ProtoboxProtobox

Protobox Privacy Policy

Last updated June 21, 2026

1. Introduction

Protobox is operated by Vimix, Inc., a Delaware corporation ("Protobox," "Vimix," "we," "us," or "our"). We respect your privacy and are committed to protecting your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use Protobox — our managed Model Context Protocol (MCP) server hosting platform — together with our websites, applications, APIs, command-line tools, and related services (collectively, the "Services").

Protobox lets you publish your own tools, prompts, skills, and knowledge to a hosted MCP endpoint so that AI agents and assistants (such as Claude, Cursor, ChatGPT, and other MCP-compatible clients) you authorize can connect to and use them.

This Privacy Policy applies to all users of our Services, including visitors, registered users, and customers. By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. For purposes of the GDPR and similar laws, Vimix, Inc. is the controller of the personal information described here.

2. Information We Collect

2.1 Information You Provide Directly

Account and Authentication Information

  • Name, email address, and authentication credentials, which are managed through our identity provider (Google Firebase Authentication)
  • Workspace and organization details
  • Billing and payment information (processed by our payment provider; see Section 5)

Workspace Content You Upload

  • Tool and toolset definitions, including any code, configuration, and metadata you create
  • Prompts, skills, and instructions
  • Knowledge documents and their contents
  • API keys, secrets, and connection credentials you store to enable your tools (stored encrypted; see Section 9)
  • Support requests and other communications you send to us

You control the content you place in your workspace. This content may contain personal or sensitive information if you choose to include it; you are responsible for ensuring you have the right to upload and process it.

2.2 Information Collected Automatically

Usage and Request Data

  • MCP request logs and metadata (such as which tools were invoked, timestamps, and request volume) used to operate the Services and to calculate usage-based billing
  • Service feature usage and interactions
  • Error logs and diagnostic information

Device and Technical Information

  • IP address and approximate location
  • Browser type and version
  • Operating system and platform
  • Device and connection information

Cookies and Similar Technologies

  • Essential cookies for authentication and security
  • Analytics cookies (with consent where required)
  • See Section 12 for details

2.3 Information from Third Parties

  • Authentication data from sign-in providers you use (for example, Google) when you log in
  • Billing and payment status from our payment processor

We do not collect voice recordings, biometric identifiers, call recordings, or telephony data. Protobox does not process voice or biometric data of any kind.

3. How We Use Your Information

3.1 Primary Purposes

We use your information to:

Provide and Operate the Services

  • Host your MCP server and route authorized requests to your tools, prompts, skills, and knowledge
  • Store and serve your Workspace Content
  • Authenticate users and authorize access to workspaces

Billing and Account Management

  • Create and manage accounts and workspaces
  • Measure usage and process payments and billing
  • Provide customer support and send service-related communications

Security and Compliance

  • Detect, prevent, and respond to fraud, abuse, and security threats
  • Enforce our Terms of Service and acceptable use rules
  • Comply with legal obligations

Improve the Services

  • Monitor performance and reliability
  • Diagnose and fix problems
  • Develop new features

For users in the European Economic Area and the United Kingdom, we process personal data on the following bases:

  • Contract Performance — processing necessary to provide the Services you request
  • Legitimate Interests — improving and securing the Services and operating our business, where those interests are not overridden by your rights
  • Consent — for optional analytics and marketing communications, which you may withdraw at any time
  • Legal Obligations — compliance with applicable laws

4. Workspace Content and Customer Data

4.1 You Control Your Content

The tools, prompts, skills, knowledge documents, secrets, and other content you place in your workspace ("Workspace Content") belong to you. We process Workspace Content only to provide the Services to you, as instructed by you through the Services, and as described in this Privacy Policy. Where we process Workspace Content that includes personal information on your behalf, we act as a processor and you act as the controller.

4.2 How Workspace Content Is Used

  • We store Workspace Content so that it is available to your hosted MCP server.
  • When an AI agent or MCP client you have authorized connects to your endpoint, we route its requests to the relevant tools, prompts, skills, and knowledge and return the results.
  • We do not sell Workspace Content, and we do not use the contents of your knowledge documents, prompts, or tool definitions to train machine-learning models.

4.3 Secrets and API Keys

API keys and secrets you store are encrypted at rest. They are decrypted only at runtime when needed to execute a tool you have configured. See Section 9 for more on security.

5. Information Sharing, Disclosure, and Sub-Processors

5.1 We Do Not Sell Personal Information

We do not sell, rent, or trade your personal information to third parties for their commercial purposes.

5.2 Sub-Processors and Service Providers

We rely on a small set of trusted infrastructure and service providers ("sub-processors") to operate the Services. Each processes data only as needed to provide its service to us and is bound by appropriate confidentiality and data-protection obligations. Our current sub-processors include:

ProviderPurposeData involved
Google LLC (Firebase Authentication)User authentication and account identityAccount and authentication data
Google LLC (Google Cloud Platform)Supporting infrastructure for Firebase servicesAccount and authentication data
Vercel Inc.Hosting of the MCP runtime, web application, and marketing siteRequest and usage data, technical data
Fly.io, Inc.Hosting of the backend and API platformAccount data, Workspace Content, usage data
MongoDB, Inc. (MongoDB Atlas)Primary application databaseAccount data, Workspace Content, usage data
Stripe, Inc.Payment processing and billingBilling and payment data
Resend (Plus Five Five, Inc.)Transactional and notification email deliveryName, email address
Google LLC (Google Analytics)Website analytics, with consent where requiredTechnical and usage data

We may add or change sub-processors as the Services evolve. When we do, we will update this list, and for material changes affecting how personal information is processed, we will provide notice as described in Section 16.

