Privacy Policy

Effective date: June 1, 2026
Last updated: June 1, 2026
Data controller: toolweave (Andrii Sparysh, Ukraine)
Contact: admin@toolweave.dev

TL;DR

This Privacy Policy explains in detail what data we collect and how we use it. It applies to toolweave.dev and the MCP gateway at toolweave.dev/mcp.

1. What we collect

Account data

Authentication data

API keys you upload (BYO)

Usage metadata

For each MCP request: - Provider name (e.g. "openai") - Action name (e.g. "chat") - Model identifier - Token count (input + output) - Success/error flag, error message (truncated to 500 chars) - Timestamp - Mode (admin_key / byo / user_key)

We do not log: - Prompt content - Response content - Conversation history

Custom Connectors data

Operational logs

2. What we don't collect

3. How we use your data

Purpose Data used Legal basis (GDPR)
Authenticate you Email, session cookies, token hashes Contract (Art. 6(1)(b))
Route MCP requests API keys (BYO), package config Contract
Bill / track usage Usage metadata Contract + Legitimate interest
Send security notices Email Legal obligation + Legitimate interest
Detect abuse / fraud Usage metadata, IP logs Legitimate interest (Art. 6(1)(f))
Improve the Service Aggregated, anonymized metrics Legitimate interest

We do not use your data for: - AI model training (ours or providers') - Profiling for advertising - Selling to third parties - Cross-site tracking

4. Who we share data with

Service providers (necessary for operation)

These are sub-processors. We have data processing agreements where required by law.

AI / API providers (when you make requests)

When you make an MCP request, your prompt content goes to the relevant provider: - Anthropic, OpenAI, Google (Gemini), fal.ai, Suno, Firecrawl, GitHub, Railway, Vercel, Alpha Vantage, Finnhub, Twelve Data, SEC EDGAR, Kraken, and any Custom Connector targets you configure

Each provider has its own privacy policy. We do not control how providers handle your prompts. Notably: - Anthropic: does not train on API requests by default - OpenAI: does not train on API requests by default (opt-in required) - Google Gemini: API tier does not train; consumer-tier may - Other providers: review their policies

You can review which providers handle your data on the /dashboard/keys page.

We may disclose data when required by: - Court order or subpoena from a competent jurisdiction - Government request following due process - Investigation of fraud, security incident, or terms violation

We resist overbroad requests and notify affected users when legally permitted.

5. Where your data is stored

If you're outside the EU, your data is transferred to and processed in the EU. EU adequacy decisions or Standard Contractual Clauses apply where relevant.

6. Data retention

Data Retention period
Account (active user) While account exists
Account (deleted user) 30 days for reversal, then permanent deletion
Usage logs 24 months (then aggregated, identifiers stripped)
Encrypted API keys Until you delete them or close account
MCP token hashes (revoked) 90 days
Web server access logs 30 days
Application error logs 90 days
Audit log (security events) 12 months
Custom Connector schemas Until you delete them or close account
Discovery attempt records 24 months

7. Your rights

You have the following rights under GDPR (if EU/UK resident) and similar protections in other jurisdictions:

Right to access

You can see your data via /dashboard (account, tokens, keys, custom connectors, usage history). For a full export including audit logs, email admin@toolweave.dev — we'll send a JSON/CSV bundle within 30 days.

Right to rectification

Update your email or other account data via dashboard, or by email if dashboard tools don't cover your case.

Right to erasure ("right to be forgotten")

Email admin@toolweave.dev to delete your account. We will: - Revoke all tokens immediately - Delete encrypted API keys, Custom Connectors, sessions within 7 days - Anonymize usage_log entries (replace user_id with hash) within 30 days - Retain financial/audit records as legally required (up to 7 years per Ukrainian accounting law)

Right to data portability

Your full data export (JSON) is available on request — same email channel.

Right to object

You can object to specific processing (e.g. legitimate-interest based fraud detection). Email us your objection — we will assess and respond within 30 days.

Right to restrict processing

You can ask us to "freeze" your data while a dispute is resolved.

Right not to be subject to automated decision-making

We do not make decisions that significantly affect you using automated processing. Account suspension is reviewed by a human (the admin).

Right to lodge a complaint

If you believe we mishandled your data, contact us first at admin@toolweave.dev. If unsatisfied, you have the right to complain to your local data protection authority. For EU users: any DPA in your country.

8. Cookies

We use minimal cookies:

Cookie Purpose Type Lifetime
toolweave_session Authenticate you HttpOnly, Secure, SameSite=Lax 30 days
tw_lang (localStorage) Remember language choice First-party Persistent until cleared

We do not use: - Tracking cookies - Advertising cookies - Third-party cookies (except whatever Cloudflare needs for security challenges)

9. Children

The Service is not directed to anyone under 18. We do not knowingly collect data from minors. If we learn that we have collected data from a child under 18, we will delete it promptly. Parents/guardians can email admin@toolweave.dev with concerns.

10. Security

We implement reasonable measures: - Encryption at rest — API keys, magic-link tokens (Fernet) - TLS 1.2+ for all data in transit - Multi-tenant isolation — all queries scope by user_id - Password-less auth — magic links to verified email, no password to leak - MCP tokens — long random strings, hashed in DB, revocable - Rate limiting — on auth endpoints and discovery - Volume backups via Railway

We cannot guarantee perfect security. In the event of a breach affecting your data, we will: - Notify affected users by email within 72 hours of confirmation - Notify supervisory authorities as required by GDPR Article 33 - Publish a post-mortem

11. International transfers

If you access the Service from outside the EU, your data is processed in the EU (Netherlands). This is generally considered safe under most data protection regimes. If you're from a country requiring data localization (e.g. Russia, China), you should not use this Service.

The Service contains links to third-party websites (provider docs, blog posts, etc.). We are not responsible for the privacy practices of those sites. Their policies apply when you visit them.

13. Changes to this Privacy Policy

We may update this Privacy Policy. The "Effective date" at the top reflects the current version. Material changes are announced by email to active users at least 14 days in advance.

A copy of the current Policy is always at https://toolweave.dev/docs/privacy and as raw markdown at https://toolweave.dev/docs/privacy.md.

14. Contact

Email admin@toolweave.dev for: - Data access / export requests - Deletion requests - Privacy questions - Reporting suspected breaches - Anything not covered above

We aim to respond within 7 days for routine requests and within 30 days for complex data-rights requests as required by law.


Plain-language summary: we run a gateway, we route your stuff to AI providers, we don't read it, we don't sell anything, and you can ask us to delete everything by sending one email.