Overview
MerMD is a Markdown viewer that renders .md files from your device and optional cloud storage providers. The App does not collect any personally identifiable information. Anonymous, aggregated diagnostic and usage data is collected via Google Firebase to improve app stability and performance. All file content and cloud credentials remain on your device.
Information We Collect
What We Do NOT Collect
- No personal information (name, email address, phone number)
- No file contents or document data
- No file names or file paths
- No location data
- No advertising identifiers
- No cookies or web tracking
What We DO Collect (Anonymous & Aggregated)
- Crash reports via Firebase Crashlytics — to identify and fix bugs
- Usage analytics via Firebase Analytics — to understand which features are used
- Performance metrics via Firebase Performance Monitoring — to improve app speed
All collected data is anonymous and aggregated. It cannot be used to identify you personally.
Cloud Storage Integrations
MerMD offers optional integrations with third-party cloud storage providers to allow you to browse and view your Markdown files. These connections are entirely optional and initiated only by you.
GitHub
- What we access: Read-only access to your public and private repositories for browsing and viewing Markdown files.
- OAuth Scope:
repo(required to access private repositories) - How it works: The App uses GitHub's OAuth Device Flow. You visit a GitHub URL in any browser and enter a code displayed in the App. Your GitHub credentials are never seen or stored by the App.
- Data stored locally: An encrypted OAuth access token and your GitHub username are stored on-device using Android's EncryptedSharedPreferences (AES-256-GCM).
- Revoking access: You can sign out from within the App, or revoke access at GitHub Authorized Apps.
GitLab
- What we access: Read-only access to your GitLab projects and repository files for browsing and viewing Markdown content.
- OAuth Scope:
read_api - How it works: You provide a Personal Access Token (PAT) generated in your GitLab account settings. The App stores this token securely on your device.
- Data stored locally: Your PAT and GitLab username are stored on-device using Android's EncryptedSharedPreferences (AES-256-GCM).
- Revoking access: You can sign out from within the App. You can also revoke your PAT at GitLab Access Tokens.
Dropbox
- What we access: Read-only access to your Dropbox files and folders for browsing and viewing Markdown content.
- OAuth Scopes:
files.metadata.read,files.content.read - How it works: The App uses Dropbox's OAuth 2.0 with PKCE (Proof Key for Code Exchange) for secure authorisation. You are redirected to the Dropbox website in your browser to approve access. Your Dropbox credentials are never seen or stored by the App.
- Data stored locally: Encrypted OAuth access and refresh tokens are stored on-device using Android's EncryptedSharedPreferences (AES-256-GCM).
- Limited Use: Dropbox data is accessed solely to display your Markdown files in the App. It is never transferred to third parties, used for advertising, or used to build user profiles.
- AI/ML: Dropbox data is never used to train machine learning models or for any artificial intelligence purposes.
- Revoking access: You can sign out from within the App, or revoke access at Dropbox Connected Apps.
Microsoft OneDrive
- What we access: Read-only access to your OneDrive files and folders for browsing and viewing Markdown content.
- OAuth Scopes:
Files.Read.All,offline_access - How it works: The App uses Microsoft's OAuth 2.0 with PKCE for secure authorisation via the Microsoft identity platform. You are redirected to the Microsoft website in your browser to approve access. Your Microsoft credentials are never seen or stored by the App.
- Data stored locally: Encrypted OAuth access and refresh tokens are stored on-device using Android's EncryptedSharedPreferences (AES-256-GCM).
- Limited Use: OneDrive data is accessed solely to display your Markdown files in the App. It is never transferred to third parties, used for advertising, or used to build user profiles.
- AI/ML: OneDrive data is never used to train machine learning models or for any artificial intelligence purposes.
- Revoking access: You can sign out from within the App, or revoke access at Microsoft Account Permissions.
Data Stored on Your Device
MerMD stores the following data locally on your device only:
| Data | Purpose | Storage Method |
|---|---|---|
| User preferences | Theme, font size, rendering settings | Android DataStore (non-sensitive) |
| Recent files list | Quick access to recently opened files | Android DataStore |
| Starred files | Your bookmarked/favourite files | Android DataStore |
| Bookmarks & highlights | In-document bookmarks and text highlights | Android DataStore |
| Scroll positions | Resume reading from where you left off | Android DataStore |
| OAuth tokens | Authentication with cloud providers | EncryptedSharedPreferences (AES-256-GCM) |
| Cached files | Offline access to recently viewed cloud files | App-private internal storage |
All authentication tokens are encrypted using AES-256-GCM with keys stored in the Android Keystore, which provides hardware-backed key protection on supported devices.
