Privacy Policy

Version 2026-05-27

Mediary is trust infrastructure for autonomous agents. This policy describes what we collect when you visit our marketing pages and how we use it. We do not sell personal data or share it with third parties for marketing purposes.

What we collect

When you visit any page on mediary.co, we use a product analytics service (PostHog, EU region) to record:

  • Page views and page leaves — URL, page title, time on page, referrer.
  • Session replay frames — visual reconstruction of how the page rendered for you. In the replay frames, all <input> and <textarea> values and elements marked sensitive are masked at capture, so the recording does not contain raw values you typed into form fields. (Text you choose to send via the feedback widget below is a deliberate exception — see “Feedback widget”.)
  • Browser environment — user-agent string, screen size, viewport, language preference.
  • An anonymous session identifier — a randomly generated ID stored client-side so we can group events from the same visit. It is not linked to your identity.

We do not use autocapture (we don't record every click or input event), and we do not create person profiles for anonymous visitors. Profile creation only happens for authenticated users on the platform (`platform.mediary.co`), which is covered by a separate notice.

Feedback widget

Selected operator devices see a feedback button on marketing pages. If you submit feedback, the submission includes your free-text comment, an optional rating, the page you were on, and the same anonymous session identifier described above. Comments are truncated to 2000 characters at capture.

The widget is only visible to a small allowlist of operator IP addresses; you will not see it unless your IP is on that list. The allowlist evaluation happens server-side based on the IP your browser presents to our edge.

IP address handling

Your IP address is used at two points:

  • Rate-limiting public endpoints (to prevent abuse).
  • Evaluating the operator feedback-widget allowlist.

IP addresses are anonymised in our CDN access logs at ingestion. Application logs record the IP only for the duration of a single request; we do not store IP addresses in our analytics database alongside event data beyond what PostHog itself retains under its standard retention policy.

Legal basis

We process the data described above under legitimate interest (GDPR Article 6(1)(f)) for the purpose of understanding how visitors use our marketing pages, debugging issues, and improving the product. We rely on legitimate interest because:

  • The data we collect is minimised (no autocapture, masked text in replay, anonymous identifiers, no cross-site tracking).
  • We don't profile individuals or use the data for advertising or any decision that affects you.
  • The processing is necessary to operate the marketing pages and feedback workflow.

You can object to this processing at any time using the contact address below; we will honour the objection within a reasonable timeframe.

Third parties

We use PostHog (PostHog Inc., EU region: eu.i.posthog.com) as our product analytics processor. We have a Data Processing Agreement in place. PostHog retains event data according to its standard retention policy; session recordings are retained for a shorter period (typically 30 days unless we extend retention for a specific investigation).

We do not use Google Analytics, Facebook Pixel, or any advertising-network tracking on marketing pages.

Your rights

Under GDPR you have the right to access, correct, or delete data we hold about you, and to object to or restrict processing. Because we don't link marketing-page analytics to identifiable people, requests to access or delete specific events require you to provide enough context for us to find them (typically the anonymous session ID, which you can read from your browser's cookies on a page visit).

Contact

For questions, objections, or rights requests, contact privacy@mediary.co.

Changes to this policy

We will update this page (and the version date above) when we make material changes to data collection or processing. The version date reflects the most recent substantive change, not minor typographical edits.