoring, error reporting, and reliability engineering.
• Analyzing product usage to maintain and improve features, develop new features, and conduct internal research.
• Sending operational, transactional, and (where permitted) occasional product communications.
• Complying with applicable law, regulation, court orders, and governmental requests; enforcing our agreements; and protecting our rights, property, safety, users, and the public.

Aggregated and de-identified data

We may aggregate or de-identify personal information so it can no longer reasonably be linked to a particular person or device. We may retain and use such aggregated or de-identified data indefinitely for any lawful purpose, including improving the Service, publishing insights, and operating our business.

No sale of personal data

We do not sell personal information for monetary consideration as that term is defined under the California Consumer Privacy Act (CCPA/CPRA) or other comparable laws. Sharing data with our subprocessors so they can perform services on our behalf is not a sale.

AI training carve-out

We do not use your content to train third-party AI models without your explicit consent. Internal product analytics performed on aggregated or de-identified usage data is permitted under this policy.

We rely on third-party processors and infrastructure providers to operate the Service. The list below is current as of the “Last updated” date and is provided for transparency; it may be expanded, reduced, or substituted as the Service evolves without giving rise to a breach of this policy. Continued use after we update the policy constitutes acceptance.

• GitHub — repository hosting and OAuth authentication. We act on the permissions you grant during the OAuth flow and never write outside the scope you authorize.
• Supabase — managed Postgres and authentication infrastructure for accounts, drafts, and metadata.
• Vercel — application hosting and serverless runtime.
• PartyKit — real-time collaboration backend for multiplayer editing.
• Stripe — payment processing and subscription billing. Stripe handles card data directly under its own agreements.
• PostHog — product analytics and event instrumentation.
• OpenAI, Anthropic, and other model providers — inference for AI features when selected by the user.

Each provider has its own privacy policy and security posture. Where we are subject to data-protection laws that require it, we enter into appropriate processor or transfer agreements (such as Standard Contractual Clauses for international transfers).

You retain ownership of the content you create or upload to the Service. To provide the Service we need a worldwide, non-exclusive, royalty-free, sublicensable license to host, store, transmit, display, reproduce, and (only as needed to operate features such as format conversion, search indexing, AI inference, and version history) modify and create derivative works from your content. The full terms of that license, and how it survives termination for backups and legal-hold purposes, are described in our Terms of Use.

You are responsible for the content you upload and for ensuring you have the rights to do so. You should not upload content that you are not authorized to share, and you should not upload highly sensitive data — including regulated health, financial, government, or biometric data — unless covered by a separate written agreement with us.

When you use AI features, your prompts (which may include excerpts of your drafts, code, and repository metadata) are transmitted to the model provider you select to generate a response. We do not control how those providers process inputs or outputs beyond the contractual commitments they make to us.

When you use a Bring-Your-Own-Key (BYOK) configuration, your API key is used to call the provider directly and is stored only as required to operate the feature on your behalf. We do not transmit BYOK keys to any third party other than the provider they authenticate with.

AI outputs are generated by third-party models and are provided to you on an “AS IS” basis. We do not warrant that outputs are accurate, complete, original, non-infringing, or fit for any particular purpose. You are responsible for reviewing AI outputs before relying on them. The full disclaimer is in our Terms of Use.

We use cookies and similar technologies (such as local storage and server-issued tokens) for two purposes:

• Strictly necessary. Authenticating sessions, remembering preferences, securing requests against forgery, and operating real-time collaboration.
• Product analytics. Understanding how features are used so we can prioritize improvements. We use PostHog for this purpose.

We do not use advertising cookies, third-party advertising trackers, or cross-site tracking pixels. Where required by law, we will surface a cookie consent or preferences mechanism; the absence of such a mechanism in your jurisdiction means it is not legally required for the categories above.

Depending on where you reside, you may have the right to access, correct, delete, or port your personal information, to opt out of certain processing, and to lodge a complaint with a data protection authority. To exercise these rights, contact us at privacy@verso.md.

We may need to verify your identity before responding, and we may decline requests that are unverifiable, repetitive, manifestly unfounded, or that we are required by law to refuse. Where the law permits, we may charge a reasonable fee for excessive requests.

Even after you delete your account, we may retain personal information for a period sufficient to (a) recover from backups, (b) comply with legal, tax, audit, or accounting obligations, (c) resolve disputes, and (d) enforce our agreements. Backup rotations generally complete within 90 days of deletion. Data subject to a legal hold may be retained longer.

When we disclose information

We may disclose personal information:

• To our subprocessors and service providers, as needed to operate the Service and bound by contractual confidentiality obligations.
• When required by law, court order, subpoena, or valid governmental request, or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of verso.md, our users, or the public, or to investigate or address suspected abuse or violations of our agreements.
• To professional advisors (lawyers, accountants, auditors, insurers) under confidentiality.
• In connection with a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction, in which case the successor entity inherits this policy and any commitments made under it.
• With your direction or consent.

International transfers

The Service is operated from the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the United States and other jurisdictions where our subprocessors operate. Where required, we use Standard Contractual Clauses or other lawful transfer mechanisms.

Children

The Service is not directed to individuals under 16, and we do not knowingly collect personal information from them. If we learn we have collected information from a child, we will delete it.

Security

We implement commercially reasonable technical and organizational safeguards designed to protect personal information. No system is perfectly secure, however, and we make no warranty that the Service will be secure or error-free. Except to the extent caused by our gross negligence or willful misconduct, we are not liable for unauthorized access, disclosure, alteration, or destruction of personal information by third parties.

Changes to this policy

We may update this policy from time to time. When we do, we will update the “Last updated” date at the top of this page and add an entry to the change log below. For material changes, we will use commercially reasonable efforts to notify account holders via email or in-product notice, but posting the updated policy on this page is sufficient notice. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

How to contact us

For privacy questions, requests, or notices, write to privacy@verso.md. For general support, see our Guide. For terms of use, see our Terms of Use.