Privacy Policy

How we process personal data in connection with our website and MCP hosting service.

Last updated: 23 April 2026 · Version 2.0

This Privacy Policy explains how we process personal data in connection with our website (bridge.ls) and our MCP hosting service (the "Service"). It is written to comply with Regulation (EU) 2016/679 (GDPR), the German Federal Data Protection Act (BDSG), and the German Telecommunications Digital Services Data Protection Act (TDDDG).

1. Controller

The controller responsible for the processing of personal data described in this policy is:

Gabriel Beslic (Einzelunternehmen)
Homburger Landstraße 455
60433 Frankfurt am Main
Germany

Email: gabriel@bridge.ls
Privacy inquiries: privacy@bridge.ls

Our separate legal notice (Imprint) is available at bridge.ls/imprint.

2. Data Protection Officer

We have assessed our obligation to appoint a Data Protection Officer ("DPO") under Art. 37 GDPR and § 38 BDSG and concluded that no appointment is required. In particular:

  • fewer than 20 persons are regularly engaged in the automated processing of personal data (§ 38(1) BDSG);
  • our core activities do not consist of processing operations that, by their nature, scope, or purposes, require regular and systematic monitoring of data subjects on a large scale (Art. 37(1)(b) GDPR) — we do not log or store the payloads of MCP requests or responses (see Section 5); and
  • we do not process special categories of personal data on a large scale (Art. 37(1)(c) GDPR).

We review this assessment periodically and will appoint a DPO and update this policy if the legal threshold is met. For any privacy-related inquiry, please contact privacy@bridge.ls.

3. Our role under the GDPR

We act in two capacities, depending on the data in question:

  • As controller, we determine the purposes and means of processing personal data relating to our website visitors, our account holders (the individuals who register and administer an account with us), our billing contacts, and individuals who contact us directly. This policy describes that processing.
  • As processor, we process personal data on behalf of our business customers when we host MCP (Model Context Protocol) endpoints that they deploy on our Service. Any personal data that flows through those endpoints at runtime is processed strictly on the customer's documented instructions, under the terms of the Data Processing Agreement (DPA) concluded with that customer (Art. 28 GDPR). This policy does not govern that processing; the DPA does.

We are not a joint controller (Art. 26 GDPR) with our customers in respect of MCP endpoint traffic.

4. Categories of data we process, purposes, and legal bases

The following table summarises our processing activities as controller:

Website server logs (IP address, user agent, referrer, timestamp, requested URL)
  Purpose: Providing the website, ensuring security and stability
  Legal basis: Art. 6(1)(f) GDPR – legitimate interest in a secure and stable website
  Retention: 7 days, unless needed for an ongoing security investigation (then: until investigation concluded)

Account data (name, business email, password hash, account settings)
  Purpose: Providing the Service, account administration, customer support
  Legal basis: Art. 6(1)(b) GDPR – performance of contract
  Retention: Duration of account + 30 days after termination; statutory tax/commercial retention periods may apply to related records

MCP endpoint metadata (timestamps, HTTP status codes, endpoint identifiers, aggregate throughput)
  Purpose: Operating and monitoring the Service, billing, abuse prevention
  Legal basis: Art. 6(1)(b) GDPR – performance of contract; Art. 6(1)(f) GDPR – legitimate interest in service integrity and security
  Retention: Up to 12 months

Billing and invoicing data (name, postal address, VAT ID, transaction records)
  Purpose: Issuing and recording invoices, tax compliance
  Legal basis: Art. 6(1)(b) GDPR – performance of contract; Art. 6(1)(c) GDPR – legal obligation (§ 147 AO, § 257 HGB)
  Retention: 10 years from end of the calendar year in which the document was issued

Support correspondence (email content, contact details)
  Purpose: Responding to inquiries and support requests
  Legal basis: Art. 6(1)(b) GDPR – (pre-)contractual measures; Art. 6(1)(f) GDPR – legitimate interest in responding to and documenting inquiries
  Retention: Up to 3 years after case closure

