Legal
Privacy Policy
1. Introduction
takizen ("we", "us", "our") operates the MCP memory service available at mcp.takizen.xyz and the web interface at takizen.xyz. This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have over it.
We process personal data in accordance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable privacy laws. By using takizen, you agree to the practices described in this policy.
2. Data Controller
The data controller responsible for your personal data is the takizen team. For any privacy-related inquiries, contact us at legal@takizen.xyz.
3. Data We Collect
Account & Authentication
- Email address — used to identify your account and send service notifications.
- API key prefix — the first 10 characters of your key, stored to help you identify keys in the dashboard. The full key is never stored; only a SHA-256 hash of it is kept.
- Terms of Service acceptance — timestamp, IP address, and user agent recorded for legal compliance.
Memory Content
- Memory text — the content you or your AI agent stores via the `remember` tool.
- Tags and metadata — JSONB-structured labels attached to memories.
- Vector embeddings — 1536-dimension numerical representations of memory content, generated via OpenRouter. These are derived data, not the original text, and cannot be reversed to reconstruct content reliably.
- Memory links — typed relationships between memories (e.g., `supports`, `caused_by`).
Usage & Analytics
- API request counts — aggregated monthly counters for `remember`, `recall`, and `forget` calls per namespace.
- Last activity timestamps — when a memory was last recalled.
Audit & Compliance Logs
- Audit log — append-only record of data operations (create, update, delete) on your namespace. Stored for compliance with GDPR Art. 30 record-keeping requirements. Contains operation type, timestamp, affected row ID, actor identifier, and optionally IP address and user agent.
Technical Data
- IP address — logged transiently via Cloudflare infrastructure for abuse prevention. Not stored in our database beyond standard CDN logs.
- User agent — collected at API key creation and ToS acceptance for audit purposes.
4. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Providing the memory service (storing and retrieving memories) | Contract performance (Art. 6(1)(b)) |
| Authentication and API key validation | Contract performance (Art. 6(1)(b)) |
| Abuse prevention and security monitoring | Legitimate interest (Art. 6(1)(f)) |
| Maintaining audit records for compliance | Legal obligation (Art. 6(1)(c)) |
| Sending service notifications (downtime, policy changes) | Legitimate interest (Art. 6(1)(f)) |
| Responding to GDPR data subject requests | Legal obligation (Art. 6(1)(c)) |
We do not sell your data, use it for advertising, or share it with third parties for marketing purposes.
5. Third-Party Services
| Provider | Purpose | Data Shared |
|---|---|---|
| Cloudflare Workers & KV | Runtime compute and cold storage | Request data, archived memories |
| Supabase (EU-West-1) | PostgreSQL database + pgvector | All structured data |
| OpenRouter | Generating vector embeddings | Memory text (for embedding only) |
All providers are contractually bound to process data only as instructed. Our Supabase instance is hosted in the EU (eu-west-1) to ensure GDPR data residency compliance.
6. Data Retention
- Active memories — retained until you explicitly delete them, or until their strength decays to zero through the automated decay process.
- Archived memories — moved to Cloudflare KV cold storage when strength reaches zero; retained for 90 days, then permanently deleted.
- API keys — retained until you revoke them. Key hashes are deleted immediately on revocation.
- Audit logs — retained for 24 months to comply with GDPR record-keeping obligations.
- Account data — retained for 30 days after account deletion request, then permanently erased.
- Usage counters — aggregated monthly stats retained for 12 months.
7. Data Security
We implement technical and organisational measures to protect your data, including: API key hashing (SHA-256), TLS encryption in transit, namespace isolation at the database level, Row-Level Security policies on all tables, and append-only audit logs that cannot be modified or deleted. See our Security page for full details.
8. Your Rights
Under GDPR, you have the right to:
- Access — request a copy of all personal data we hold about you.
- Rectification — correct inaccurate personal data.
- Erasure — request deletion of your data ("right to be forgotten").
- Portability — receive your data in a machine-readable format.
- Restriction — ask us to restrict processing of your data.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise any of these rights, see our GDPR page or contact legal@takizen.xyz. We respond within 30 days.
9. Cookies
The takizen web interface uses only functional, strictly necessary storage: a localStorage key for your UI theme preference (light/dark). No tracking cookies, no analytics pixels, no third-party cookies are used.
10. Changes to This Policy
We may update this policy as our service evolves. Material changes will be communicated by email to registered users and posted on this page with an updated date. Continued use of the service after changes constitutes acceptance of the revised policy.
11. Contact
For privacy-related questions or to submit a data subject request: legal@takizen.xyz