Privacy Policy
Effective date: 1 March 2026 | Last updated: 1 March 2026
1. Introduction
This Privacy Policy explains how Vayro ("we", "us", "our") collects, uses, shares, and protects your personal data when you use our platform at app.vayro.ai and mcp.vayro.ai (the "Service").
Vayro is operated by an individual based in the United Kingdom. For the purposes of the UK General Data Protection Regulation (UK GDPR), we are the data controller. Our contact email is privacy@vayro.ai.
2. Data We Collect
Account Data
When you sign in via Google OAuth, we receive and store your name, email address, and profile image. We do not receive or store your Google password.
Project Data
We store your project configurations, including project names, OpenAPI specification URLs, OAuth app settings, and runtime configuration.
Upstream API Credentials
If you provide API keys, bearer tokens, or other credentials for your upstream API, they are encrypted at rest using AES-256-GCM. Credentials are decrypted only in memory during tool call execution and are never logged in plaintext.
Usage Data
We log each MCP tool call with the following data: tool name, HTTP status code, response latency, request and response sizes, AI client type (e.g. Claude, ChatGPT), and any error messages. Request logs are retained for 30 days and then automatically deleted.
Payment Data
Payments are processed by Stripe. We do not store your credit card number, expiry date, or CVC. We store only your Stripe customer ID to manage your subscription.
Technical Data
We may collect your IP address, browser User-Agent string, and session identifiers for security, client detection, and abuse prevention purposes.
3. Legal Basis for Processing
Under UK GDPR Article 6, we process your personal data on the following bases:
- Contract performance — To provide the Service, manage your account, process payments, and host your MCP servers.
- Legitimate interests — To monitor usage, enforce plan limits, detect abuse, improve the Service, and ensure security. We balance these interests against your rights and freedoms.
- Consent — For any optional marketing communications (if introduced in the future). You can withdraw consent at any time.
- Legal obligation — To comply with applicable laws, regulations, or legal proceedings.
4. How We Use Your Data
- Provide, maintain, and improve the Service.
- Process payments and manage subscriptions via Stripe.
- Monitor usage and enforce plan limits and rate limits.
- Detect and prevent abuse, fraud, and security threats.
- Communicate important service updates (e.g. Terms changes, security incidents).
- Generate aggregate, anonymised analytics to improve the Service.
We do not use your data to train AI or machine learning models. We do not sell your data. We do not serve advertising.
5. Data Sharing — Third-Party Processors
We share your data only with the following third-party service providers who process data on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Application hosting | USA |
| Cloudflare | CDN, MCP runtime worker | Global |
| Neon | PostgreSQL database | USA |
| Stripe | Payment processing | USA |
| | OAuth authentication | USA |
We do not share your data with any other third parties for their own purposes.
6. International Data Transfers
Your data is processed and stored in the United States and globally via our cloud service providers. Where personal data is transferred outside the United Kingdom, we rely on appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office, to ensure an adequate level of data protection.
7. Data Retention
- Account data — Retained while your account is active. Deleted upon account termination or upon your request.
- Request logs — Retained for 30 days, then automatically deleted by a daily cleanup process.
- Upstream API credentials — Deleted when you remove them or delete the associated project.
- Payment data — Retained by Stripe in accordance with their Privacy Policy. We retain only your Stripe customer ID.
8. Your Rights (UK GDPR)
Under the UK GDPR, you have the following rights regarding your personal data:
- Access — Request a copy of the personal data we hold about you.
- Rectification — Request correction of inaccurate or incomplete data.
- Erasure ("Right to be forgotten") — Request deletion of your personal data.
- Restriction — Request that we restrict processing of your data in certain circumstances.
- Portability — Request your data in a structured, machine-readable format.
- Objection — Object to processing based on legitimate interests.
- Withdraw consent — Where processing is based on consent, withdraw it at any time.
To exercise any of these rights, email us at privacy@vayro.ai. We will respond within 30 days.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
9. California Residents (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:
- Right to know — Request details about the categories and specific pieces of personal information we collect.
- Right to delete — Request deletion of your personal information.
- Right to opt out of sale — We do not sell your personal information.
- Non-discrimination — We will not discriminate against you for exercising your rights.
10. Cookies
We use a single essential cookie for authentication (NextAuth session cookie). This cookie is necessary for the Service to function and does not require consent under UK GDPR. We do not use any analytics cookies, advertising cookies, or third-party tracking cookies.
11. Children
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at privacy@vayro.ai and we will promptly delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance via email or a notice in the dashboard. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at privacy@vayro.ai.