
Privacy Policy

Effective May 27, 2026.

Markbase is a software product operated by AltaCoda LLC (“AltaCoda,” “we,” “us,” or “our”). This Privacy Policy describes how AltaCoda collects, uses, discloses, and protects information in connection with the Markbase platform and related services (collectively, the “Service”). Markbase is a hosted Markdown document store reached over the Model Context Protocol (MCP).

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.


1. Who We Are

AltaCoda LLC is the data controller for personal data collected through the Service in the course of operating the platform (such as your account information). Where you use the Service to store documents and we process personal data on your behalf, we act as a data processor. That relationship is governed by our Data Processing Addendum (DPA).

Contact: AltaCoda LLC, 1111 Broadway, Oakland, CA 94607. Email: hello@altacoda.io


2. What the Service Does — and What That Means for Your Data

Understanding how Markbase works is essential to understanding what data we handle.

Markbase is a hosted document store. Documents you submit to the Service — Markdown files, frontmatter, typed-collection records — are stored on infrastructure we operate, indexed for full-text search, and made accessible over MCP and over the dashboard.

Markbase is content-agnostic. We do not require you to submit personal data to the Service. If you choose to store personal data in your documents (for example, in notes about people, in CRM-style records, or in templates that include names or email addresses), we treat that content as confidential and process it only as described in this Privacy Policy and the DPA.

Agents act under credentials you authorize. When you connect an MCP Client to a workspace, the client receives an OAuth access token bound to the scopes you approve. Anything that client reads or writes flows through our systems on your behalf.


3. Information We Collect

3.1 Information You Provide

  • Account information: Name, email address, and the identifiers returned by our identity provider when you sign in.
  • Organization information: Organization name and details you provide during setup.
  • Workspace content: Markdown documents, frontmatter, typed-collection records, and _markbase.md files that you or your authorized agents submit to the Service. We treat workspace content as confidential; we access it only to operate the Service or with your instruction.
  • OAuth client metadata: Names, redirect URIs, and other client metadata you or your agents register through our Dynamic Client Registration endpoint.
  • Billing information (when applicable): Payment method details collected and processed by our payment processor. We do not store full payment card numbers on our servers.
  • Support communications: Information you provide when contacting us for support, including email address, message content, and any attachments.

3.2 Information Collected Through Use of the Service

  • Authentication data: Session identifiers, OAuth access tokens (stored hashed at rest), refresh tokens (hashed at rest), and authorization codes (hashed at rest, single-use).
  • Connection metadata: The list of MCP Clients authorized against your workspaces, scopes granted, and last-seen timestamps, surfaced on the Connections page in the dashboard.
  • Usage data: Information about how you interact with the dashboard and the MCP API, including endpoints called, response statuses, request rates, and timestamps.
  • Device and connection information: IP address, browser type and version, operating system, device identifiers, and referring URLs.
  • Analytics data: We use Google Analytics on the marketing site (markbase.cloud) to understand visitor behavior, and Mixpanel within the dashboard and Service to understand how the product is used. Analytics data is collected as described in each provider’s privacy documentation.

3.3 Information from Third-Party Sources

  • Identity provider: When you sign in with Google, Google returns the identity claims associated with your account (such as your name, email address, and a unique Google account identifier).
  • Payment processor (when applicable): Transaction status, payment confirmation, and limited billing details.

4. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service: Operating, maintaining, and delivering the features and functionality of Markbase, including storing and serving documents, maintaining the search index, brokering OAuth flows, and delivering API responses to your agents.
  • Account management: Creating and managing your Account, authenticating your identity, managing Authorized User access, and managing the MCP Clients you have authorized.
  • Billing (when applicable): Processing payments, managing subscriptions, issuing invoices, and communicating about billing matters.
  • Communications: Sending you service-related notices (such as account verification, security alerts, maintenance notifications, and changes to our terms or policies). These are transactional communications, not marketing.
  • Product improvement: Analyzing aggregated, de-identified usage patterns and trends to improve, develop, and optimize the Service. We do not use the contents of your documents to train machine learning models.
  • Security and fraud prevention: Detecting, investigating, and preventing unauthorized access, abuse, and other harmful activity, including monitoring for stolen-token reuse and rate-limit violations.
  • Legal compliance: Complying with applicable laws, regulations, legal processes, or enforceable governmental requests.
  • Support: Responding to your inquiries, troubleshooting issues, and providing customer support.

5. How We Share Your Information

We do not sell your personal information. We share information only in the following circumstances:

5.1 Service Providers (Subprocessors)

We share information with third-party service providers (subprocessors) who process data on our behalf to provide the Service. A complete list of our current subprocessors, including their purposes and locations, is maintained at markbase.cloud/subprocessors.

These providers are contractually obligated to use your information only as necessary to provide their services to us and in accordance with this Privacy Policy and applicable data protection laws.

5.2 Agents and MCP Clients You Authorize

When you authorize an MCP Client, that client can read and write Content in the scopes you granted. The Service transmits Content to that client over its TLS connection. We are not responsible for what the client does with the Content after it receives it; that is governed by your agreement with the client’s provider.

5.3 Within Your Organization

Account administrators and Authorized Users within your organization may have access to shared organizational workspaces, documents, typed collections, and connection lists as determined by your Account settings and any access controls you configure.

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of AltaCoda, our users, or the public.

5.5 Business Transfers

In connection with a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change in ownership or control of your personal information.

We may share your information in other circumstances with your explicit consent.


