Privacy Policy

Last updated: 15 April 2026

1. Introduction

This Privacy Policy describes how Kabaido Ltd., a company registered in the United Kingdom ("Kabaido", "we", "us", or "our"), processes personal and business data through the Kabaido CPQ platform, the Kabaido marketing website at kabaido.com, and the Kabaido MCP connector at https://mcp.kabaido.com/mcp. The MCP connector exposes 84 tools over an OAuth 2.0 + PKCE server documented at https://platform.kabaido.com/docs/mcp. This document is the canonical public version of our privacy policy. The in-product version available at platform.kabaido.com/privacy contains the same content.

2. Data the Kabaido MCP Connector Can Read

When a Claude session is connected to the Kabaido MCP connector, the connector can read the following categories of workspace data on behalf of the connected user. Every read is scoped to the connected user's workspace and enforced by Postgres row-level security. There is no cross-tenant access.

  • Catalog: products, categories, configurators, stock and inventory records
  • Quotes and quote line items, revisions, and pricing snapshots
  • Customers and customer contacts
  • Manufacturing operations: machines, resources, consumables, process chains, and production orders
  • Portal links and customer portal sessions
  • Workspace settings and configuration
  • Team members and role assignments
  • Analytics rollups and reporting aggregates
  • Knowledge-base documents and uploaded files

3. Data the Kabaido MCP Connector Can Write

The connector can write to the same categories of workspace data listed above. Destructive write operations (create, update, delete, send) are recorded as audited events. Every audited write is logged in the activity_events table with category set to mcp, including the tool name, hashed input, outcome, and timestamp.

4. What the Connector Does Not Process

The Kabaido MCP connector does not store Claude conversation prompts or completions. The connector only persists tool inputs (SHA-256 hashed) and tool outcomes in the activity_events table. The connector does not transmit user data to third parties for advertising or profiling.

5. Token Storage

OAuth access tokens and refresh tokens issued by the Kabaido MCP connector are opaque 32-byte random strings. Tokens are stored only as SHA-256 hashes. Plaintext tokens are never written to the database or to logs.

6. Retention

  • Workspace data: retained for the life of the workspace. When a workspace is deleted, the underlying records are removed.
  • MCP activity logs: retained for 90 days in the activity_events table where category equals mcp, then expired.
  • OAuth access tokens: 1 hour lifetime.
  • OAuth refresh tokens: 30 day lifetime, rotated on every refresh.

Tokens can be revoked at any time from your workspace settings, or by calling the RFC 7009 revocation endpoint at https://mcp.kabaido.com/api/mcp/oauth/revoke.

7. Subprocessors

Kabaido relies on the following subprocessors to operate the platform and the MCP connector:

  • Supabase: managed Postgres, Auth, and Storage. Hosted in the EU-West region.
  • Vercel: compute and edge delivery. Functions run in the lhr1 region.
  • Cloudflare: DNS, WAF, and TLS termination.
  • Resend: transactional email delivery.
  • Sentry: error monitoring and exception aggregation.

For details on the contractual basis with each subprocessor, contact security@kabaido.com.

8. Data Subject Requests and Deletion

Data subjects may request access, correction, export, or deletion of personal data held by Kabaido. To exercise any of these rights, email security@kabaido.com. We acknowledge requests within a 24 hour SLA.

9. Data Controller

The data controller is Kabaido Ltd., United Kingdom.

For further details on our data protection arrangements, including any data processing agreement, contact security@kabaido.com.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The revised "Last updated" date at the top of this page reflects the most recent change. Material changes will be communicated through the platform.