Privacy Policy
Last updated: May 2026
This Privacy Policy explains how ApexMCP ("we", "our", "us") collects, uses, and protects your personal data when you use our Service. The Service is operated by Andrew James Camilleri Micallef, a sole trader registered in Malta with VAT identification number MT30163832. We are committed to GDPR compliance and act as data controller for account data and as data processor for the connector data you route through the Service.
1. Data We Collect
Account information
- Name, email address, and profile information from your identity provider
- Organisation name and billing address
- Payment method details (tokenised and processed by Stripe — we do not store card numbers)
Usage logs
- API call logs, connector activity, and feature usage events
- IP addresses and browser / device information
- Session data and authentication events
Audit logs
- Every tool call, credential access, and administrative action is logged with timestamp, actor, and IP
- Audit logs form an immutable hash chain. PII redaction is available on export via account settings.
2. How We Use Your Data
- Service delivery: Providing, maintaining, and operating the MCP gateway and connector infrastructure
- Billing: Processing payments, tracking usage against plan limits, and issuing invoices via Stripe
- Security: Detecting abuse, enforcing IP allowlists, maintaining audit log integrity, and responding to incidents
- Communication: Transactional emails (account alerts, invoices) via Resend; marketing emails only with your consent
- Legal obligations: Tax records, regulatory compliance, responding to lawful requests
3. Data Retention
- Audit logs: Retained for 90 days on standard plans; extended retention available on request
- Account data: Retained for the duration of your subscription; deleted on request within 30 days of account deletion
- Payment records: Retained for 7 years for tax and regulatory compliance
4. Your GDPR Rights
Under GDPR, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Portability: Receive your data in a machine-readable format
- Restriction: Request that we limit processing of your data
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent
To exercise these rights, use the Data & Privacy section in your account settings or email privacy@apexmcp.ai. We will respond within 30 days.
5. Sub-Processors
We engage the following sub-processors. All are bound by data processing agreements (DPAs) and Standard Contractual Clauses (SCCs) where applicable. Signed copies are retained for our records and available to enterprise customers on request to legal@apexmcp.ai under NDA. Public DPA references: Stripe (stripe.com/legal/dpa).
| Sub-Processor | Purpose | Data Location | Entity |
|---|---|---|---|
| Hetzner Online GmbH | Application hosting (compute, networking, Vault, Zitadel) | Finland (EU) | Germany |
| Neon Inc. | Managed PostgreSQL database | AWS eu-central-1, Frankfurt (EU) | United States — see Section 6 |
| Upstash Inc. | Managed Redis (caching, rate-limiting, sessions) | AWS eu-central-1, Frankfurt (EU) | United States — see Section 6 |
| Cloudflare, Inc. | DNS, CDN, DDoS / WAF protection, inbound email routing | Global edge network with EU presence | United States — see Section 6 |
| Stripe Payments Europe Ltd | Payment processing | Ireland (EU) | Ireland (parent: Stripe Inc., US) |
| Sendinblue SA (Brevo) | Transactional email delivery (SMTP relay) | France (EU) | France |
6. International Data Transfers
All customer data — including application data, database records, audit logs, and credentials — is physically stored and processed within the European Union. Our application servers are hosted by Hetzner Online GmbH in Finland, and our primary database is hosted by Neon Inc. on Amazon Web Services in the Frankfurt (eu-central-1) region.
Three of our sub-processors — Neon Inc. (database), Upstash Inc. (Redis), and Cloudflare, Inc. (DNS / CDN / WAF / email routing) — are incorporated in the United States, although they store and process EU customer data within the EU (Neon and Upstash both in AWS eu-central-1 Frankfurt; Cloudflare via its global edge network with EU points of presence). Because they are US-incorporated entities, US legal frameworks (such as the CLOUD Act and FISA Section 702) could theoretically obligate them to disclose data to US authorities. We mitigate this residual risk by:
- Executing Standard Contractual Clauses (SCCs) with each US-incorporated processor;
- Selecting providers that offer EU data residency by configuration;
- Transmitting only operational metadata through the transactional email path (account events, invoices) — no connector credentials or secrets;
- Encrypting connector credentials with HashiCorp Vault before any database persistence, so even at the database layer the stored ciphertext is meaningless without our keys;
- Limiting personal data exposure to Cloudflare to visitor IP addresses, HTTP request metadata, and TLS-terminated traffic — no application-level secrets transit Cloudflare in cleartext-readable form.
By using the Service, you acknowledge and accept this residual risk. Customers requiring a strictly EU-incorporated processing stack should request our self-hosting option (see self-hosting documentation).
7. Contact
For privacy questions, GDPR requests, or to request a Data Processing Agreement, contact privacy@apexmcp.ai. You also have the right to lodge a complaint with your local data protection authority.