Privacy Policy
ApexMCP ("we", "us", "our") is committed to protecting your personal data. This policy explains what we collect, why, and your rights under GDPR and applicable privacy law.
1. Who we are
ApexMCP operates the website apexmcp.ai and the associated SaaS platform. For privacy enquiries contact us at [email protected].
2. What we collect and why
- Email address — collected when you join our waitlist. Used to notify you when access is available and to send product updates you have consented to receive.
- Usage data — when you use the platform, we log API calls, connector activity, and tool invocations for billing, security, and debugging purposes.
- Account data — name, email, organisation name provided during sign-up.
We do not sell your personal data to third parties.
3. Legal basis for processing (GDPR)
- Consent — for waitlist marketing emails. You may withdraw consent at any time.
- Contract performance — to deliver the service you signed up for.
- Legitimate interests — for security, fraud prevention, and product improvement.
4. Cookies
This website uses only essential cookies required for the site to function. We do not use tracking or advertising cookies. See our Cookie Policy for details.
5. Data retention
Waitlist emails are retained until you unsubscribe or request deletion. Platform data is retained for the duration of your account and deleted within 30 days of account closure.
6. Your rights
Under GDPR you have the right to: access your data, correct inaccuracies, request deletion, object to processing, and request data portability. To exercise any right, email [email protected].
7. Sub-processors
We engage the following sub-processors to deliver the Service. Each operates under a Data Processing Agreement that incorporates GDPR Article 28 obligations and, where applicable, the 2021 Standard Contractual Clauses for international transfers.
- Hetzner Online GmbH (Germany) — application hosting (compute, storage). Data centres in Finland (EU).
- Neon Inc. (USA, infrastructure on AWS) — managed PostgreSQL. Hosted in AWS eu-central-1, Frankfurt.
- Upstash Inc. (USA, infrastructure on AWS) — managed Redis (cache, rate limiting, queues). Hosted in AWS eu-central-1, Frankfurt.
- Cloudflare, Inc. (USA) — DNS, CDN, edge worker, email routing. Global edge network with EU presence. Customer DPA incorporates SCCs.
- Sendinblue SA (Brevo) (France) — transactional and waitlist email. EU.
- Stripe Payments Europe Ltd (Ireland) — payment processing for paid plans. Card data is never stored on our servers.
- GitHub Inc. (USA) — used to manage waitlist entries (private repository issues) and feedback issues.
The current list is also maintained in our Data Processing Agreement template — enterprise customers may request a copy at [email protected].
8. Changes
We may update this policy. Registered users will be notified of material changes by email. Continued use after changes constitutes acceptance.
9. Contact
Questions? Email [email protected].