Legal
Privacy policy
What Vaubaan stores, why we store it, and how to get it removed.
1. Who we are
Vaubaan (“we”, “us”) operates the policy-enforcing MCP gateway available at vaubaan.com. The service lets organizations connect their own GitHub, Vercel and Supabase accounts so that coding agents (Claude Code, Cursor and others) can perform tool calls under explicit, audited policies — without ever receiving a provider access token directly.
The data controller for personal data processed through the service is the legal entity operating Vaubaan. For privacy questions, contact privacy@vaubaan.com.
2. Data we collect
We collect the minimum needed to operate the gateway.
Account data
- Email address (for sign-in via Supabase Auth).
- Organization name and slug you create.
- Members you invite (email address and role).
Provider connection metadata
- GitHub: installation ID, the organization or user that installed the GitHub App, and the list of repositories you bound to a project.
- Vercel: team ID and the projects you bound. Tokens you provide are stored encrypted at rest (see §4).
- Supabase: project_ref and team you bound. Tokens you provide are stored encrypted at rest.
Audit data
- For every MCP call routed through the gateway: the calling bot id, the tool name, the resolved upstream resource, the policy decision (allow / deny), a hash of the arguments and a coarse timing. We do not store request bodies or upstream response bodies.
Technical data
- HTTP request logs (IP, user agent, status code) retained for 30 days for abuse and operations.
3. How we use data
- Run the service (authenticate users, mint upstream tokens, enforce policies).
- Produce the org-scoped audit log so admins can review what their agents did. Audit data is never shared across organizations.
- Detect abuse, debug incidents, and improve reliability.
- Send transactional emails (sign-in magic links, security notifications).
We do not sell personal data and we do not use customer data to train AI models.
4. Tokens and secrets
Vaubaan never asks coding agents to paste provider tokens. The data flow is:
- For GitHub, we use the GitHub App install flow. We store the
installation_idand use it to mint short-lived (1 hour) installation tokens on demand, then drop them from memory after the upstream call. - For Vercel and Supabase, the org admin pastes a provider-issued PAT once through an authenticated channel. We encrypt it with AES-256-GCM using a key that lives in our infrastructure secrets manager. Decryption happens in memory only when minting a per-call upstream call.
- Agent-facing API keys (
vbn_live_…) are returned to the org admin exactly once; we store only an HMAC for verification.
5. Audit log
The audit log is the heart of the service and is visible to admins of the organization that owns the bot. Each entry records: timestamp, bot id, tool name, target resource, policy decision, deny reason (if any), and an opaque correlation id. Arguments and responses are not stored.
6. Sharing & subprocessors
We share data only with subprocessors that help us run the service. See the current list at /subprocessors. We never sell data and never share with advertisers.
7. Data retention
- Account and organization data: retained while the account is active.
- Audit log: 90 days by default; configurable per-org up to 2 years.
- HTTP request logs: 30 days.
- On deletion, we purge all primary data within 30 days; encrypted backups age out within 35 days.
8. Your rights
Depending on your jurisdiction, you may have rights to access, correct, port or delete the personal data we hold about you. Email privacy@vaubaan.com and we will respond within 30 days.
9. Changes
We will post material changes to this page and notify org admins by email at least 14 days before they take effect.
10. Contact
Privacy: privacy@vaubaan.com
Security: security@vaubaan.com
General: hello@vaubaan.com