Privacy Policy

Last updated: 13 May 2026

This policy describes how Sidcom AB, Sweden ("we", "us") collects and uses information when you use the Sidcom MCP platform at sidcom.app and its integration subdomains ("the Service").

1. Information we process

  • Authentication tokens. For OAuth-based integrations (e.g. Fortnox), we store the access and refresh tokens issued by the third-party provider. For credential-based integrations (e.g. Valu8), the credentials you enter are sent directly to the provider in exchange for an access token; we do not store the credentials themselves, only the resulting token.
  • MCP session tokens. Short-lived tokens issued by the Service to your AI client (Claude Desktop, Claude Code) so it can call the integration on your behalf.
  • Business data in transit. Whatever your AI client requests through the integration — invoices, customers, company data, etc. — passes through the Service while a tool call is executing. It is not persisted, logged in identifiable form, or shared.
  • Technical data. IP address and standard request metadata captured by our hosting provider for security, abuse-prevention, and reliability.

2. How we use it

  • To authenticate you to third-party providers and to your AI client.
  • To execute the API calls your AI client initiates against the connected provider.
  • To prevent abuse, debug issues, and keep the Service available.
  • To contact you about your account, security, or significant changes to the Service.

3. Storage and retention

  • OAuth tokens are stored in Cloudflare KV with a lifetime bounded by the third-party refresh token (typically up to 44 days for Fortnox).
  • Credential-flow access tokens are stored in Cloudflare KV for up to 365 days. The Service automatically re-authenticates if the token expires.
  • Business data passing through tool calls is not persisted by the Service.
  • You can delete stored tokens at any time by revoking access at the third-party provider, or by contacting us.

4. Subprocessors

We rely on the following third parties to deliver the Service. Each is contractually bound to handle data only on our instructions.

The third-party providers you connect to (Fortnox, Valu8, and so on) are not our subprocessors — they are independent controllers of the data you exchange with them. Their own privacy policies apply.

5. Cookies and local storage

The Service does not set tracking or advertising cookies. Short-lived state needed for the OAuth/PKCE handshake may be kept during a sign-in flow. A sidcom_lang cookie may be set when you pick a language manually; it stores only your locale preference.

6. Your rights (GDPR)

If you are in the EEA, UK, or Switzerland, you have the right to access, correct, port, or delete the personal data we hold about you, and to object to or restrict our processing of it. To exercise any of these rights, contact us at hello@sidcom.app.

7. International transfers

Our hosting provider may process data outside the EEA. Where it does, transfers are governed by Standard Contractual Clauses or equivalent safeguards.

8. Security

We use TLS for all network traffic, store tokens in a managed key-value store, and verify MCP/OAuth tokens on every request. No system is perfect — if you spot a security issue, please report it to hello@sidcom.app.

9. Changes

We may update this policy. The "Last updated" date above reflects the current version. Significant changes will be highlighted on this page.

10. Contact

Questions about this policy or your data: hello@sidcom.app