Privacy Policy
Last updated: March 18, 2026
MassEdit ("we," "our," or "us") is operated by Exis LLC, a company based in New Jersey, United States. This policy explains what data we collect, how we use it, and your rights — including rights under the EU General Data Protection Regulation (GDPR) and UK GDPR.
01 — Data Controller
For the purposes of GDPR and applicable data protection law, the data controller is:
Exis LLC
New Jersey, United States
Email: admin@massedit.app
Support: massedit.app/Support
We do not have a designated Data Protection Officer (DPO) as we do not meet the thresholds requiring one under GDPR Article 37. For all privacy-related inquiries, contact us at admin@massedit.app.
02 — Information We Collect
Account Data
- Email address
- First and last name
- Hashed password
- Account creation date
- Last login timestamp
Google Account Data
- Google email address
- OAuth tokens (encrypted at rest)
- Names of files/folders you select
- Job metadata (counts, timestamps)
Payment Data
- Subscription status
- Transaction confirmations
- Last 4 digits of card (display only)
- Billing address (if provided)
Technical Data
- IP address (server logs)
- Browser type and version
- Session information
- Feature usage patterns
We do not store the content of your Google Documents. All document processing happens in real time via Google's APIs. Document text is read, processed in memory, and written back to Google — nothing is saved on our servers.
03 — Lawful Basis for Processing (GDPR)
For users in the EU and UK, we process your personal data under the following lawful bases:
| Processing Activity | Lawful Basis |
|---|---|
| Account creation and authentication | Contract (Art. 6(1)(b)) — necessary to provide the service |
| Processing Google Docs on your behalf | Contract (Art. 6(1)(b)) — core service delivery |
| Billing and subscription management | Contract + Legal Obligation (Art. 6(1)(b) and (c)) |
| Service communications (confirmations, resets) | Contract (Art. 6(1)(b)) |
| Security logging and fraud prevention | Legitimate Interests (Art. 6(1)(f)) |
| Service improvement and analytics | Legitimate Interests (Art. 6(1)(f)) |
04 — Google API Access & Scopes
When you connect your Google account, MassEdit requests the minimum permissions necessary to perform bulk editing. Google OAuth is used solely for document access — it is entirely separate from your MassEdit login.
| Scope | Edition | Why We Need It |
|---|---|---|
| userinfo.email | Both | Identify which Google account is connected to your MassEdit account |
| documents | Both | Read and apply find/replace changes to Google Docs you select |
| drive.readonly | Both | View file names, folder structure, and metadata in your Google Drive and Shared Drives. Read-only — we cannot modify your Drive organization with this permission. |
| drive.file | Both | Create new files and folders for processed document copies. Only used when you choose to save edited documents as new copies. |
MassEdit's use of Google API data adheres to the Google API Services User Data Policy, including Limited Use requirements. We do not use Google data for advertising, do not sell or share it with third parties, and do not use it for any purpose unrelated to providing our core service.
Revoking Google Access
You can disconnect MassEdit from your Google account at any time via Settings → Google Account → Disconnect, or directly at myaccount.google.com/permissions. Upon disconnection, all stored OAuth tokens are immediately and permanently deleted.
05 — How We Use Your Data
- Provide, operate, and maintain the MassEdit service
- Authenticate your identity and manage your account
- Process document editing jobs on your behalf
- Manage subscriptions and process payments via Stripe
- Send transactional emails (confirmations, password resets, job notifications)
- Enforce usage limits during trial periods
- Detect and prevent fraud, abuse, and security incidents
- Improve service performance and develop new features
- Respond to support requests
- Comply with legal obligations
We do not sell your personal data. We do not use your data for advertising. We do not share your data with third parties except as described in this policy.
06 — Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (name, email, password hash) | Until account deletion is requested |
| Google OAuth tokens | Until you disconnect Google — deleted immediately on disconnection |
| Job history metadata | 90 days, then automatically deleted |
| Payment records | 7 years as required by US tax law |
| Server/security logs | 30 days |
| Document content | Not stored — processed in memory only |
07 — International Data Transfers
MassEdit is hosted on Microsoft Azure infrastructure in the United States. If you are located in the European Union or United Kingdom, your personal data is transferred to and processed in the United States.
We rely on the EU Standard Contractual Clauses (SCCs) as the legal mechanism for transferring personal data from the EU/UK to the United States. Our hosting provider (Microsoft Azure) is certified under appropriate transfer frameworks and maintains SCCs for its data processing services.
For corporate customers requiring a formal Data Processing Agreement (DPA) including SCCs, please contact us at admin@massedit.app.
08 — Your Rights
All users have the following rights regarding their personal data. EU and UK users have these rights under GDPR/UK GDPR. US users have rights under applicable state law (including California CCPA where applicable).
Access
Request a copy of the personal data we hold about you.
Rectification
Correct inaccurate or incomplete personal data.
Erasure ("Right to be Forgotten")
Request deletion of your personal data. We will delete your account and all associated data within 30 days.
Portability
Receive your personal data in a structured, machine-readable format.
Restriction
Request that we restrict processing of your data in certain circumstances.
Objection
Object to processing based on legitimate interests at any time.
Withdraw Consent
Where processing is based on consent, withdraw it at any time without affecting prior processing.
Lodge a Complaint
EU/UK users may lodge a complaint with their local supervisory authority (e.g., ICO in the UK, or your national DPA).
To exercise any of these rights, contact us at admin@massedit.app. We will respond within 30 days.
09 — Security
- All data is transmitted over HTTPS/TLS — enforced via HSTS
- Google OAuth refresh tokens encrypted at rest using AES-256 (ASP.NET Data Protection)
- Passwords hashed using industry-standard algorithms — never stored in plaintext
- TOTP multi-factor authentication available for all accounts and enforced for enterprise accounts
- Email confirmation required before account activation
- Account lockout after 5 failed login attempts
- Application secrets managed via environment variables — not stored in code or config files
In the event of a data breach affecting your personal data, we will notify affected users and relevant supervisory authorities as required by applicable law.
10 — Third-Party Services
| Service | Purpose | Privacy Policy |
|---|---|---|
| Google APIs | Document access and processing | policies.google.com/privacy |
| Stripe | Payment processing — we never see your full card number | stripe.com/privacy |
| Microsoft Azure | Application hosting and infrastructure | privacy.microsoft.com |
11 — Cookies
We use only strictly necessary cookies that are essential for the application to function. No consent banner is required for these cookies under EU ePrivacy regulations, as they are exempt from consent requirements.
- Authentication cookie: Keeps you signed in to your account. Expires after 14 days of inactivity. Encrypted, HTTP-only, and transmitted only over HTTPS.
- Session cookie: Maintains your workflow state as you move through the editing wizard. Expires after 30 minutes of inactivity. HTTP-only and HTTPS-only.
- Two-factor authentication cookie: If you choose "Remember this machine" during two-factor login, this cookie allows you to skip the authenticator code on subsequent logins from the same browser. This cookie is optional and only set with your explicit action.
We do not use advertising cookies, tracking cookies, or third-party analytics cookies. All cookies are set with the SameSite=Lax attribute to help protect against cross-site request forgery attacks.
12 — Children's Privacy
MassEdit is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
13 — Changes to This Policy
We may update this privacy policy from time to time. For material changes, we will notify you by email or via a notice in the application at least 14 days before the change takes effect. Your continued use of the service after that date constitutes acceptance of the updated policy.
The current version of this policy is always available at massedit.app/Privacy.