Privacy Policy

Last updated: April 30, 2026

We operate the grade.dev website and the grade review platform (collectively, the “Service”). This Privacy Policy explains what we collect, how we use it, who we share it with, and how to delete it.

grade is built around data minimization. Reviews auto-expire (default 30 days, max 180), commenter identity can be hidden in anonymous mode, and we do not run third-party analytics or trackers.

1. Information We Collect

1.1 Information you provide

• Email address — used to send you a one-time code or magic link for sign-in. We do not store passwords.
• Display name (optional) — if you set one in your account.
• Review content — the markdown documents, code, and diagrams you (or an MCP-connected agent acting on your behalf) push into a review.
• Comments and annotations — text comments, highlighted passages, and multiple-choice responses left by reviewers.
• API keys — names and salted SHA-256 hashes of MCP API keys you generate. The plaintext key is shown to you once at issue and is never persisted.

1.2 Information collected automatically

• Authentication metadata — IP address and timestamps for sign-in events, used to prevent abuse and rate-limit the auth endpoints. Handled by our auth subprocessor (Supabase) and not retained by us beyond their default windows.
• Strictly-necessary cookies — Supabase auth session cookies for signed-in creators, and a per-review session cookie (grade_rev_<publicId>) that lets a returning reviewer keep their thread of comments. No tracking or analytics cookies.
• MCP request metadata — when an agent calls the remote MCP, we record the tool name, latency, and result status against the calling API key for rate-limiting and abuse detection.

1.3 Information we do not collect

• We do not run third-party analytics, tracking pixels, or advertising SDKs.
• We do not store the plaintext of any API key — only a salted hash.
• In anonymous-mode reviews, the review owner cannot see commenter identities, and our public DTOs strip identity-correlatable fields. Internally we still associate a comment with the session that produced it, so a returning commenter can edit their own thread, but that mapping is never exposed.

2. How We Use Your Information

• To create your account and authenticate you.
• To render the reviews you create and route comments back through MCP to the requesting agent.
• To send transactional emails: sign-in codes, magic links, and notifications when feedback arrives or a review is approaching its expiry.
• To enforce rate limits and prevent abuse of the MCP and reviewer auth endpoints.
• To respond to support and legal requests.

3. Subprocessors

We rely on the following providers to operate the Service. Each is contractually bound to protect your data and processes it on our behalf, not theirs.

• Supabase (Postgres database + email-OTP auth) — stores your account, reviews, comments, and API key hashes. supabase.com/privacy
• Vercel (web hosting + serverless functions + cron) — serves the Service. vercel.com/legal/privacy-policy

4. Data Retention & Auto-Expiry

Every review you create has a mandatory expiration date (default 30 days, configurable from 1 to 180 days). When that date passes:

• Public review URLs return 410 Gone; the MCP returns an expired error for any tool that targets the review.
• A daily job hard-deletesall the review's revisions, annotations, comments, quiz responses, and reviewer sessions.
• The review itself is kept as a tombstone for ~30 days so visitors see “this review expired” instead of a generic 404, and is then dropped entirely.

If you delete a review manually (via the dashboard or the MCP delete_review tool), all child rows are removed immediately.

If you delete your account, we remove your account record, your API keys, and all reviews you own within 30 days.

5. How We Share Your Information

We do not sell or rent your information. We share it only:

• With the subprocessors listed in Section 3.
• When you grant access — for example, by sharing a public review link, or by configuring a third-party MCP client (Claude Code, Cursor, ChatGPT) with your API key.
• When required by law, regulation, valid legal process, or governmental request.
• In connection with a merger, acquisition, or sale of assets — in which case we will notify you and the acquirer will be bound by a policy at least as protective as this one.

6. Your Rights

Depending on where you live, you have some or all of the following:

• Access — request a copy of the personal information we hold about you.
• Correction — request correction of inaccurate or incomplete information.
• Deletion — request deletion of your account and associated data.
• Portability — request your data in a structured, machine-readable format (use the MCP list_reviews +get_page_feedback tools, or email us).
• Objection & restriction — object to certain processing, or ask us to restrict it.

To exercise any of these, email [email protected].

European Economic Area & UK (GDPR / UK GDPR)

Our legal bases are: performance of a contract (operating the Service), legitimate interest (fraud prevention, rate-limiting), and consent where required. You may lodge a complaint with your local data-protection authority.

California (CCPA / CPRA)

We do not sell or share personal information for cross-context behavioral advertising. California residents have the right to know, delete, correct, and opt out of sale; contact us using the address below.

7. International Data Transfers

Our subprocessors may process data outside your country of residence, including in the United States and the European Union. Where required, we rely on standard contractual clauses or equivalent safeguards provided by those subprocessors.

8. Security

Connections to the Service use HTTPS. API keys are stored only as salted SHA-256 hashes. Auth tokens are HMAC-signed with a server-side secret. Reviewer sessions are scoped to a single review via a per-link cookie. We do not have access to the plaintext of any API key after issuance.

No system is perfectly secure. If you discover a vulnerability, please report it to [email protected].

9. Children

grade is not intended for individuals under 16. We do not knowingly collect personal information from children under 16; if we learn we have, we will delete it.

10. Changes to This Policy

We may update this Policy. Material changes will be posted here with an updated “Last updated” date and, where reasonable, notified to active accounts by email. Continued use of the Service after the effective date constitutes acceptance.

11. Contact

Email: [email protected]
Operator: Lost Property LLC
Website: https://grade.dev