Privacy Policy
The short version. Your profile is public because you published it. We store the file, remember who owns the handle, and log the requests we serve. We don't sell your data. We don't use it to train models. You can export or delete your profile any time.
1. Who we are
about-me.md is a service operated by The Holding Company ("we", "us"). We're the data controller for the personal information described below. Reach us at [email protected].
2. What we collect
2.1 Information you provide
- Account details — email address, chosen handle, and any authentication identifiers (OAuth subject IDs, WebAuthn keys) required to prove you own the account.
- Profile content — the markdown file you publish, any linked assets, and metadata you choose to attach (schema.org fields, contact rules, preferences, links). This is intentionally public unless you mark a section otherwise.
- Billing details — if you subscribe to a paid tier, our payments processor (see §5) collects card data on our behalf. We store only the last four digits, the plan tier, and the renewal date.
3.2 Information collected automatically
- Request logs — IP address (as forwarded by our CDN), user agent, requested path, response code, response time, and referrer. Retained 30 days for abuse detection and debugging, then aggregated.
- Agent gateway usage — for AI agent queries against your profile, we log the requesting IP, the query text, and the number of tokens returned so we can enforce rate limits and bill usage-tier customers.
- Cookies — a single first-party session cookie (
a_m_session) after login. No third-party tracking cookies. No advertising pixels.
3. How we use it
- Serve your published profile to humans and agents that request it.
- Authenticate you when you sign in to edit.
- Prevent abuse (rate limiting, spam detection, credential stuffing).
- Bill you if you subscribe.
- Send transactional email — invoices, security alerts, verification codes. Not marketing.
- Improve the product by looking at aggregate, non-identifying request patterns.
4. What we don't do
- We do not sell your personal information to anyone.
- We do not use your profile content or agent-gateway queries to train machine-learning models.
- We do not place third-party advertising trackers on any about-me.md page.
- We do not read your private profile sections for any purpose other than serving them to authorized requesters.
5. Who else touches your data
The subprocessors we rely on to operate the service, and what they see:
- Cloudflare — CDN and DDoS protection. Sees IP address and request path.
- AWS — hosting for the application and profile storage (us-east-1, us-west-2).
- Stripe — payment processing. Sees card data; we do not.
- Postmark — transactional email delivery. Sees email address and message body.
Each is contractually bound to process data only on our instructions and to keep it confidential.
6. Your rights
You have the right to:
- Export your profile as a single markdown file at any time (Settings → Export, or
GET /you.md). - Correct anything wrong in your account — edit and re-publish.
- Delete your account and all profile content within 30 days of your request. Some minimal records (payment invoices, abuse logs implicating you) may be retained longer if we're legally required to.
- Object to any specific use of your data by writing to [email protected].
- For EU/UK/Californian users: the additional rights described by GDPR, UK GDPR, and CCPA/CPRA respectively. We honor those requests globally.
7. Data retention
- Profile content — kept while your account exists and for 30 days after deletion (in case you reactivate).
- Request logs — 30 days.
- Billing records — 7 years (US tax law).
- Backups — rolling 30 days, then destroyed.
8. Children
about-me.md is not directed at children under 13, and we don't knowingly collect information from them. If you believe a child under 13 has published a profile, email us and we'll remove it.
9. Cross-border transfers
Our servers live in the United States. If you're in the EU, UK, or another jurisdiction with data-transfer restrictions, we rely on Standard Contractual Clauses with our subprocessors and treat your data as if GDPR applied.
10. Security
We use HTTPS for every request; hash passwords with bcrypt; store private profile sections encrypted at rest; scope API tokens to specific handles; and rotate access keys on a schedule. We disclose any breach that affects your account within 72 hours of confirmation.
11. Changes to this policy
When we change this policy in a way that reduces your rights, we'll email account-holders at least 30 days before the change takes effect. Cosmetic edits (typos, clarifications) are noted in the changelog at the bottom of this page.
12. Contact
Questions, requests, or complaints: [email protected]. For anything you'd rather send by post:
The Holding Company
Attn: Privacy
[postal address on file with your account]