Transactional email events (delivery, bounce, open status for service emails)
  Purpose: Delivering and monitoring transactional emails
  Legal basis: Art. 6(1)(b) GDPR – performance of contract; Art. 6(1)(f) GDPR – legitimate interest in deliverability
  Retention: Up to 12 months

Source of data. We collect personal data directly from the data subject during account creation, Service use, and correspondence. Where a business customer provides us with the contact details of its employees (e.g. a named billing contact or administrator), that data is received from the customer; we inform those individuals via this policy on first contact (Art. 14 GDPR).

Is data provision mandatory? Provision of account and billing data is required to conclude and perform the contract. Without this data, we cannot provide the Service (Art. 13(2)(e) GDPR). Other data (e.g. optional support information) is provided voluntarily.

No special categories. We do not intentionally process special categories of personal data within the meaning of Art. 9 GDPR.

No automated decision-making. We do not engage in automated decision-making or profiling with legal or similarly significant effect within the meaning of Art. 22 GDPR.

5. MCP endpoint traffic

When customers deploy MCP endpoints to the Service, requests and responses flow through our infrastructure. We do not log, store, or inspect request or response payloads. We log only metadata such as timestamps, HTTP status codes, endpoint identifiers, and aggregate throughput data, which we use for operating the Service, billing, and abuse prevention.

We currently do not store customer API credentials at rest. Ephemeral credentials may transit our infrastructure in-memory for the duration of a single request. If our architecture changes in a way that alters this commitment, we will update this policy and notify affected customers in accordance with the DPA at least 30 days in advance.

6. Sub-processors and recipients

We engage a small number of carefully selected service providers that may process personal data on our behalf as sub-processors. We have concluded data processing agreements with each of them pursuant to Art. 28 GDPR. The current list is:

Vercel Inc.
  Purpose: Application hosting and deployment platform
  Location: United States (EU regions used where available)
  Transfer mechanism: EU–US Data Privacy Framework (certified)
  DPA: vercel.com/legal/dpa

Cloudflare, Inc.
  Purpose: Content delivery network, edge compute, DDoS protection, DNS
  Location: United States (global edge network)
  Transfer mechanism: EU–US Data Privacy Framework (certified)
  DPA: cloudflare.com/cloudflare-customer-dpa

Brevo SAS (formerly Sendinblue SAS)
  Purpose: Transactional email delivery
  Location: France (European Union)
  Transfer mechanism: Intra-EEA processing — no transfer mechanism required
  DPA: brevo.com/legal/termsofuse/dpa

We will provide at least 30 days' advance notice before adding or replacing a sub-processor, either by updating this policy, by email to the account's primary contact, or via the Service. If a customer objects to a new sub-processor on reasonable data-protection grounds, the customer may terminate the affected part of the Service as set out in our DPA.

We may also share personal data with professional advisors (accountants, tax advisors, lawyers) bound by statutory confidentiality obligations, and with public authorities where legally required.

7. International data transfers

Some of our sub-processors are established in third countries outside the EEA, in particular the United States. Transfers of personal data to these sub-processors take place under the EU–US Data Privacy Framework (Art. 45 GDPR), the adequacy decision adopted by the European Commission on 10 July 2023 (C(2023) 4745 final).

Each US-based sub-processor listed in Section 6 is actively certified under the Framework. You can verify the current certification status of any such entity in the official list maintained by the U.S. Department of Commerce at dataprivacyframework.gov/list.

Under Art. 45 GDPR, transfers made on the basis of a valid adequacy decision do not require any further authorisation and are treated as equivalent to transfers within the EEA. If the Framework is invalidated or a sub-processor loses its certification, we will promptly implement an alternative transfer mechanism (such as the European Commission's Standard Contractual Clauses) or replace the sub-processor, and will update this policy accordingly.

Copies of the relevant safeguards can be requested at privacy@bridge.ls.