6. Data Retention

  • Account data: Retained for as long as your Account is active. Upon account closure, your data is deleted in accordance with our data deletion procedures, subject to any legal retention obligations.
  • Workspace content (documents and typed-collection records): Retained for as long as your workspace exists. Deleted documents are moved to a per-workspace trash and permanently purged on a scheduled basis (currently daily). Older object-storage versions may persist for a limited additional period under bucket-level versioning retention.
  • OAuth tokens: Access tokens expire after one hour. Refresh tokens are rotated on every use and expire after thirty (30) days of inactivity. Revoked tokens are retained in hashed form long enough to detect token-reuse and chain-revocation scenarios.
  • Billing records (when applicable): Retained for as long as necessary to comply with tax, accounting, and legal obligations (typically up to 7 years).
  • Support communications: Retained for as long as necessary to resolve your inquiry and for a reasonable period thereafter for quality and training purposes.
  • Server logs: Automatically deleted or anonymized after 90 days.

7. Data Security

We implement commercially reasonable technical and organizational measures to protect your information, including:

  • Encryption of data in transit (TLS 1.2 or higher) for all external communications.
  • Encryption of data at rest in our database and in object storage.
  • OAuth access tokens signed with rotating RS256 keys; refresh tokens and authorization codes hashed at rest.
  • Rate limits on the MCP endpoint, OAuth flows, and Dynamic Client Registration to detect and mitigate abuse.
  • Access controls and authentication requirements for all internal personnel; principle of least privilege for production access.
  • Centralized logging of access to production systems and monitoring for anomalous activity.
  • Regular security reviews of changes to authentication, authorization, and storage code paths.

No method of transmission over the Internet or electronic storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.


8. Your Rights and Choices

8.1 Account Information

You may access, update, or correct your account information at any time through the dashboard or by contacting us at hello@altacoda.io.

8.2 Workspace Content

You may read, modify, list, and delete documents at any time through the MCP API or the dashboard. Deletion is subject to the soft-delete and purge behavior described in Section 6.

8.3 Connection Management

You may revoke an MCP Client’s access to your workspaces at any time from the Connections page in the dashboard. Revocation invalidates the client’s refresh token immediately; previously-issued access tokens expire on their normal one-hour schedule.

8.4 Account Deletion

You may request deletion of your Account and associated data by contacting us at hello@altacoda.io. Deletion is permanent and subject to the retention periods described in Section 6.

8.5 Communications Preferences

You may manage your notification preferences through the dashboard where available. Note that you cannot opt out of transactional communications necessary for the operation of your Account (such as security alerts and billing notices).

8.6 Cookies and Tracking

The Service uses cookies and similar technologies for session management, authentication, and analytics. You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Service.


9. Rights for EEA, UK, and Swiss Individuals

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have additional rights under applicable data protection laws, including the General Data Protection Regulation (GDPR) and the UK GDPR.

We process your personal data on the following legal bases:

  • Contract performance: Processing necessary to provide the Service and fulfill our contractual obligations to you (Article 6(1)(b) GDPR).
  • Legitimate interests: Processing necessary for our legitimate interests, such as improving the Service, ensuring security, and preventing fraud, where those interests are not overridden by your rights (Article 6(1)(f) GDPR).
  • Legal obligation: Processing necessary to comply with applicable laws (Article 6(1)(c) GDPR).
  • Consent: Where you have given explicit consent for a specific purpose. You may withdraw consent at any time.

9.2 Your GDPR Rights

You have the right to:

  • Access your personal data and obtain a copy.
  • Rectify inaccurate or incomplete personal data.
  • Erase your personal data (subject to legal retention requirements).
  • Restrict processing of your personal data in certain circumstances.
  • Data portability — receive your personal data in a structured, commonly used, machine-readable format.
  • Object to processing based on legitimate interests.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with your local data protection authority.

To exercise these rights, contact us at hello@altacoda.io. We will respond within 30 days (or such shorter period as required by applicable law).

9.3 International Transfers

Your personal data may be transferred to and processed outside of the EEA, UK, or Switzerland — most notably to the United States (object storage) and within the EEA itself (application infrastructure in Germany). When we transfer personal data out of the EEA, UK, or Switzerland to a country without an adequacy decision, we rely on appropriate safeguards as described in our DPA, which may include Standard Contractual Clauses approved by the European Commission.


10. Rights for California Residents

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

10.1 Categories of Personal Information

In the preceding 12 months, we may have collected the following categories of personal information: identifiers (name, email, IP address, user identifiers from our identity provider), commercial information (billing records and subscription history, where applicable), internet or electronic network activity (usage data, device information), and professional information (organization name, role).

10.2 Your CCPA/CPRA Rights

You have the right to:

  • Know what personal information we collect, use, and disclose.
  • Delete your personal information (subject to exceptions).
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of personal information. We do not sell or share your personal information as defined by the CCPA/CPRA.
  • Non-discrimination for exercising your rights.

To exercise these rights, contact us at hello@altacoda.io. We will verify your identity before processing your request.

10.3 Authorized Agents

You may designate an authorized agent to make requests on your behalf. We may require you to verify your identity directly and confirm the agent’s authority.


11. Children’s Privacy

The Service is not directed to individuals under the age of 16, and we do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at hello@altacoda.io.


The Service may contain links to third-party websites or services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access, including any MCP Client you authorize to access your workspaces.


13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least thirty (30) days before the changes take effect. The “Effective Date” at the top of this page indicates when the policy was last revised. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.


14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

AltaCoda LLC, 1111 Broadway, Oakland, CA 94607. Email: hello@altacoda.io

For GDPR-related inquiries, you may also contact us at the address above. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.


Last updated: May 27, 2026