Privacy Policy
Last updated: 2026-05-17 · v4 (Sentry sub-processor added for application error monitoring)
This policy explains what personal data MedYields collects, why we collect it, who processes it on our behalf, and what rights you have under the EU General Data Protection Regulation (GDPR) and the equivalent laws in your country.
We are a small operation. The policy is written to be lawyer-readable but not pretentious. If anything below is unclear, write to hello@medyields.com and we will rewrite it.
For the terms governing your use of the service (subscription, content licence, methodology disclaimer), see our Terms of Service.
1. Who we are
MedYields is a service operated under the laws of Romania. We are the data controller for all personal data described below. For all privacy questions, data-subject requests, and complaints, contact us at hello@medyields.com or by post at: Siret, Suceava County, 725500, Romania. This page will be updated when MedYields is incorporated as a Romanian Societate cu Răspundere Limitată (SRL).
2. What we collect
We collect only what we need to run the service:
- Account data — your email address, and whatever optional name or profile information you provide to our authentication provider (Clerk). Collected when you sign up.
- Subscription data — billing email, country (for VAT), and the fact of an active or cancelled premium subscription. Collected when you subscribe through our payment processor (Gumroad).
- Newsletter data — your email address, if you subscribe to our weekly newsletter through the signup form. Collected at the moment you submit the form.
- Welcome-flow data — the email address you signed up with is mirrored to our transactional-email provider (Loops, with Resend as a contingent fallback) for the purpose of sending welcome and onboarding emails. No additional fields are sent.
- Server logs — your IP address and basic request metadata are written to application logs by our hosting providers (Vercel for the website, Fly.io for the backend API). Used for debugging and abuse prevention. Rotated every 7 days.
We do not collect: phone numbers, postal addresses, payment-card details (those go directly to Gumroad and never touch our servers), demographic information, marketing-tracking identifiers, behavioral profiles, or anything we do not have a specific use for.
3. Why we collect it (legal basis)
- Account and subscription data: contract performance (Article 6(1)(b) GDPR). We cannot provide premium access without knowing who has paid for it.
- Newsletter data: consent (Article 6(1)(a) GDPR). You opt in; you can opt out at any time using the unsubscribe link in every email.
- Server logs: legitimate interests (Article 6(1)(f) GDPR) — service operation, security, and abuse prevention.
- Error-reporting telemetry: legitimate interests (Article 6(1)(f) GDPR) — operational error monitoring via Sentry. Error events are scoped to debugging the service that you, the user, requested; the data does not feed any tracking, profiling, or advertising purpose.
4. Who processes data on our behalf (sub-processors)
We use the following service providers. Each is contractually bound to process your data only on our instructions, in line with GDPR Article 28.
| Processor | Role | Data they see | Jurisdiction |
|---|---|---|---|
| Clerk | Authentication and account management | Email, account metadata | United States, SCCs in place |
| Gumroad | Payment processing (Merchant of Record) | Billing email, country, payment-card details, transaction history | United States, SCCs in place |
| Loops | Transactional and newsletter email delivery | Email, signup source, subscription status | United States, SCCs in place |
| Resend (contingent fallback) | Transactional email if Loops deliverability fails | Email, send timestamp | United States, SCCs in place |
| Vercel | Website hosting | IP address, request logs | United States, SCCs in place |
| Fly.io | Backend API hosting | IP address, request logs | United States (EU region: Paris, France) |
| Neon | Database hosting (account + subscription rows) | Email, subscription status | Germany (eu-central-1) |
| Cloudflare | DNS resolution | DNS query metadata | United States, SCCs in place |
| Plausible Analytics | Privacy-preserving website analytics | Page-view counts, country, anonymised browser type. No cookies, no IP storage, no personal identifiers. | Germany |
| Sentry (Functional Software, Inc.) | Application error monitoring (frontend + backend) | Error messages, stack traces, IP address, browser / request metadata. Used solely for error attribution and debugging, not for tracking. | Germany (Frankfurt ingest edge), US (Sentry primary processing), SCCs in place |
We do not sell your data, share it with advertisers, or use it for behavioural retargeting. We have no advertising on the site.
5. International transfers
Several processors above are based outside the European Economic Area. Where personal data is transferred outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) as published in Commission Implementing Decision (EU) 2021/914, or on an applicable adequacy decision where one exists. Where neither applies, the transfer does not happen.
6. How long we keep it
- Active accounts: for as long as your account exists.
- Cancelled subscriptions: account row retained for 24 months after cancellation so you can resubscribe without losing history, then deleted unless you have an active free-tier account.
- Newsletter subscribers: until you unsubscribe, plus 30 days for deletion processing.
- Server logs: 7 days from creation.
- Billing records held by Gumroad: subject to their retention policy (typically 7 years for tax-record reasons under US and EU tax law).
7. Your rights
Under GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct anything that is inaccurate.
- Erasure (“right to be forgotten”) — ask us to delete your data, subject to legal retention obligations (tax records held by Gumroad cannot be deleted on request).
- Portability — receive your data in a machine-readable format (we will provide JSON).
- Restriction — ask us to pause processing while a dispute is resolved.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — for the newsletter, by clicking the unsubscribe link in any email or writing to us.
- Lodge a complaint — with your national data protection authority (in Romania, this is ANSPDCP — Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal, dataprotection.ro).
To exercise any of these rights, write to hello@medyields.com. We will respond within 30 days. We will not charge for these requests except in the rare case of manifestly unfounded or repetitive demands, in which case we will tell you first.
8. Cookies
We use cookies only when strictly necessary for service operation:
- Authentication cookies set by Clerk to keep you signed in. Required for the account and premium-content experience. Cannot be disabled without losing access to those features.
We do not use cookies for analytics (Plausible is cookieless), advertising (we have none), or cross-site tracking. No consent banner is shown because no non-essential cookies are set by us.
If you are signed in, our payment processor Gumroad may set its own cookies during the checkout flow; their privacy policy at gumroad.com/privacy describes those.
9. Children
The service is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has signed up, write to hello@medyields.com and we will delete the account.
10. Security
- All traffic is served over HTTPS with TLS 1.2 or higher.
- Payment-card data is handled exclusively by Gumroad (PCI-DSS compliant) and never reaches our servers.
- Authentication is handled by Clerk; we never see or store passwords.
- Database access is restricted to a single application user with row-level read/write permissions.
- We do not have a Bug Bounty Program at launch but welcome responsible disclosure to hello@medyields.com.
11. Changes to this policy
We will update this page with material changes and update the “Last updated” date at the top. If a change affects how we process personal data you have already given us, we will notify you by email before the change takes effect.
12. Contact
For any privacy question, data-subject request, or complaint: hello@medyields.com.
Postal correspondence: Siret, Suceava County, 725500, Romania.
13. Governing law
This policy is governed by Romanian law and by the EU General Data Protection Regulation (Regulation (EU) 2016/679). Where you reside in a different EU/EEA member state, you retain the protections of your local consumer-protection and data-protection laws to the extent those laws are mandatory and cannot be displaced by contract. Disputes that cannot be resolved by direct correspondence may be brought before the courts of Romania or, at your option as a consumer, before the courts of your habitual residence in the EU/EEA.