CovaSyn Logo

Privacy Policy

Last updated: 30 April 2026

1. Overview

This policy describes how CovaSyn GmbH processes personal data when you use covasyn.com and the CovaSyn MCP platform.

2. Controller

CovaSyn GmbH
Managing Director: Oliver Kraft
Naunhofer Straße 67, 04299 Leipzig, Germany
Privacy contact: privacy@covasyn.com

3. Server logs

Our hosting provider automatically records browser type, OS, referrer URL, IP address, and access time for security and operational purposes. Legal basis: Art. 6(1)(f) GDPR.

4. Contact form

Submissions through the contact form are stored to handle your inquiry. Legal basis: Art. 6(1)(b) GDPR.

5. Account, billing and API keys (CovaSyn MCP)

When you sign up for the MCP platform we process email, password hash, language preference, and MCP tool-call metadata (tool name, timestamp, credits consumed). Legal basis: Art. 6(1)(b) GDPR (contract performance).

6. Sub-processors

We use the following sub-processors under Art. 28 GDPR. Data processing agreements (DPA / AVV) are in place and available on request via privacy@covasyn.com.

  • Vercel Inc. (USA, EU edge in Frankfurt) — hosting of marketing site and MCP application routes. Standard Contractual Clauses (SCCs) signed.
  • Cloudflare Germany GmbH — DNS and reverse proxy for covasyn.com. EU processing.
  • Stripe Payments Europe Ltd. (Ireland) — payment processing, invoicing, Stripe Tax. Data processed: email, billing address, VAT ID (if provided), card data (handled exclusively by Stripe). Legal basis: Art. 6(1)(b).
  • Supabase Inc. (USA, database region Frankfurt eu-central-1) — authentication and database for the MCP platform. Data: email, password hash, profile, tool-call logs, API key hashes. SCCs signed; data resides in the EU.
  • Resend Inc. (USA, AWS infrastructure in Europe) — transactional email. Data: email address and message content. SCCs signed.
  • MAMCM CRM (hosted by Hetzner Online GmbH, Falkenstein, Germany) — CovaSyn's internal CRM. Data: contact and deal information, lead source. Processed in Germany.
  • CovaSyn MCP Gateway (hosted by Hetzner Online GmbH, Falkenstein) — authentication and tier filtering for MCP calls. Data: API key hash, tool name, timestamp, credit cost.
  • Hetzner Online GmbH (Industriestraße 25, 91710 Gunzenhausen) — hosting for MAMCM and the MCP gateway. EU processing.

7. Cookies and telemetry

Essential cookies are set for application functionality (login session, locale). Analytics and marketing cookies (Google Analytics 4, Google Ads) are loaded only after explicit consent via the cookie banner (Section 25 TTDSG, Art. 6(1)(a) GDPR). Consent can be withdrawn anytime via the banner.

8. Retention

Account and billing data are retained until account deletion plus statutory retention (Section 147 AO: 10 years for invoices). Tool-call logs are retained for 13 months.

9. Your rights

You have rights to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21) under GDPR. Contact privacy@covasyn.com. You may also lodge a complaint with the competent supervisory authority (Saxon Data Protection Commissioner).

10. DPA / AVV

Business customers processing third-party personal data via the MCP platform require a Data Processing Agreement with CovaSyn GmbH. We provide the DPA on request at privacy@covasyn.com.

Datenschutzerklärung - CovaSyn