Kestal is a product of SaaSCrest Labs Inc. ("we", "our", or "us"), a corporation incorporated in the Province of British Columbia, Canada.
This Privacy Policy operates alongside the SaaSCrest Labs Inc. Corporate Privacy Policy. The Corporate Privacy Policy describes how SaaSCrest manages personal information at an organizational level. In the event of any inconsistency between this document and the Corporate Privacy Policy, this Kestal Privacy Policy governs with respect to Kestal products and services.
This Privacy Policy explains how we collect, use, disclose, and protect information when you use the Kestal platform, including MCP server products, and related services (the "Service").
This Privacy Policy is intended to provide notice about our data practices. Where consent is required by applicable law, we seek that consent through the relevant account, connection, billing, or product flow. Your use of the Service is also subject to the Kestal Terms of Service.
This Privacy Policy is designed to comply with the Personal Information Protection Act (British Columbia).
SaaSCrest Labs Inc. is responsible for personal information under its control and has designated a Privacy Officer to oversee compliance with applicable privacy laws, as described in the SaaSCrest Labs Inc. Corporate Privacy Policy.
1. What Kestal Does
Kestal is a platform that provides MCP (Model Context Protocol) server products. MCP is an open protocol developed by Anthropic that allows AI assistants such as Claude to connect to external data sources and tools.
Kestal products act as a data connectivity layer between the user's AI assistant and the user's existing third-party business platforms. Kestal does not provide AI services, send emails, manage subscriber lists, or generate AI-powered recommendations. Kestal retrieves and delivers data at the user's explicit request.
Understanding this architecture is important for understanding our data practices: much of the data that passes through Kestal is transient and is not intentionally stored in our application database.
2. Information We Collect
We collect only the information reasonably necessary to operate, improve, and secure the Service.
2.1 Account Information
When you create a Kestal account, we collect:
- Email address
- Name
- Authentication provider identifier (for example, an identity provider user ID)
- Account creation date
Authentication is handled by a third-party identity provider. We do not store passwords.
2.2 Authentication and Connection Data
When you connect a third-party platform, we collect and store:
- OAuth access tokens (encrypted at rest using AES-256-GCM)
- OAuth refresh tokens (where applicable)
- Platform user identifier
- Platform metadata required for API routing (e.g., data center prefix)
- Connection status and timestamp
OAuth tokens are stored solely to authenticate API requests to your connected platform on your behalf. You may disconnect a platform at any time, which immediately deletes the stored token from our active application database, subject to ordinary backup, audit, and service-provider retention processes.
2.3 API Key Data
When you generate an API key to authenticate MCP server requests, we store:
- A cryptographic hash of the API key (the full key is shown once at creation and cannot be retrieved afterward)
- The first 8 characters of the key (for identification in the dashboard)
- A user-provided key name or label
- Last used timestamp
We do not store API keys in plaintext.
2.4 Subscription and Billing Data
We store subscription-related identifiers synced from our payment processor:
- Payment processor customer ID
- Payment processor subscription ID
- Plan type (e.g., free or pro)
- Subscription status
- Current billing period end date
- Cancellation intent (if applicable)
We do not store credit card numbers, bank account details, or full payment information. All payment processing is handled by our payment processor.
2.5 Usage Logs
We collect limited usage logs to support rate limiting, usage metering, security, and service reliability:
- Internal user ID
- Tool name invoked
- Platform queried
- Timestamp
- Request duration
- Success or failure indicator
- Error type (if applicable)
These logs are designed to avoid direct identifiers and do not intentionally contain email addresses, subscriber data, campaign content, or other content retrieved from your connected platforms. However, an internal user ID may still constitute personal information where it can reasonably be linked back to an individual within our systems.
Retention: Usage logs are retained on a rolling basis (currently 90 days) and are automatically purged thereafter, subject to legal requirements or legitimate security needs.
3. Data We Access But Do Not Intentionally Store
This is the most important section of this Privacy Policy.
When you use a Kestal MCP tool, the server fetches data in real time from your connected third-party platform and returns it to your AI assistant. This data ordinarily passes through our server in transient processing memory only. We do not intentionally store retrieved content in our application database or ordinary usage logs.
Depending on the tools you use and the platforms you connect, this transient data may include, for example:
- Business records or configuration data (such as projects, workspaces, repositories, environments, or settings)
- Communications and content (such as messages, documents, tickets, tasks, files, code, notes, or campaign content)
- Analytics or performance data (such as usage metrics, engagement metrics, financial or operational reports, or logs)
- Customer, subscriber, or contact information (such as names, email addresses, identifiers, profile attributes, or activity history)
- Operational or automation data (such as workflow definitions, triggers, statuses, or schedules)
- Any other data retrieved from your connected third-party accounts that is necessary for the requested tool operation
Although we design the Service so that this content is not intentionally stored after the request is completed, limited technical traces may exist temporarily in memory during processing or may appear in restricted infrastructure, security, or error-monitoring metadata if needed for debugging, abuse prevention, legal compliance, or service integrity. We do not intentionally use retrieved content for model training, product analytics, profiling, or advertising.
Data flow: Your third-party platform API → Kestal server (transient processing) → your chosen AI assistant service → displayed to you.
4. How We Use Information
We use collected information to:
- Authenticate your identity and manage your account
- Authenticate API requests to your connected platforms
- Enforce usage limits and rate limiting
- Process subscriptions and billing
- Monitor service reliability, security, and performance
- Detect misuse, abuse, fraud, or unauthorized access
- Provide customer support
- Comply with legal obligations
- Enforce our agreements and protect our rights
We do not sell personal information.
We do not use personal information for targeted advertising.
5. Third-Party Platform Data and OAuth
5.1 OAuth Access Patterns
Some third-party platforms grant all-or-nothing account access and do not support scoped permissions. When you authorize access to such a platform, we may receive full account access. However, we only use the access capabilities reasonably required by our published tool set (listed in our product documentation). We do not intentionally access platform features or data beyond what is necessary to provide the Service.
Other third-party platforms support scoped access. Where available, we request only the specific scopes necessary to operate our published tools (for example, read access to accounts, profiles, lists, segments, campaigns, metrics, flows, events, or tags), together with any additional scopes required for product features you choose to enable.
5.2 Revoking Access
You may revoke platform access at any time by:
- Disconnecting the platform in your Kestal dashboard (which deletes the stored token from active application storage), or
- Revoking access from within the connected platform's settings
If you revoke access from the platform side without disconnecting in Kestal, the stored token becomes invalid. Any subsequent API request will fail. You would need to disconnect and reconnect to restore functionality.
5.3 Your Responsibility for Third-Party Personal Information
If you connect a platform containing personal information relating to subscribers, customers, prospects, or other third parties, you are responsible for ensuring that you have all rights, consents, notices, and other lawful authority required to allow:
- Your disclosure of that information to Kestal for processing
- Kestal's processing of that information to provide the Service
- The transmission of requested outputs to your chosen AI assistant provider
You should not use the Service to process third-party personal information unless you are authorized to do so under applicable law and your own privacy notices, contracts, and platform terms.
6. Third-Party Service Providers
We use third-party service providers to operate the Service:
| Category | What They Receive | Purpose |
|---|---|---|
| Identity provider | Email, name, session data | Identity and authentication |
| Database and backend provider | Stored data described in Section 2 | Database and backend infrastructure |
| Payment processor | Email, payment method, billing address, subscription details | Payment processing |
| Hosting, CDN, and security | Request metadata (IP, headers, request path) | Hosting, CDN, security, and MCP server endpoint |
| Error monitoring provider | Error stack traces, technical metadata, and limited request context configured by us to avoid direct identifiers where reasonably possible | Error monitoring and debugging |
These providers process data only as necessary to deliver services on our behalf, subject to contractual, organizational, and technical restrictions.
7. AI Assistants
Kestal is an MCP server that supported AI assistants connect to. When you invoke a tool through your chosen AI assistant, that assistant sends a request to our server and we return data. Your AI assistant provider does not have access to our user database, stored tokens, or subscription data solely by virtue of our operation of Kestal.
However, data returned to your AI assistant — including data originating from your connected platforms — enters that provider's ecosystem and is subject to the provider's own terms, privacy disclosures, retention practices, and product settings. We recommend that you review your chosen AI assistant provider's privacy and product documentation to understand how data within assistant conversations is handled.
We do not control, and are not responsible for, any AI assistant provider's data practices.
8. Cross-Border Data Transfers
Our infrastructure and service providers may store and process personal information outside Canada, including in the United States.
As a result, your personal information may be accessible to courts, law enforcement, regulators, and national security authorities in those jurisdictions in accordance with applicable laws.
We take reasonable contractual and technical measures intended to provide a level of protection for transferred personal information that is comparable to that required under applicable Canadian privacy laws, recognizing that no transfer mechanism can eliminate all jurisdictional risk.
9. Data Retention
We retain personal data only as long as reasonably necessary to:
- Provide the Service
- Maintain your account
- Comply with legal obligations
- Resolve disputes
- Enforce agreements
- Investigate misuse, fraud, or security incidents
Usage logs are retained on a 90-day rolling basis, unless a longer retention period is reasonably necessary for legal, accounting, fraud-prevention, or security purposes.
If you delete your account, we delete or de-identify user data from our active application database within a reasonable period, including account information, connection data, API keys, and subscription records, except where retention is reasonably necessary for legal compliance, dispute resolution, fraud prevention, accounting, or enforcement of our agreements. Post-deletion, the following may persist in third-party systems per their own retention policies:
- Payment providers may retain transaction history for financial, tax, anti-fraud, and compliance purposes
- Identity providers may retain deletion audit logs and related account records
- Error monitoring providers may retain technical error logs that referenced internal identifiers or limited metadata
- Backup systems may temporarily retain copies until overwritten in the ordinary course
10. Data Security
We implement reasonable technical and organizational safeguards, including:
- Encryption at rest for OAuth tokens (AES-256-GCM), with encryption keys stored as infrastructure secrets separate from application code and database
- Encryption in transit for all communications (HTTPS enforced)
- One-way cryptographic hashing of API keys
- Logging practices designed to exclude retrieved platform content and direct identifiers from ordinary usage logs where reasonably possible
- CSRF protection on OAuth callbacks (state parameter validation)
- PKCE for OAuth flows where supported
- Rate limiting and infrastructure-level abuse controls
No system can guarantee absolute security, but we continuously review and improve our safeguards.
11. Your Rights
Subject to applicable law, including British Columbia's Personal Information Protection Act, you may have the right to:
- Access your personal information
- Request correction of inaccurate information
- Request deletion of your account and associated data, subject to lawful retention requirements
- Withdraw consent, where processing is based on consent and withdrawal is legally and technically feasible
- Ask questions about our privacy practices
We may require sufficient information to verify your identity before fulfilling requests. We will respond within the timeframes required by applicable law.
Access rights apply to personal information about you. They do not extend to proprietary system architecture, internal methodologies, confidential commercial information, privileged materials, or trade secrets used to operate the Service, except as required by law.
12. Information for Users in the European Economic Area and United Kingdom
If you are located in the EEA or the United Kingdom, you may have additional rights under applicable data protection law, including the GDPR or UK GDPR, such as the right to data portability, the right to object to certain processing, the right to request restriction of processing, and the right to lodge a complaint with a supervisory authority.
For users in these jurisdictions, SaaSCrest Labs Inc. is the controller of personal data described in this Privacy Policy unless otherwise stated.
Our legal bases for processing personal data include, as applicable:
- Performance of a contract, including providing and securing the Service
- Legitimate interests, including service security, fraud prevention, product integrity, support, and limited operational analytics
- Compliance with legal obligations
- Consent, where we specifically request and rely on consent
Recipients or categories of recipients may include our service providers described in Section 6, connected platforms you authorize, and Anthropic or another AI assistant provider you choose to use through the Service.
Personal data may be transferred outside the EEA or United Kingdom, including to Canada and the United States. Where required, we rely on appropriate transfer mechanisms and contractual protections, recognizing that international transfers involve residual legal risk.
Retention periods are described in Section 9.
To exercise applicable rights, contact our Privacy Officer using the details in Section 15.
13. Information for California Users
If you are a California resident, California privacy laws may provide additional rights regarding your personal information.
Depending on the circumstances, these rights may include:
- The right to know the categories of personal information we collect, the sources of that information, the purposes for which we use it, and the categories of third parties to whom we disclose it
- The right to request deletion of certain personal information, subject to legal exceptions
- The right to correct certain inaccurate personal information
- The right to non-discrimination for exercising applicable privacy rights
Categories of personal information we may collect include identifiers, account information, commercial information relating to subscriptions, internet or network activity information, and professional or employment-related information you choose to provide.
Sources of personal information include information you provide directly, authentication and billing providers, connected platforms you authorize, and technical information collected through use of the Service.
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising as part of the Service.
To exercise applicable rights, contact our Privacy Officer using the details in Section 15.
14. Changes to This Policy
We may update this Privacy Policy periodically.
If changes are material, we may:
- Update the version number
- Update the effective date
- Provide notice through our website, email, or within the Service
- Where legally required, seek renewed consent or require re-acceptance for related terms
The current version is always available at the official legal URL.
15. Contact
privacy@saascrest.com
Privacy Officer
SaaSCrest Labs Inc.
Nanaimo, British Columbia, Canada
You may contact our Privacy Officer to:
- Request access to your personal information
- Request correction of inaccurate information
- Request deletion of your account and associated data
- Withdraw consent where legally permissible
- Ask questions about our privacy practices
- Challenge our compliance with applicable privacy obligations