5.3 Other Disclosures

We may also disclose information in the following circumstances:

Legal and Safety

  • To comply with legal obligations and respond to lawful requests and legal process
  • To protect the rights, property, and safety of Protobox, our users, or the public
  • To detect, prevent, or address fraud, security, or technical issues

Business Transfers

  • In connection with a merger, acquisition, financing, or sale of assets, or during insolvency proceedings, subject to this Privacy Policy

Aggregated or De-Identified Information

  • We may share aggregated or de-identified information that cannot reasonably be used to identify you

5.4 International Data Transfers

We and our sub-processors may process data in the United States and in other countries. Where we transfer personal information out of the European Economic Area, the United Kingdom, or other regions that restrict cross-border transfers, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) or another lawful transfer mechanism. You may contact us for more information about these safeguards.

6. Data Retention

We retain personal information and Workspace Content for as long as your account is active and as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements.

  • Account information — retained for the life of the account and for a reasonable period afterward.
  • Workspace Content — retained until you delete it or close your workspace, after which it is removed from production systems and purged from backups in the ordinary course of backup rotation.
  • Usage and request logs — retained for a limited period for billing, security, and operational purposes, typically up to twelve (12) months unless a longer period is required for legal or security reasons.
  • Billing records — retained as required by applicable tax and accounting laws.

When you delete content or close your account, we delete or de-identify the associated data from production systems, and residual copies in backups are purged in the ordinary course of backup rotation.

7. Your Privacy Rights

7.1 Rights for All Users

Subject to applicable law, you have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate information
  • Request deletion of your data
  • Export your Workspace Content
  • Object to or restrict certain processing
  • Opt out of non-essential communications

You can access, export, and delete most Workspace Content directly from your workspace. For other requests, contact us using the details in Section 17.

7.2 California Privacy Rights (CCPA/CPRA)

California residents have the right to know what personal information we collect and how we use it; to request access to and deletion of personal information; to correct inaccurate personal information; to opt out of the sale or sharing of personal information; and not to be discriminated against for exercising these rights. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. You may exercise these rights using the contact details in Section 17, and you may use an authorized agent to submit a request on your behalf.

7.3 European and UK Privacy Rights (GDPR/UK GDPR)

Residents of the EEA and the UK have the rights of access, rectification, erasure, restriction of processing, objection to processing, and data portability, and the right to withdraw consent at any time (without affecting processing carried out before withdrawal). You also have the right to lodge a complaint with your local supervisory authority.

7.4 Other State Privacy Rights

Residents of other U.S. states with comprehensive privacy laws (such as Colorado, Connecticut, Texas, Virginia, and Utah) may have similar rights, including the rights to access, correct, delete, and obtain a portable copy of their personal information, and to opt out of targeted advertising, sale, and certain profiling. Contact us for state-specific information.

8. Exercising Your Rights

To submit a privacy request, email privacy@protobox.ai or contact us through our website. To protect your privacy, we may need to verify your identity before acting on a request, typically by confirming control of the account email. We will respond within the timeframes required by applicable law. We will not discriminate against you for exercising any of these rights.

9. Data Security

We implement technical and organizational measures designed to protect personal information and Workspace Content, including:

  • Encryption in transit (TLS) and encryption of stored secrets and API keys at rest
  • Workspace isolation so that each customer's data and MCP endpoint are logically separated
  • Role-based access controls and least-privilege access for personnel
  • Authentication managed through an established identity provider
  • Monitoring, logging, and incident-response procedures

No method of electronic storage or transmission is completely secure, and we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify affected users and regulators as required by, and within the timeframes set by, applicable law.

10. Children's Privacy

Our Services are intended for users aged 16 and older and are not directed to children. We do not knowingly collect personal information from anyone under 16 (or under 13 in the United States). If we learn that we have collected such information, we will delete it. If you believe a child has provided us personal information, contact us at privacy@protobox.ai.

11. Marketing and Communications

We send transactional communications (such as service, security, and billing notices) as part of operating the Services. We send marketing or product-update communications only where permitted, and you can opt out at any time using the unsubscribe link in those emails or by contacting us.

12. Cookies and Tracking

We use cookies and similar technologies for the following purposes:

  • Essential cookies — required for authentication, security, and core site functionality.
  • Analytics cookies — used, with consent where required, to understand how the site is used and to improve it (for example, through Vercel Analytics and Google Analytics).

You can manage cookies through your browser settings and through any cookie-consent controls we provide on our website. We honor recognized opt-out signals (such as Global Privacy Control) where required by law.

The Services may link to third-party websites and may allow you to connect your workspace and tools to third-party systems you choose. We are not responsible for the privacy practices of those third parties, and we encourage you to review their privacy policies.

14. Automated Processing

Protobox routes requests between AI agents and your hosted tools, prompts, skills, and knowledge, but Protobox itself does not make automated decisions that produce legal or similarly significant effects about you. Any AI outputs are generated by the tools and AI clients you configure and authorize.

15. International Users

Data Controller: Vimix, Inc., 8 The Green, Suite B, Dover, DE 19901, United States.

We are based in the United States, and your information may be processed there and in other countries where our sub-processors operate. See Section 5.4 for the safeguards that apply to international transfers.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will post the updated policy with a new "Last updated" date and, for material changes, provide additional notice (such as by email or an in-product notice). Changes are effective when posted unless stated otherwise.

17. Contact Information

If you have questions about this Privacy Policy or our data practices, contact us:

Protobox — a product of Vimix, Inc. Privacy inquiries: privacy@protobox.ai Mailing address: 8 The Green, Suite B, Dover, DE 19901, United States


By using our Services, you acknowledge that you have read and understood this Privacy Policy.

© 2026 Vimix, Inc. All rights reserved.