Effective date: June 1, 2026
Last updated: June 1, 2026
Data controller: toolweave (Andrii Sparysh, Ukraine)
Contact: admin@toolweave.dev
This Privacy Policy explains in detail what data we collect and how we use it. It applies to toolweave.dev and the MCP gateway at toolweave.dev/mcp.
tw_* prefixes for identification)

For each MCP request:
- Provider name (e.g. "openai")
- Action name (e.g. "chat")
- Model identifier
- Token count (input + output)
- Success/error flag, error message (truncated to 500 chars)
- Timestamp
- Mode (admin_key / byo / user_key)

We do not log:
- Prompt content
- Response content
- Conversation history
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Authenticate you | Email, session cookies, token hashes | Contract (Art. 6(1)(b)) |
| Route MCP requests | API keys (BYO), package config | Contract |
| Bill / track usage | Usage metadata | Contract + Legitimate interest |
| Send security notices | | Legal obligation + Legitimate interest |
| Detect abuse / fraud | Usage metadata, IP logs | Legitimate interest (Art. 6(1)(f)) |
| Improve the Service | Aggregated, anonymized metrics | Legitimate interest |
We do not use your data for:
- AI model training (ours or providers')
- Profiling for advertising
- Selling to third parties
- Cross-site tracking
These are sub-processors. We have data processing agreements where required by law.
When you make an MCP request, your prompt content goes to the relevant provider: Anthropic, OpenAI, Google (Gemini), fal.ai, Suno, Firecrawl, GitHub, Railway, Vercel, Alpha Vantage, Finnhub, Twelve Data, SEC EDGAR, Kraken, and any Custom Connector targets you configure.

Each provider has its own privacy policy. We do not control how providers handle your prompts. Notably:
- Anthropic: does not train on API requests by default
- OpenAI: does not train on API requests by default (opt-in required)
- Google Gemini: API tier does not train; consumer-tier may
- Other providers: review their policies
You can review which providers handle your data on the /dashboard/keys page.
We may disclose data when required by:
- Court order or subpoena from a competent jurisdiction
- Government request following due process
- Investigation of fraud, security incident, or terms violation
We resist overbroad requests and notify affected users when legally permitted.
europe-west4-drams3a (Netherlands, EU)

If you're outside the EU, your data is transferred to and processed in the EU. EU adequacy decisions or Standard Contractual Clauses apply where relevant.
| Data | Retention period |
|---|---|
| Account (active user) | While account exists |
| Account (deleted user) | 30 days for reversal, then permanent deletion |
| Usage logs | 24 months (then aggregated, identifiers stripped) |
| Encrypted API keys | Until you delete them or close account |
| MCP token hashes (revoked) | 90 days |
| Web server access logs | 30 days |
| Application error logs | 90 days |
| Audit log (security events) | 12 months |
| Custom Connector schemas | Until you delete them or close account |
| Discovery attempt records | 24 months |
You have the following rights under GDPR (if EU/UK resident) and similar protections in other jurisdictions:
You can see your data via /dashboard (account, tokens, keys, custom connectors, usage history). For a full export including audit logs, email admin@toolweave.dev — we'll send a JSON/CSV bundle within 30 days.
Update your email or other account data via dashboard, or by email if dashboard tools don't cover your case.
Email admin@toolweave.dev to delete your account. We will:
- Revoke all tokens immediately
- Delete encrypted API keys, Custom Connectors, sessions within 7 days
- Anonymize usage_log entries (replace user_id with hash) within 30 days
- Retain financial/audit records as legally required (up to 7 years per Ukrainian accounting law)
Your full data export (JSON) is available on request — same email channel.
You can object to specific processing (e.g. legitimate-interest based fraud detection). Email us your objection — we will assess and respond within 30 days.
You can ask us to "freeze" your data while a dispute is resolved.
We do not make decisions that significantly affect you using automated processing. Account suspension is reviewed by a human (the admin).
If you believe we mishandled your data, contact us first at admin@toolweave.dev. If unsatisfied, you have the right to complain to your local data protection authority. For EU users: any DPA in your country.
We use minimal cookies:
| Cookie | Purpose | Type | Lifetime |
|---|---|---|---|
| toolweave_session | Authenticate you | HttpOnly, Secure, SameSite=Lax | 30 days |
| tw_lang (localStorage) | Remember language choice | First-party | Persistent until cleared |
We do not use:
- Tracking cookies
- Advertising cookies
- Third-party cookies (except whatever Cloudflare needs for security challenges)
The Service is not directed to anyone under 18. We do not knowingly collect data from minors. If we learn that we have collected data from a child under 18, we will delete it promptly. Parents/guardians can email admin@toolweave.dev with concerns.
We implement reasonable measures:
- Encryption at rest — API keys, magic-link tokens (Fernet)
- TLS 1.2+ for all data in transit
- Multi-tenant isolation — all queries scope by user_id
- Password-less auth — magic links to verified email, no password to leak
- MCP tokens — long random strings, hashed in DB, revocable
- Rate limiting — on auth endpoints and discovery
- Volume backups via Railway

We cannot guarantee perfect security. In the event of a breach affecting your data, we will:
- Notify affected users by email within 72 hours of confirmation
- Notify supervisory authorities as required by GDPR Article 33
- Publish a post-mortem
If you access the Service from outside the EU, your data is processed in the EU (Netherlands). This is generally considered safe under most data protection regimes. If you're from a country requiring data localization (e.g. Russia, China), you should not use this Service.
The Service contains links to third-party websites (provider docs, blog posts, etc.). We are not responsible for the privacy practices of those sites. Their policies apply when you visit them.
We may update this Privacy Policy. The "Effective date" at the top reflects the current version. Material changes are announced by email to active users at least 14 days in advance.
A copy of the current Policy is always at https://toolweave.dev/docs/privacy and as raw markdown at https://toolweave.dev/docs/privacy.md.
Email admin@toolweave.dev for:
- Data access / export requests
- Deletion requests
- Privacy questions
- Reporting suspected breaches
- Anything not covered above
We aim to respond within 7 days for routine requests and within 30 days for complex data-rights requests as required by law.
Plain-language summary: we run a gateway, we route your stuff to AI providers, we don't read it, we don't sell anything, and you can ask us to delete everything by sending one email.