CmdCal
Sign in
CmdCal
Pricing
OverviewWhat CmdCal does and how the engine works.XLSXDeclarative spreadsheet generation with validation, repair, and template-aware workflows.PlaygroundTest the output layer with live JSON-to-PPTX preview.
DocumentationSDK references, API docs, and implementation guides.BlogTechnical deep-dives and product updates.
Sign in

Legal

Privacy Policy

How CmdCal collects, uses, and protects account data, documents, and usage information.

1. Introduction

Mindy Inc ("CmdCal," "Company," "we," "us") operates cmdcal.com (the "Service").

This Privacy Policy governs your use of the Service and explains how we collect, safeguard, and disclose information that results from your use of the Service. We use your data to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this policy.

Our Terms of Service govern all use of the Service and together with this Privacy Policy constitute your agreement with us.

2. Definitions

SERVICE means the cmdcal.com website and CmdCal API operated by Mindy Inc

PERSONAL DATA means data about a living individual who can be identified from that data (or from that data combined with other information in our possession or likely to come into our possession).

USAGE DATA means data collected automatically, generated by the use of the Service or from Service infrastructure (for example, feature usage patterns or API response times).

CUSTOMER CONTENT means any data, structured JSON input, presentation templates (.potx), document templates, images, or other materials submitted by you through the Service, and the generated output files (.pptx, .docx, .pdf). For self-hosted SDK users, Customer Content processed on your own infrastructure is not received or stored by us.

DATA CONTROLLER means the natural or legal person who determines the purposes and manner of processing personal data. For the purpose of this Privacy Policy, we are the Data Controller of your Account Data and Usage Data.

DATA PROCESSOR means any natural or legal person who processes data on behalf of the Data Controller. We act as Data Processor for Customer Content, as described in our DPA.

DATA SUBJECT means any living individual who is the subject of Personal Data.

3. Information Collection and Use

We collect several different types of information for various purposes to provide and improve the Service.

4. Types of Data Collected

Personal Data

While using the Service, we may ask you to provide personally identifiable information that can be used to contact or identify you, including:

  • Email address
  • First name and last name
  • Organization name and role
  • Usage Data

Usage Data

We collect information about how the Service is accessed and used. This may include your computer's IP address, browser type and version, the pages of the Service that you visit, the time and date of your visit, time spent on those pages, API call volume and response times, unique device identifiers, and other diagnostic data.

Payment Data

If you purchase a Subscription, payment information (including billing name, email address, billing address, and payment method details) is collected and processed by Paddle, our Merchant of Record. We do not store complete payment card information on our systems. Paddle adheres to PCI-DSS standards for the secure handling of payment information.

5. Use of Data

We use the collected data for the following purposes:

  1. To provide and maintain the Service (legal basis: contract);
  2. To notify you about changes to the Service (legal basis: contract);
  3. To allow you to use interactive features of the Service (legal basis: contract);
  4. To process payments through Paddle (legal basis: contract);
  5. To provide customer support (legal basis: legitimate interest);
  6. To gather analysis or valuable information so that we can improve the Service (legal basis: legitimate interest);
  7. To monitor the usage of the Service (legal basis: legitimate interest);
  8. To detect, prevent, and address technical issues, fraud, and abuse (legal basis: legitimate interest);
  9. To send transactional communications, including order confirmations, security alerts, and service notifications (legal basis: contract);
  10. To provide you with product updates and announcements about the Service, unless you have opted out (legal basis: legitimate interest);
  11. To comply with legal obligations (legal basis: legal obligation);
  12. For any other purpose with your consent (legal basis: consent).

We do not sell personal data. We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects.

6. Retention of Data

We retain Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy.

Account Data. Duration of your account, plus 30 days after deletion. Tax and transaction records may be retained for up to 5 years as required by applicable law.

Customer Content. Duration of your account. Available for export for 30 days after termination, then deleted.

Usage Data. Up to 24 months in pseudonymized or aggregated form. Usage Data used to strengthen security or improve Service functionality may be retained for longer periods.

Support Data. Up to 36 months from the date of last interaction.

Server Logs. Up to 90 days.

7. Transfer of Data

Your information, including Personal Data, may be transferred to and maintained on computers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ from those of your jurisdiction.

We are based in the Republic of Korea. Data may be processed in Korea, the United States, and other countries where our sub-processors operate.

We rely on EU and UK adequacy decisions for transfers to Korea. For transfers to the United States and other countries without an adequacy decision, we rely on Standard Contractual Clauses approved by the European Commission (Decision 2021/914) or other appropriate safeguards required by applicable data protection law.

Your use of the Service followed by your submission of information represents your agreement to these transfers. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.

8. Disclosure of Data

We may disclose personal information that we collect, or you provide:

Disclosure for Law Enforcement

Under certain circumstances, we may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities.

Service Providers

We disclose data to contractors, service providers, and other third parties we use to support our business, who are obligated to use it only for the purposes described. See Section 12.

Other Cases

We may disclose your information: (a) to fulfill the purpose for which you provide it; (b) in connection with a merger, acquisition, or sale of assets, with notice to you; or (c) with your consent.

