1. Introduction
Protobox is operated by Vimix, Inc., a Delaware corporation ("Protobox," "Vimix," "we," "us," or "our"). We respect your privacy and are committed to protecting your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use Protobox — our managed Model Context Protocol (MCP) server hosting platform — together with our websites, applications, APIs, command-line tools, and related services (collectively, the "Services").
Protobox lets you publish your own tools, prompts, skills, and knowledge to a hosted MCP endpoint so that AI agents and assistants (such as Claude, Cursor, ChatGPT, and other MCP-compatible clients) you authorize can connect to and use them.
This Privacy Policy applies to all users of our Services, including visitors, registered users, and customers. By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. For purposes of the GDPR and similar laws, Vimix, Inc. is the controller of the personal information described here.
2. Information We Collect
2.1 Information You Provide Directly
Account and Authentication Information
- Name, email address, and authentication credentials, which are managed through our identity provider (Google Firebase Authentication)
- Workspace and organization details
- Billing and payment information (processed by our payment provider; see Section 5)
Workspace Content You Upload
- Tool and toolset definitions, including any code, configuration, and metadata you create
- Prompts, skills, and instructions
- Knowledge documents and their contents
- API keys, secrets, and connection credentials you store to enable your tools (stored encrypted; see Section 9)
- Support requests and other communications you send to us
You control the content you place in your workspace. This content may contain personal or sensitive information if you choose to include it; you are responsible for ensuring you have the right to upload and process it.
2.2 Information Collected Automatically
Usage and Request Data
- MCP request logs and metadata (such as which tools were invoked, timestamps, and request volume) used to operate the Services and to calculate usage-based billing
- Service feature usage and interactions
- Error logs and diagnostic information
Device and Technical Information
- IP address and approximate location
- Browser type and version
- Operating system and platform
- Device and connection information
Cookies and Similar Technologies
- Essential cookies for authentication and security
- Analytics cookies (with consent where required)
- See Section 12 for details
2.3 Information from Third Parties
- Authentication data from sign-in providers you use (for example, Google) when you log in
- Billing and payment status from our payment processor
We do not collect voice recordings, biometric identifiers, call recordings, or telephony data. Protobox does not process voice or biometric data of any kind.
3. How We Use Your Information
3.1 Primary Purposes
We use your information to:
Provide and Operate the Services
- Host your MCP server and route authorized requests to your tools, prompts, skills, and knowledge
- Store and serve your Workspace Content
- Authenticate users and authorize access to workspaces
Billing and Account Management
- Create and manage accounts and workspaces
- Measure usage and process payments and billing
- Provide customer support and send service-related communications
Security and Compliance
- Detect, prevent, and respond to fraud, abuse, and security threats
- Enforce our Terms of Service and acceptable use rules
- Comply with legal obligations
Improve the Services
- Monitor performance and reliability
- Diagnose and fix problems
- Develop new features
3.2 Legal Bases for Processing (GDPR)
For users in the European Economic Area and the United Kingdom, we process personal data on the following bases:
- Contract Performance — processing necessary to provide the Services you request
- Legitimate Interests — improving and securing the Services and operating our business, where those interests are not overridden by your rights
- Consent — for optional analytics and marketing communications, which you may withdraw at any time
- Legal Obligations — compliance with applicable laws
4. Workspace Content and Customer Data
4.1 You Control Your Content
The tools, prompts, skills, knowledge documents, secrets, and other content you place in your workspace ("Workspace Content") belong to you. We process Workspace Content only to provide the Services to you, as instructed by you through the Services, and as described in this Privacy Policy. Where we process Workspace Content that includes personal information on your behalf, we act as a processor and you act as the controller.
4.2 How Workspace Content Is Used
- We store Workspace Content so that it is available to your hosted MCP server.
- When an AI agent or MCP client you have authorized connects to your endpoint, we route its requests to the relevant tools, prompts, skills, and knowledge and return the results.
- We do not sell Workspace Content, and we do not use the contents of your knowledge documents, prompts, or tool definitions to train machine-learning models.
4.3 Secrets and API Keys
API keys and secrets you store are encrypted at rest. They are decrypted only at runtime when needed to execute a tool you have configured. See Section 9 for more on security.
5. Information Sharing, Disclosure, and Sub-Processors
5.1 We Do Not Sell Personal Information
We do not sell, rent, or trade your personal information to third parties for their commercial purposes.
5.2 Sub-Processors and Service Providers
We rely on a small set of trusted infrastructure and service providers ("sub-processors") to operate the Services. Each processes data only as needed to provide its service to us and is bound by appropriate confidentiality and data-protection obligations. Our current sub-processors include:
| Provider | Purpose | Data involved |
|---|---|---|
| Google LLC (Firebase Authentication) | User authentication and account identity | Account and authentication data |
| Google LLC (Google Cloud Platform) | Supporting infrastructure for Firebase services | Account and authentication data |
| Vercel Inc. | Hosting of the MCP runtime, web application, and marketing site | Request and usage data, technical data |
| Fly.io, Inc. | Hosting of the backend and API platform | Account data, Workspace Content, usage data |
| MongoDB, Inc. (MongoDB Atlas) | Primary application database | Account data, Workspace Content, usage data |
| Stripe, Inc. | Payment processing and billing | Billing and payment data |
| Resend (Plus Five Five, Inc.) | Transactional and notification email delivery | Name, email address |
| Google LLC (Google Analytics) | Website analytics, with consent where required | Technical and usage data |
We may add or change sub-processors as the Services evolve. When we do, we will update this list, and for material changes affecting how personal information is processed, we will provide notice as described in Section 16.
