Privacy Policy

Last updated: 2026-04-01

This Privacy Policy explains how Bord OÜ ("Bord", "we") collects and processes personal data when you use the Gigamcp platform (the "Service"). This policy is intended to comply with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").

1. Data controller

Bord OÜ is the data controller for personal data of:

  • Visitors to gigamcp.io and Bord's marketing pages.
  • Workspace owners during account creation and billing.

For Customer Data uploaded into a Workspace, Bord acts as a data processor on behalf of the Workspace owner (the controller). The terms of that processing are governed by the Data Processing Addendum.

2. Categories of personal data

We process the following categories of personal data:

  • Account data: name, email, profile picture (from WorkOS AuthKit during sign-up).
  • Billing data: company name, billing address, VAT number, last four digits of the payment card (handled by Stripe; we never touch full card data).
  • Usage data: per-tenant counters of MCP tool invocations and knowledge-source ingest jobs, used for billing and rate-limiting.
  • Audit logs: timestamped record of security-relevant events (logins, invites, role changes, connector edits, deletion requests). Retention follows the plan tier (free: 90 days, starter+: 1 year, enterprise: unlimited).
  • Connector tokens: per-tenant or per-user OAuth access/refresh tokens for GitHub and Google Drive. Stored as AWS-KMS-encrypted SecureStrings; never logged.

3. Legal bases

  • Contract performance (Art. 6(1)(b)) — to provide the Service you signed up for.
  • Legitimate interest (Art. 6(1)(f)) — operational security (audit logs, rate-limiting, fraud prevention).
  • Consent (Art. 6(1)(a)) — non-essential cookies and marketing emails (where applicable).
  • Legal obligation (Art. 6(1)(c)) — VAT records, law-enforcement requests.

4. Sub-processors

We rely on the following sub-processors to deliver the Service. All are bound by GDPR-compliant data processing agreements:

  • AWS (eu-central-1, Frankfurt) — RDS Postgres, OpenSearch Serverless, S3, ECS, KMS, SES, Bedrock embeddings.
  • WorkOS — authentication and SSO.
  • Stripe — billing, payment processing.
  • Sentry (eu.sentry.io) — error reporting; request bodies are scrubbed.
  • GitHub and Google — connector providers; we hold your tokens, and the data flows through their APIs.

5. International transfers

All Customer Data is stored in AWS eu-central-1 (Frankfurt). Some sub-processors (Stripe, Sentry, WorkOS) may process a small amount of metadata in the US; transfers to those processors rely on the EU-US Data Privacy Framework or Standard Contractual Clauses.

6. Retention

Personal data is retained for the lifetime of your account. After account deletion, data enters a 30-day soft-delete window during which the account can be recovered, and is then permanently purged. Audit logs follow the per-plan retention table above. Billing records are kept for 7 years to satisfy Estonian tax law.

7. Your rights

You have the rights of access, rectification, erasure, restriction, portability, and objection. Workspace owners can:

  • Export their workspace data via GET /api/t/<slug>/export (Article 15 / 20).
  • Schedule workspace deletion in Settings → Danger zone (Article 17).

Other rights, or a complaint to the supervisory authority (in Estonia: Andmekaitse Inspektsioon), can be raised via privacy@gigamcp.io.

8. Security

The Service uses encryption in transit (TLS), encryption at rest (RDS storage + S3 SSE-KMS), per-tenant AWS Secrets Manager entries, and WAFv2 in front of the ALB; a SOC 2 Type I audit is in progress. Pen-testing is performed annually by an independent firm.

9. Contact

Privacy questions: privacy@gigamcp.io.