Privacy Policy
Last updated: May 20, 2026
This Privacy Policy describes how Cavexia ("Cavexia", "we", "us", or "our") collects, uses, and shares information about you when you use our website at https://cavexia.com, our API, and any related services (collectively, the "Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.
1. Information we collect
Information you provide directly
- Account information: email address, name, and password when you register.
- Billing information: processed by Stripe. We store only your Stripe customer ID — we never receive or store raw card numbers.
- MCP configs submitted for scanning: the JSON configs you paste or upload. Anonymous scans are discarded within 60 seconds of completion. Authenticated users may save configs for monitoring.
- Communications: any messages you send us via email or support channels.
Information we collect automatically
- Log data: IP addresses, request URLs, HTTP method, status codes, user-agent, timestamps, and response times. Retained for up to 30 days.
- Usage data: feature interactions, scan counts, and API call patterns — used to improve the service and enforce rate limits.
- Device data: browser type, operating system, viewport size, and referring URL via standard HTTP headers.
Information from third parties
- Authentication data from Clerk (our identity provider): OAuth profile data if you sign in with Google or GitHub.
- Payment events from Stripe webhooks: subscription status, plan tier, and invoice data.
2. How we use your information
We use the information we collect to:
- Provide, operate, and improve the Service — including running scans, delivering scan results, and maintaining monitoring jobs.
- Process payments and manage your subscription via Stripe.
- Enforce rate limits and plan quotas per our Terms of Service.
- Send transactional emails: scan alerts, invoice receipts, account confirmations. We do not send unsolicited marketing without consent.
- Detect and prevent abuse, fraud, and violations of our acceptable-use policy.
- Comply with legal obligations, including responding to lawful requests from government authorities.
- Aggregate and anonymize data to understand usage trends and improve detection accuracy. We do not sell this data.
3. Data sharing and disclosure
We do not sell your personal data. We share information only in the following circumstances:
Service providers
We use third-party vendors to operate the Service. These vendors process data only on our behalf and under contractual data-processing agreements:
- Clerk — authentication and session management.
- Stripe — payment processing and subscription management.
- Vercel — cloud hosting, edge functions, and log aggregation.
- Neon — PostgreSQL database hosting.
- Resend — transactional email delivery.
- Vercel Analytics / Speed Insights — anonymized performance monitoring.
Legal requirements
We may disclose your information if required by law, subpoena, or other legal process, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Cavexia, our users, or others.
Business transfers
If Cavexia is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy.
4. Data retention
We retain your data for as long as necessary to provide the Service and comply with our legal obligations:
- Anonymous scan inputs: discarded within 60 seconds of scan completion.
- Scan results for authenticated users: retained per your plan's scan history limit (0–365 days, or unlimited for Enterprise).
- Account data: retained while your account is active. Deleted within 30 days of account deletion request.
- Billing records: retained for 7 years to comply with financial regulations.
- Server logs: retained for up to 30 days, then automatically purged.
You may request deletion of your account and associated data at any time by emailing privacy@cavexia.com.
5. Security
We implement industry-standard security measures to protect your data, including TLS encryption in transit, AES-256 encryption at rest for sensitive fields, role-based access controls, and regular dependency auditing via the Cavexia scanner itself.
No method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security. If you discover a security vulnerability, please disclose it responsibly to security@cavexia.com.
7. International data transfers
Cavexia is operated in the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the US and other countries where our service providers operate.
For users in the European Economic Area (EEA) or United Kingdom, we rely on Standard Contractual Clauses (SCCs) as our transfer mechanism where required by GDPR. Our sub-processors (Clerk, Stripe, Vercel, Neon, Resend) maintain SCCs with their customers.
8. Your rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Deletion ("right to be forgotten"): request deletion of your data, subject to legal retention requirements.
- Portability: receive your data in a structured, machine-readable format.
- Objection / restriction: object to or request restriction of certain processing activities.
- Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, email privacy@cavexia.com. We will respond within 30 days. If you are in the EEA, you also have the right to lodge a complaint with your local supervisory authority.
California residents (CCPA): You have the right to know, delete, and opt out of the sale of personal information. We do not sell personal information. To make a verifiable consumer request, contact us at the email above.
9. Children's privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately at privacy@cavexia.com and we will promptly delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page with an updated "Last updated" date, and where appropriate, by sending an email to the address associated with your account.
Your continued use of the Service after the effective date of the revised policy constitutes your acceptance of the changes.
11. Contact us
If you have questions about this Privacy Policy or our data practices, please contact us: