Effective: March 4, 2026
We collect: (a) your email address, provided through our authentication provider Clerk, for account creation and communication; (b) OAuth tokens from third-party services you connect, encrypted using AES-256-GCM with a key derived from your secret URL; (c) usage metadata including request timestamps and HTTP status codes for service monitoring and debugging.
We explicitly do not collect, store, or have access to: (a) your secret2 encryption key — it exists only in the URL or API key you control; (b) the content of MCP requests or responses proxied through our Service; (c) your plaintext OAuth tokens — we only store the encrypted form, which is useless without your secret2.
Bindify employs a zero-knowledge encryption architecture. OAuth tokens are encrypted at rest using AES-256-GCM with keys derived via HKDF from a secret that is never stored on our servers. This means Bindify employees cannot access your credentials, and a database breach would not expose usable token data. For a detailed technical explanation, see our Security page.
We use your data solely for: (a) providing and maintaining the Service; (b) processing payments through Stripe; (c) communicating with you about your account, including service announcements and support; (d) monitoring service health and debugging issues using aggregated, non-personally-identifiable metadata.
The Service integrates with the following third-party providers:
We use only essential cookies: session cookies set by Clerk for authentication purposes. We do not use advertising or third-party tracking cookies. Cloudflare Analytics, which we use for aggregated traffic metrics, does not use cookies and does not track individual users across websites.
We retain your personal data for as long as your account remains active. Upon account closure or termination, we will delete your personal data, including all encrypted OAuth tokens and connection records, within thirty (30) days. Aggregated, non-personally-identifiable usage metrics may be retained indefinitely for service improvement.
You have the right to: (a) access the personal data we hold about you; (b) request deletion of your personal data; (c) request an export of your data in a portable format; (d) withdraw consent for optional data processing. To exercise any of these rights, contact us at support@bindify.dev. We will respond within thirty (30) days.
The Service is not directed at children under the age of thirteen (13). We do not knowingly collect personal information from children under 13. If we learn that we have collected personal data from a child under 13, we will delete that information promptly.
We may update this Privacy Policy from time to time. We will notify you of material changes via the email address associated with your account. Your continued use of the Service after notification constitutes acceptance of the updated policy.
Privacy questions? Email support@bindify.dev. Security concerns? Email security@bindify.dev.