Privacy Policy
Effective May 25, 2026
What we collect
We collect the minimum data needed to run the service. Here is exactly what that is:
- Documents — the Markdown or HTML content you paste, plus metadata (title, slug, visibility setting, expiry date). Stored in Supabase.
- Email address — only if you create an account via magic link. Used exclusively for authentication and transactional email (welcome message, magic link delivery).
- IP addresses — collected transiently on report submissions and PIN unlock attempts. We immediately hash each IP with SHA-256 before writing it to the database. The hash is one-way — we cannot recover your original IP from it.
- Subscription data — if you upgrade to Pro or Pro Plus, Stripe processes your payment. We store only your Stripe customer ID and subscription status (tier, renewal date, payment state). No card numbers are stored by us.
- Error metadata — when the application encounters an error, Sentry may capture the request path, browser user-agent, and a sanitized stack trace. No document content is included in error reports.
- API keys — if you generate a key for MCP or API access, we store the label you choose and update last_used_at when that key authenticates a request. Plaintext keys are never stored.
- OAuth MCP connections — if you authorize Claude or another MCP client, we store the registered client ID, granted scopes, and token expiry times. Access tokens are stored as one-way hashes only — never in plaintext.
- Document content via MCP — content is transmitted only when you explicitly publish or update through a tool call. We do not read your local files or chat history.
We do not collect location data, device identifiers, browsing history, or any data beyond what is listed above.
How we use it
- To serve the documents you publish to anyone with the link.
- To authenticate your account and send you magic-link sign-in emails.
- To enforce rate limits on PIN unlock attempts (using hashed IPs) and to deduplicate abuse reports (same hashed IP, same document, counts once).
- To manage your subscription and grant access to paid features.
- To diagnose application errors and improve reliability.
We do not sell your data. We do not use your content to train machine learning models. We do not share your data with advertisers.
Third-party services
We use the following sub-processors to operate the Service. Each is contractually bound to handle data securely and receives only the data necessary for its function.
- Vercel (vercel.com) — application hosting and edge infrastructure. All HTTP requests to grtwo.app pass through Vercel's network. Vercel may log request metadata (IP address, path, user-agent) for a short period for security and reliability purposes.
- Supabase (supabase.com) — database, authentication, and session management. Stores document content, account data (email address), session tokens, and subscription records.
- Stripe (stripe.com) — payment processing. Handles billing for Pro and Pro Plus subscriptions. We store only your Stripe customer ID and subscription status. No card numbers are stored by us.
- Resend (resend.com) — transactional email. Used solely to deliver magic-link sign-in emails and account notifications. Your email address is shared with Resend for this purpose.
- Sentry (sentry.io) — error tracking. Captures sanitized error metadata (request path, browser type, stack trace) when the application encounters an error. No document content is included in error reports.
All data processed by sub-processors is handled in accordance with this policy. If you have questions about a specific vendor, contact us at hello@grtwo.app.
Data retention
- Documents — retained until you delete them, or until their expiry date passes (for documents published with a TTL). Deleted documents are removed from the database immediately.
- Accounts — retained until you request deletion. You may delete your account directly from your account settings page, or by emailing hello@grtwo.app. Deletion is completed within 30 days of your request. Subscription records are retained separately for accounting purposes (see below).
- Hashed IPs — retained for 90 days in rate-limit and report tables, then automatically purged.
- Error logs — retained for 90 days, then automatically purged.
- Anonymous publisher tokens — expire after 7 days.
- Subscription records — retained for the life of the subscription plus 7 years for accounting purposes (legal requirement).
Your rights
Depending on your jurisdiction, you may have rights including: access to your data, correction of inaccurate data, deletion of your data, and objection to certain processing. To exercise any of these rights, email us at hello@grtwo.app. We will respond within 30 days.
If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection authority.
Children
grtwo is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, contact us at hello@grtwo.app and we will delete it promptly.
Changes to this policy
We may update this policy from time to time. Material changes will be announced via the email address on your account (if you have one) at least 14 days before they take effect. The effective date at the top of this page is always current.
Contact
Questions about this policy? Email us at hello@grtwo.app. We aim to respond within 2 business days.