5.3 Other Disclosures
We may also disclose information in the following circumstances:
Legal and Safety
- To comply with legal obligations and respond to lawful requests and legal process
- To protect the rights, property, and safety of Protobox, our users, or the public
- To detect, prevent, or address fraud, security, or technical issues
Business Transfers
- In connection with a merger, acquisition, financing, or sale of assets, or during insolvency proceedings, subject to this Privacy Policy
Aggregated or De-Identified Information
- We may share aggregated or de-identified information that cannot reasonably be used to identify you
5.4 International Data Transfers
We and our sub-processors may process data in the United States and in other countries. Where we transfer personal information out of the European Economic Area, the United Kingdom, or other regions that restrict cross-border transfers, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) or another lawful transfer mechanism. You may contact us for more information about these safeguards.
6. Data Retention
We retain personal information and Workspace Content for as long as your account is active and as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements.
- Account information — retained for the life of the account and for a reasonable period afterward.
- Workspace Content — retained until you delete it or close your workspace, after which it is removed from production systems and purged from backups in the ordinary course of backup rotation.
- Usage and request logs — retained for a limited period for billing, security, and operational purposes, typically up to twelve (12) months unless a longer period is required for legal or security reasons.
- Billing records — retained as required by applicable tax and accounting laws.
When you delete content or close your account, we delete or de-identify the associated data from production systems, and residual copies in backups are purged in the ordinary course of backup rotation.
7. Your Privacy Rights
7.1 Rights for All Users
Subject to applicable law, you have the right to:
- Access the personal information we hold about you
- Correct inaccurate information
- Request deletion of your data
- Export your Workspace Content
- Object to or restrict certain processing
- Opt out of non-essential communications
You can access, export, and delete most Workspace Content directly from your workspace. For other requests, contact us using the details in Section 17.
7.2 California Privacy Rights (CCPA/CPRA)
California residents have the right to know what personal information we collect and how we use it; to request access to and deletion of personal information; to correct inaccurate personal information; to opt out of the sale or sharing of personal information; and not to be discriminated against for exercising these rights. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. You may exercise these rights using the contact details in Section 17, and you may use an authorized agent to submit a request on your behalf.
7.3 European and UK Privacy Rights (GDPR/UK GDPR)
Residents of the EEA and the UK have the rights of access, rectification, erasure, restriction of processing, objection to processing, and data portability, and the right to withdraw consent at any time (without affecting processing carried out before withdrawal). You also have the right to lodge a complaint with your local supervisory authority.
7.4 Other State Privacy Rights
Residents of other U.S. states with comprehensive privacy laws (such as Colorado, Connecticut, Texas, Virginia, and Utah) may have similar rights, including the rights to access, correct, delete, and obtain a portable copy of their personal information, and to opt out of targeted advertising, sale, and certain profiling. Contact us for state-specific information.
8. Exercising Your Rights
To submit a privacy request, email privacy@protobox.ai or contact us through our website. To protect your privacy, we may need to verify your identity before acting on a request, typically by confirming control of the account email. We will respond within the timeframes required by applicable law. We will not discriminate against you for exercising any of these rights.
9. Data Security
We implement technical and organizational measures designed to protect personal information and Workspace Content, including:
- Encryption in transit (TLS) and encryption of stored secrets and API keys at rest
- Workspace isolation so that each customer's data and MCP endpoint are logically separated
- Role-based access controls and least-privilege access for personnel
- Authentication managed through an established identity provider
- Monitoring, logging, and incident-response procedures
No method of electronic storage or transmission is completely secure, and we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify affected users and regulators as required by, and within the timeframes set by, applicable law.
10. Children's Privacy
Our Services are intended for users aged 16 and older and are not directed to children. We do not knowingly collect personal information from anyone under 16 (or under 13 in the United States). If we learn that we have collected such information, we will delete it. If you believe a child has provided us personal information, contact us at privacy@protobox.ai.
11. Marketing and Communications
We send transactional communications (such as service, security, and billing notices) as part of operating the Services. We send marketing or product-update communications only where permitted, and you can opt out at any time using the unsubscribe link in those emails or by contacting us.
12. Cookies and Tracking
We use cookies and similar technologies for the following purposes:
- Essential cookies — required for authentication, security, and core site functionality.
- Analytics cookies — used, with consent where required, to understand how the site is used and to improve it (for example, through Vercel Analytics and Google Analytics).
You can manage cookies through your browser settings and through any cookie-consent controls we provide on our website. We honor recognized opt-out signals (such as Global Privacy Control) where required by law.
13. Third-Party Services and Links
The Services may link to third-party websites and may allow you to connect your workspace and tools to third-party systems you choose. We are not responsible for the privacy practices of those third parties, and we encourage you to review their privacy policies.
14. Automated Processing
Protobox routes requests between AI agents and your hosted tools, prompts, skills, and knowledge, but Protobox itself does not make automated decisions that produce legal or similarly significant effects about you. Any AI outputs are generated by the tools and AI clients you configure and authorize.
15. International Users
Data Controller: Vimix, Inc., 8 The Green, Suite B, Dover, DE 19901, United States.
We are based in the United States, and your information may be processed there and in other countries where our sub-processors operate. See Section 5.4 for the safeguards that apply to international transfers.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will post the updated policy with a new "Last updated" date and, for material changes, provide additional notice (such as by email or an in-product notice). Changes are effective when posted unless stated otherwise.
17. Contact Information
If you have questions about this Privacy Policy or our data practices, contact us:
Protobox — a product of Vimix, Inc. Privacy inquiries: privacy@protobox.ai Mailing address: 8 The Green, Suite B, Dover, DE 19901, United States
By using our Services, you acknowledge that you have read and understood this Privacy Policy.
© 2026 Vimix, Inc. All rights reserved.