9. Security of Data

The security of your data is important to us. We encrypt data in transit (TLS 1.2+) and at rest (AES-256). We use access controls, multi-factor authentication on infrastructure, logging, and regular security reviews. Detailed technical and organizational security measures are described in Annex II of our DPA.

No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

Report vulnerabilities to support@cmdcal.com.

10. Your Rights

Regardless of where you are located, you can:

  • Access your personal data and receive a copy
  • Rectify inaccurate or incomplete data
  • Request erasure of your data (subject to applicable exceptions)
  • Object to or restrict processing
  • Receive your data in a structured, machine-readable format (data portability)
  • Withdraw consent at any time where processing is based on consent

To exercise any of these rights, email privacy@cmdcal.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.

You have the right to complain to a data protection authority about our collection and use of your Personal Data.

11. Additional Rights for Specific Jurisdictions

GDPR (EU/EEA)

If you are a resident of the European Union or European Economic Area, the rights listed in Section 10 apply to you under the GDPR. We aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data. The legal bases for our processing are described in Section 5.

CCPA (California)

If you are a California resident, you are entitled to learn what data we collect about you, ask to delete your data, and not to sell or share it.

(a) Right to know. You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the business purpose for collecting it, and the categories of third parties with whom we share it.

(b) Right to delete. You may request that we delete the personal information we hold about you. In some cases, deletion may be accomplished through de-identification.

(c) Right to opt out of sale. We do not sell or rent your personal information to any third parties for any purpose. You are the only owner of your Personal Data and can request disclosure or deletion at any time.

We will not discriminate against you for exercising your rights.

To exercise your California data protection rights, email privacy@cmdcal.com.

CalOPPA

In accordance with the California Online Privacy Protection Act: (a) users can visit our site anonymously; (b) our Privacy Policy link is clearly accessible from our homepage; (c) users will be notified of privacy policy changes on this page; (d) users can change their personal information by emailing privacy@cmdcal.com.

12. Service Providers and Sub-processors

We use third-party companies and individuals to facilitate the Service, provide the Service on our behalf, or assist us in analyzing how the Service is used. These third parties have access to your Personal Data only to perform tasks on our behalf and are obligated not to disclose or use it for any other purpose.

The current list is maintained at cmdcal.com/subprocessors:

Provider Purpose Data Processed Location
Vercel Inc. Hosting, edge network, serverless functions IP address, request headers, access logs US
Supabase Inc. Database, authentication, storage Account data, application data US
Paddle.com Market Ltd. Payments (Merchant of Record) Billing name, email, address, payment method, transaction data UK
Functional Software Inc. (Sentry) Error monitoring IP address (anonymized), browser/OS, error stack traces US
PostHog Inc. Product analytics (EU Cloud) Pseudonymized usage events, device/browser type, pages visited Germany
Channel Corp. (채널코퍼레이션) Customer support chat Name, email, chat messages, browser/OS, IP address Korea
Cloudflare Inc. CDN, DDoS protection, DNS IP address, request headers, access logs Global
Resend Inc. Transactional email delivery Email address, name, email content US
Upstash Inc. Rate limiting, caching Pseudonymized request identifiers, usage counters US

Paddle as Merchant of Record

Paddle is an independent data controller for the personal data it collects in connection with payment transactions. Paddle's use of your personal information is governed by its own privacy policy at paddle.com/legal/privacy. Paddle adheres to PCI-DSS standards for the secure handling of payment information.

Analytics

We use PostHog for product analytics, configured in cookieless mode. PostHog uses a server-side hash (based on IP address and User Agent with a daily-rotating salt) that does not store data in your browser's cookies or local storage. PostHog Cloud EU is hosted in Frankfurt, Germany. IP addresses are not stored in their original form.

13. Cookies

Essential cookies. The Service uses a limited number of cookies strictly necessary for its operation, including session authentication and security tokens. These do not require consent because the Service cannot function without them.

Analytics. PostHog runs in cookieless mode. No cookies or local storage are used for analytics purposes.

Support. Channel.IO may set a session cookie when you initiate a chat to maintain your session.

We honor Global Privacy Control (GPC) signals. We do not respond to browser Do Not Track (DNT) signals as there is no industry-wide standard for compliance.

The Service may contain links to other sites that are not operated by us. If you click a third-party link, you will be directed to that third party's site. We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

15. Children's Privacy

The Service is not intended for use by anyone under the age of 16 ("Child" or "Children"). We do not knowingly collect personally identifiable information from children under 16. If you become aware that a child has provided us with Personal Data, please contact us at privacy@cmdcal.com. If we become aware that we have collected Personal Data from children without appropriate consent, we take steps to remove that information from our servers.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or prominent notice within the Service at least 30 days before they take effect. We will update the "Effective" date at the top of this policy.

You are advised to review this Privacy Policy periodically. Changes are effective when posted on this page.

17. Contact Us

If you have any questions about this Privacy Policy, please contact us:

By email: privacy@cmdcal.com

Mindy Inc Cheonan, Chungcheongnam-do, Republic of Korea

Need the rest of the legal review packet?

Terms, DPA, and subprocessors are in the same section so security and procurement can move quickly.

Try for free