Privacy Policy

Effective date: May 16, 2026

1. What We Collect

When you create an account, we collect your email address. When you use the SpacialMCP API, we log tool calls (method name, timestamp, response status) for audit and debugging. We do not sell your data to third parties.

2. How We Store It

Your data is stored in PostgreSQL on infrastructure we control. API keys are hashed with Argon2id before storage — we cannot recover your raw key. All traffic is encrypted in transit via TLS (Caddy + Let's Encrypt).

3. Audit Logs

Every MCP tool call generates an audit event including the tool name, timestamp, and calling key ID. Sensitive arguments (system prompts, knowledge entries) are redacted to character-count summaries. Audit logs are retained for 30 days.

4. Soft Deletion

When you delete a project, task, or agent, the record is soft-deleted (marked with a deletedAt timestamp). Soft-deleted records are recoverable for 30 days, after which they are permanently purged.

5. Cookies

We use a single session cookie for authentication after login. We do not use tracking cookies or third-party analytics.

6. Your Rights

You can export or delete your data at any time by contacting us. We will respond within 30 days.

7. Contact

Questions about this policy? Email [email protected].