Analytics & Crash Reporting
MerMD uses Google Firebase services to improve app stability and understand how features are used. All data collected is anonymous and aggregated — it cannot be used to identify you personally.
Firebase Crashlytics (Crash Reporting)
- What is collected: Stack traces and crash reports when the App encounters a fatal or non-fatal error. Anonymous context keys — such as your current theme, font size, view mode, and active feature flags (Mermaid diagrams, math rendering, syntax highlighting) — are attached to help reproduce issues. The active file's extension (e.g.,
.md) and URI scheme (e.g.,content://,https://) are logged to identify the type of file being viewed. File names, file paths, and file contents are never logged. - What is NOT collected: File contents, file names, full file paths, cloud account identifiers, or any personally identifiable information.
- Provider: Google LLC — Firebase Privacy Policy
Firebase Analytics (Usage Analytics)
- What is collected: Anonymous app usage events (e.g., screens visited, session duration), device type, Android OS version, and app version. No custom events containing personal or file-related data are logged.
- What is NOT collected: File names, document contents, cloud account identifiers, or any personally identifiable information.
- Provider: Google LLC — Firebase Privacy Policy
Firebase Performance Monitoring
- What is collected: App startup time, screen rendering performance, and network request latency to cloud provider APIs. All metrics are aggregated and anonymous.
- Provider: Google LLC — Firebase Privacy Policy
Data Sharing
We do not sell your data or share it with third parties for commercial purposes. The App:
- Does not contain any advertising SDKs
- Does not transmit any data to Labs Vedant's own servers
- Communicates with Firebase (Google) solely for anonymous crash reporting, usage analytics, and performance monitoring as described above
- Communicates with cloud provider APIs (GitHub, GitLab, Dropbox, Microsoft) only when you explicitly connect your account and browse files
Data Security
We implement the following security measures to protect your data:
- Encryption at rest: All OAuth tokens are encrypted using AES-256-GCM via Android's EncryptedSharedPreferences, backed by the Android Keystore.
- Encryption in transit: All network communication uses HTTPS/TLS. The App enforces HTTPS-only connections via a Network Security Configuration that blocks unencrypted (HTTP) traffic.
- PKCE protection: OAuth flows for Dropbox and OneDrive use PKCE to prevent authorisation code interception attacks.
- Backup exclusion: OAuth tokens (stored in SharedPreferences) and cached files are excluded from Android cloud backups and device-to-device transfers via explicit backup exclusion rules.
- Code obfuscation: Release builds use R8 with ProGuard rules for code minification and obfuscation.
Children's Privacy
MerMD does not target children and does not knowingly collect personal information from children under the age of 13. The App does not require account creation and does not collect any personally identifiable information. Anonymous diagnostic data collected via Firebase is not linked to any individual user.
Your Rights
MerMD does not collect or store any personally identifiable information on external servers. As such, traditional data rights apply as follows:
- All your personal data is on your device — you have full control at all times.
- Uninstalling the App removes all locally stored data, including tokens, cache, and preferences.
- Signing out of any cloud provider within the App immediately deletes the associated tokens from your device.
- Clearing App data via Android Settings removes all locally stored data.
- Anonymous Firebase data (crash reports, analytics) cannot be linked back to you and therefore cannot be individually deleted. Firebase's data retention policies apply as described in Google's Privacy Policy.
Third-Party Services
The App uses or may connect to the following third-party services:
| Service | Provider | Purpose | Privacy Policy |
|---|---|---|---|
| Firebase Crashlytics | Google LLC | Anonymous crash reporting | Firebase Privacy |
| Firebase Analytics | Google LLC | Anonymous usage analytics | Firebase Privacy |
| Firebase Performance | Google LLC | Anonymous performance metrics | Firebase Privacy |
| GitHub API | GitHub, Inc. | Optional cloud file browsing | GitHub Privacy |
| GitLab API | GitLab B.V. | Optional cloud file browsing | GitLab Privacy |
| Dropbox API | Dropbox, Inc. | Optional cloud file browsing | Dropbox Privacy |
| Microsoft Graph API | Microsoft Corporation | Optional cloud file browsing | Microsoft Privacy |
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Any changes will be reflected by updating the "Last Updated" date at the top of this document. We encourage you to review this Privacy Policy periodically.
Contact
If you have any questions or concerns about this Privacy Policy or the App's data practices, please contact:
Labs Vedant
📧 labsvedant@gmail.com