Privacy Policy

1.1 Account Data

• Email address and optional full name (for the Kabaido account).
• Hashed password (managed by Supabase Auth, never visible to Kabaido staff).
• Workspace membership (account_id, role).
• Preferences (currency, locale, timezone, default margin and tax).

1.2 Workspace Data

Any data you add to your Kabaido workspace: customers, products, quotes, configurators, machines, resources, stock, process chains, portal settings, and uploaded documents. This data remains the property of the workspace owner at all times.

1.3 MCP Tool Invocation Metadata

When you call a Kabaido MCP tool, we log to the activity_events table:

• Tool name (for example kabaido_create_quote).
• Outcome (success or error).
• Workspace id, user id, timestamp.
• Input hash (SHA-256 of canonicalised JSON), not the raw input.
• OAuth token id, if the call came via MCP OAuth.

We do not store raw tool parameters, Claude conversation text, Claude responses, or any derived artefacts.

• Conversation history. The MCP server has no visibility into Claude prompts or responses.
• Cross-workspace data. Workspace isolation is enforced via Supabase Row Level Security and per-query account_id filters.
• Raw tool parameters. Only the SHA-256 hash and outcome are retained.
• Third-party analytics. No cookies, trackers, or analytics are attached to themcp.kabaido.com endpoints.

Kabaido stores workspace data on Supabase infrastructure hosted in AWS EU-West regions (Ireland). OAuth tokens are stored SHA-256 hashed in the mcp_oauth_tokens Supabase table. Email delivery uses Resend (EU region).

• You and your workspace team members, per role-based permissions.
• Kabaido support engineers, only with explicit permission from the workspace admin, via the platform admin override feature.
• Supabase and Vercel (sub-processors, bound by their respective DPAs).

• Workspace data: retained until you delete it or terminate the account.
• Activity logs: retained for 365 days.
• OAuth tokens: access tokens 1 hour, refresh tokens 30 days, revoked on account termination.
• Support tickets: retained for 2 years after resolution.

Under GDPR and the Irish Data Protection Act, you have the right to:

• Access the data we hold about you.
• Rectify inaccurate data.
• Delete your data (right to erasure).
• Export your data in a portable format.
• Object to processing.
• Restrict processing.
• Lodge a complaint with the Irish Data Protection Commission.

To exercise any of these rights, email privacy@kabaido.com. We will respond within 30 days.

• TLS 1.2 or higher on every endpoint (Vercel and Cloudflare managed certificates).
• SHA-256 hashed OAuth tokens; never logged in plaintext.
• Supabase Row Level Security on every business table.
• Rate limiting (120 requests per minute per subject) and per-tool destructive rate limits.
• Sentry error tracking with PII scrubbing.
• Cloudflare DDoS protection and WAF rules.

Kabaido's MCP connector does not orchestrate actions across third-party services. It operates exclusively inside the caller's Kabaido workspace. Integrations with accounting or ERP systems (Xero, SAP, QuickBooks, and similar) are configured per-workspace and initiated explicitly by the workspace owner, never by Claude on their behalf without a deliberate tool call.

We will post updates to this policy at https://kabaido.com/privacy. Material changes will be announced 30 days in advance via email to workspace admins.

• Kabaido Ltd
• Privacy contact: privacy@kabaido.com
• Support contact: support@kabaido.com
• Address: Dublin, Ireland