Privacy Policy

Name: MidOS
Author: MidOS Research

Effective Date: February 23, 2026 Last Updated: February 23, 2026

1. Who We Are

MidOS Research (“we”, “us”) operates the MidOS knowledge infrastructure service at midos.dev. This policy explains how we handle your data.

2. Data We Collect

2.1 Account Data

Email address (for authentication and communication)
Hashed password (bcrypt, never stored in plaintext)
Tier and subscription status

2.2 Usage Data

API queries (tool name, timestamp, response status)
Rate limiting counters (per-key, per-IP)
Session metadata (session ID, duration, tool call count)

2.3 Content You Submit

Feedback and ratings submitted via submit_feedback
Research requests (topic, context)
Episodic memory entries (if your tier supports write access)

2.4 Analytics

We use Umami (privacy-first, cookie-free analytics) on midos.dev
Umami does not use cookies, does not track across sites, and does not collect personal data
We see aggregate page views and referrers only

2.5 Payment Data

Payments are processed by Paddle (Merchant of Record)
Paddle collects payment details (card, PayPal, etc.) directly
We receive only: transaction ID, subscription status, tier, and email
We never see or store your full card number

3. How We Use Your Data

Data	Purpose	Legal Basis
Email	Authentication, billing notices, service updates	Contract performance
API queries	Rate limiting, abuse prevention, service improvement	Legitimate interest
Feedback	Quality improvement, knowledge validation	Consent (you choose to submit)
Research requests	Delivering the research service you requested	Contract performance
Episodic memory	Providing cross-session memory features	Contract performance
Analytics	Understanding usage patterns, improving UX	Legitimate interest

4. Data We Do NOT Collect

We do not track you across websites
We do not use advertising cookies or trackers
We do not sell or share your data with advertisers
We do not read the content of your source code or repositories
We do not use your queries to train AI models

5. Data Retention

Data	Retention
Account data	Until you delete your account + 30 days
API logs	90 days, then aggregated (anonymized)
Feedback	Indefinite (used for knowledge quality)
Research requests	1 year after delivery
Episodic memory	Until you delete it or close your account
Payment records	As required by tax law (typically 7 years, held by Paddle)

We share data only with:

Paddle — payment processing (as Merchant of Record, they are the data controller for payment data)
Hetzner — infrastructure hosting (EU servers, GDPR-compliant)
Law enforcement — only when legally compelled

We do not sell data. We do not share data with analytics companies, ad networks, or data brokers.

7. Your Rights

You have the right to:

Access your data — request an export via [email protected]
Correct inaccurate data — update your profile or contact us
Delete your account and associated data — contact us or use the dashboard
Export your episodic memory and feedback — available via API or on request
Object to processing based on legitimate interest
Withdraw consent for optional data processing (e.g., feedback) at any time

We respond to rights requests within 30 days.

8. Security

Passwords are hashed with bcrypt
API keys are generated with cryptographic randomness
All traffic is encrypted via TLS (HTTPS)
Infrastructure hosted on Hetzner (EU) with automated backups
Access to production systems is restricted and logged

9. International Transfers

Our servers are located in the EU (Hetzner, Germany). If you access the Service from outside the EU, your data is transferred to and processed in the EU under GDPR-level protections.

10. Children

MidOS is not directed at children under 16. We do not knowingly collect data from children.

11. Changes

We may update this policy. Material changes are announced via email to paid subscribers and on the website. The “Last Updated” date at the top reflects the most recent revision.

12. Contact

For privacy questions or rights requests: [email protected]