Bexio MCP

Privacy Policy

Last updated: March 2025

1. Who We Are

Bexio MCP is operated by Soulcode AG, a software company based in Switzerland. We are the data controller responsible for the personal data you provide when using this Service.

This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights in relation to it. It applies to all users of bexio-mcp.soulcode.io and the associated API.

2. Data We Collect

Account Information

When you create an account, we collect your email address. We use this to identify you, send you important service notifications, and provide account recovery.

Organisation Data

We store the name of your organisation(s) and the association between your account and those organisations, including your role (owner or member).

Bexio Personal Access Token (PAT)

To connect your AI assistant to Bexio, you provide your Bexio PAT. We store it encrypted at rest using AES-256-GCM. The PAT is decrypted in memory only at the moment an authorised API request is processed and is never logged, cached in decrypted form, or shared with any third party. You can delete your PAT at any time from the dashboard.

API Keys

We store a SHA-256 hash of each API key you generate. The plaintext key is shown to you exactly once at creation and is never stored by us.

Usage Data

We record per-organisation request counts (per-hour and weekly totals) in order to enforce your plan's rate limits and to display usage statistics in your dashboard. These counters are keyed by organisation ID only and do not contain the content of any Bexio API requests or responses.

Billing Data

If you subscribe to a paid plan, payment is handled entirely by Stripe. We store your Stripe customer ID and subscription status but do not hold your credit card number or other raw payment details.

Log Data

Our infrastructure (Vercel) may automatically collect standard server log data including IP addresses, request timestamps, HTTP methods, and status codes. Logs are retained for a short period for debugging and security purposes.

3. How We Use Your Data

We use the data we collect to:

  • Provide, operate, and maintain the Service.
  • Authenticate you and authorise AI client requests to the Bexio API on your behalf.
  • Enforce subscription plan limits (rate limits and weekly quotas).
  • Send you transactional emails (account confirmations, billing receipts, important service changes). We do not send marketing emails without your explicit consent.
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with legal obligations.

We do not sell your personal data to third parties. We do not use your Bexio data to train AI models or for any purpose other than routing authorised requests back to you.

4. Legal Basis for Processing

We process your personal data on the following legal bases under the Swiss Federal Act on Data Protection (revDSG) and, where applicable, the EU General Data Protection Regulation (GDPR):

  • Contract performance: Processing your account information, credentials, and usage data is necessary to provide the Service you have signed up for.
  • Legitimate interests: Security logging, fraud prevention, and service improvement.
  • Legal obligation: Complying with applicable Swiss and EU law.

5. Data Storage and Sub-processors

Your data is stored and processed using the following sub-processors:

  • Supabase — primary database and authentication. Stores your account, organisation, PAT (encrypted), and API key (hashed) data. Data is hosted in the EU.
  • Upstash — Redis-based rate-limit counters and short-lived API key cache (encrypted values only, 5-minute TTL). Data is hosted in the EU.
  • Vercel — serverless hosting for the MCP API and web application.
  • Stripe — payment processing for paid subscriptions.

All sub-processors are bound by data processing agreements and are required to maintain appropriate security measures.

6. Data Retention

We retain your personal data for as long as your account is active or as necessary to provide the Service. Specifically:

  • Account and organisation data is retained until you delete your account.
  • Your Bexio PAT is deleted immediately when you remove it from the dashboard, or within 30 days of account deletion.
  • Usage counters in Redis expire automatically (per-hour: 2 h, weekly: 8 days).
  • Billing records are retained for the period required by Swiss commercial law (currently 10 years).

7. Cookies and Local Storage

The Service uses strictly necessary cookies and browser local storage to manage your authenticated session (provided by Supabase Auth). We do not use tracking cookies, advertising cookies, or third-party analytics scripts.

8. Your Rights

Under the Swiss revDSG and, where applicable, the EU GDPR, you have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Restriction: Request that we restrict processing in certain circumstances.

Most account data can be managed directly in the dashboard. For requests you cannot fulfil yourself, contact us. We will respond within 30 days. If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or your local supervisory authority.

9. Security

We take the security of your data seriously. Measures include:

  • AES-256-GCM encryption for Bexio PATs at rest.
  • SHA-256 hashing for API keys (plaintext never stored).
  • TLS encryption for all data in transit.
  • Short-lived cache entries for API key lookups; no caching of decrypted credentials.
  • Role-based access controls within the Supabase database.

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please disclose it responsibly via our contact page.

10. Children's Privacy

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and notify you by email or through the dashboard. Continued use of the Service after the updated policy takes effect constitutes your acceptance of the changes.

12. Contact

For any questions or requests relating to this Privacy Policy or your personal data, please contact us at:

Soulcode AG
Switzerland
soulcode.agency/contact