8. Your rights

Under Articles 15 to 22 and 77 GDPR, you have the right to:

  • Access (Art. 15) – obtain confirmation of whether we process your data and, if so, a copy of that data;
  • Rectification (Art. 16) – have inaccurate or incomplete data corrected;
  • Erasure (Art. 17) – have your data deleted, subject to legal retention obligations;
  • Restriction (Art. 18) – request that we limit processing in certain circumstances;
  • Data portability (Art. 20) – receive your data in a structured, commonly used, machine-readable format;
  • Objection (Art. 21) – object to processing based on legitimate interests (including on grounds relating to your particular situation), and at any time to direct marketing;
  • Withdrawal of consent (Art. 7(3)) – withdraw consent at any time, where processing is based on consent, without affecting the lawfulness of prior processing;
  • Complaint (Art. 77) – lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement. The authority competent for our establishment is:
      Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
      Postfach 3163, 65021 Wiesbaden, Germany
      https://datenschutz.hessen.de

Exercising your rights. To exercise any of these rights, contact us at privacy@bridge.ls. To protect your data against unauthorised requests, we may ask you to verify your identity by responding from the email address associated with your account or by providing information that allows us to confirm your identity by equivalent means. We will respond within one month of receipt (Art. 12(3) GDPR). Where requests are complex or numerous, we may extend this period by a further two months and will inform you of the extension and its reasons within the first month.

Exercising your rights is free of charge, except where requests are manifestly unfounded or excessive (Art. 12(5) GDPR).

9. Security

We implement appropriate technical and organisational measures pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk, including:

  • encryption of personal data in transit (TLS 1.2+) and at rest on our hosting infrastructure;
  • role-based access controls and the principle of least privilege for all personnel and systems;
  • multi-factor authentication for administrative access;
  • segregation of production and non-production environments;
  • regular backups, with restoration tested periodically;
  • logging and monitoring of security-relevant events;
  • a documented incident response procedure, including assessment, containment, and notification workflows;
  • regular review of our sub-processors' security posture.

A detailed summary of our Technical and Organisational Measures (TOMs) is available to customers as an annex to our DPA.

10. Data breaches

In the event of a personal data breach within the meaning of Art. 4(12) GDPR, we will:

  • notify the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Art. 33 GDPR); and
  • notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34 GDPR).

Where we act as processor, we will notify the relevant controller customer without undue delay, as specified in our DPA.

11. Cookies and tracking

Our website uses only strictly necessary cookies required for the operation of the Service (in particular, authentication session cookies). The legal basis is § 25(2) No. 2 TDDDG — the storage is strictly necessary so that we can provide the service you have explicitly requested — in combination with Art. 6(1)(f) GDPR (legitimate interest in securely operating the Service).

We do not use third-party advertising cookies, analytics trackers, or cross-site tracking. If we introduce analytics, A/B testing, or similar technologies in the future, we will update this policy and, where legally required, obtain your prior consent through a compliant consent management platform (§ 25(1) TDDDG).

12. Children

The Service is directed at business users and is not intended for persons under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at privacy@bridge.ls and we will take steps to delete it.

13. Social media links

Our website may contain links to our profiles on third-party platforms (e.g., LinkedIn, GitHub, X). Clicking such a link will take you to those platforms, which operate under their own privacy policies and terms. We do not embed social plugins or similar "like" buttons that transmit data to these platforms without your active navigation (i.e., we use a two-click or pure-link approach only).

14. Changes to this policy

We may update this policy from time to time to reflect changes in our processing activities or legal requirements. The "Last updated" date at the top indicates when it was last revised. For material changes affecting your rights or the use of your data, we will notify account holders via email and — where legally required — obtain renewed consent before the change takes effect.

Previous versions are archived and available on request.

15. Contact

For any questions about this policy or our processing of your personal data:

Email: privacy@bridge.ls
Post: Gabriel Beslic, Homburger Landstraße 455, 60433 Frankfurt am Main, Germany