Privacy Policy

Effective: May 2026

SubVault Labs LLC (“SubVault,” “we,” “us,” or “our”) operates the SubVault platform, MCP server, and related services (the “Service”). This policy describes how we collect, use, and protect your information.

1. Information we collect

1.1 Account information

Your email address, a unique user identifier, and your subscription status. We store a hashed version of your API key for authentication; we never store the plaintext key.

1.2 Vault data

When you use the vault tool through a connected AI tool, the structured knowledge you save — facts, decisions, action items, and context — is stored in an isolated, per-customer database. No two customers share a database.

1.3 Document processing (when applicable)

If you use SubVault's document connectors (drives, mail, local files), documents are fragmented into small de-identified text segments before transmission. Fragments are processed transiently and deleted upon completion of extraction. Source text is not retained. The original document cannot be reconstructed from what we keep.

1.4 MCP connection metadata

When your AI tool connects via MCP, we log timestamps, the name of the tool being called, and response time. We do not log the content of your prompts or AI responses.

1.5 Usage and diagnostic data

Aggregate counts of vault operations, error logs, and subscription checks. No keystroke data, no clipboard content, no screen recordings, no browsing history.

1.6 Payment information

Subscription payments are processed by Stripe. We do not receive or store full card numbers or bank credentials. Stripe's handling of your payment information is governed by Stripe's Privacy Policy.

2. How we use your information

• Provide the Service: Store your vault, assemble context for your AI tools, process documents when you connect them.
• Maintain your account: Authenticate, manage subscription, send service-related email.
• Improve the Service: Aggregate, de-identified usage analysis for reliability and quality.
• Protect the Service: Detect fraud, abuse, and security incidents.
• Comply with law: Meet legal obligations and respond to valid legal process.

3. Legal basis for processing

• Contract performance: Storing your vault and assembling context is necessary to provide the Service.
• Consent: Explicit consent when connecting data sources.
• Legitimate interest: Service security, fraud prevention, aggregate quality improvement.
• Legal obligation: Where required by applicable law.

4. Data storage and retention

4.1 Vault data

Customer vault data is stored on EU-based cloud infrastructure. Each customer has an isolated database; there is no shared data layer. Your vault persists until you delete it.

4.2 Document fragments (transient)

During active extraction only, typically seconds to minutes. Processed in memory; not written to persistent storage.

4.3 Account data

Retained while your account is active. On deletion, account and vault data are removed within 30 days, except where retention is required by law (for example, financial-record requirements for past transactions).

4.4 Server logs

Retained up to 90 days for security monitoring. Logs do not contain vault or document content.

5. Data sharing and disclosure

We do not sell, rent, or trade your information. We share only in these circumstances:

• Service providers: Stripe (payments) and our cloud-infrastructure provider, both processing on our behalf under contract.
• Your AI tools: When you connect an AI tool via MCP, that tool can read your vault through the remember tool and write to it through the vault tool. We do not control how connected tools use the context we return.
• Legal requirements: If required by law or valid legal process, or in good-faith belief that disclosure is necessary to protect rights or safety.
• Business transfers: In a merger, acquisition, or asset sale. You will be notified before your information becomes subject to a different policy.

We do not share information with third parties for their marketing. We do not run advertising. We do not provide data to advertisers.

6. What we do not do

• We do not sell your data.
• We do not use your vault data or document content to train, fine-tune, or improve AI or ML models.
• We do not retain original document text beyond the seconds required for extraction.
• We do not serve advertisements or share data with advertisers.
• We do not track you across websites or applications.
• We do not use tracking or advertising cookies.
• We do not access your vault data except for support requests you initiate, security investigation, or where required by law.

7. Third-party AI tools and MCP connections

SubVault is designed to work with AI tools that speak the Model Context Protocol. When you connect one:

• It authenticates with your API key.
• It can call the remember tool to read context and the vault tool to save knowledge.
• SubVault returns only data stored in your vault. We do not intercept, log, or store your conversations with the AI tool.
• Each AI tool's use of your data is governed by that tool's own privacy policy.

To revoke access, regenerate your API key. The old key is invalidated immediately.

8. Data sources and permissions

When you connect document sources, SubVault requests the minimum permissions needed:

• Google services (Gmail, Drive, Calendar): read-only access via OAuth 2.0. We cannot send mail, modify files, or create events on your behalf.
• Local files: read-only access on your machine, processed locally or transmitted as de-identified fragments.

You may disconnect any source at any time. Knowledge derived from a disconnected source can be removed from your vault upon request.

9. Google API Services

SubVault's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We access Google user data only to provide the document-processing features you have explicitly requested. We do not use Google user data for advertising, do not transfer it to third parties except as needed to provide the Service or comply with law, do not use it to train AI or ML models, and limit human access to debugging and security purposes with your consent.

10. International data transfer

SubVault Labs LLC is a United States company. Customer vault data is stored on EU-based infrastructure and remains in the EU. Account data (email, user ID, subscription status) is processed in the United States. Cross-border transfers of account data are made on the basis of Standard Contractual Clauses or your explicit consent, as applicable.

11. Security

Our security posture is documented in detail on our security page. In summary:

• All network traffic uses HTTPS/TLS 1.2 or higher.
• API keys are hashed before storage; plaintext keys are never retained.
• Each customer's vault lives in an isolated database with no shared tables.
• Per-key rate limiting protects against abuse.
• Document fragments are de-identified before transmission.
• Production access is restricted to authorized personnel and audited.

12. Data breach notification

In the event of a data breach affecting your personal information, we will notify affected users by email within 72 hours of becoming aware of the breach, and notify supervisory authorities as required by applicable law.

13. Your rights

Depending on jurisdiction, you may have the following rights:

• Access: Request a copy of personal information we hold about you.
• Correction: Request correction of inaccurate information.
• Deletion: Request deletion of your account and vault.
• Portability: Request a portable, machine-readable copy of your information.
• Restriction: Restrict processing in certain circumstances.
• Objection: Object to processing based on legitimate interests.
• Withdraw consent: Withdraw consent for processing.

Contact info@subvault.ai to exercise any of these rights. We respond to verifiable requests within 30 days.

14. California residents (CCPA / CPRA)

California residents have additional rights:

• Right to know the categories and specific pieces of personal information we have collected.
• Right to delete personal information, subject to certain legal exceptions.
• Right to opt out of sale — not applicable, we do not sell personal information.
• Right to non-discrimination for exercising CCPA or CPRA rights.

To submit a verifiable consumer request, contact info@subvault.ai.

In the preceding 12 months we have collected the following categories of personal information: identifiers (email, user ID), commercial information (subscription status), and internet activity (usage telemetry). We have not sold personal information.

15. Children

SubVault is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect personal information from children. If you believe a child has provided personal information, contact info@subvault.ai and we will delete it.

16. Cookies and tracking

The SubVault website does not use cookies for tracking, analytics, or advertising. The Service does not contain tracking pixels, analytics SDKs, or advertising frameworks.

17. Changes to this policy

We may update this policy from time to time. Material changes will be announced by email or prominent notice at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.

18. Contact

SubVault Labs LLC
Email: info@subvault.ai