Privacy Policy

Last updated: May 30, 2026

1. Introduction

VaultGraph ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our managed MCP gateway for e-commerce ("Service"), which lets merchants expose their catalog, cart, checkout, and orders to AI assistants.

Please read this Privacy Policy carefully. By using the Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Merchant-Provided Information

When a merchant signs up for and operates the Service, we collect information that the merchant provides directly:

  • Workspace and account information (business name, contact name, email address, billing details)
  • Authentication and authorization data, including API keys and OAuth tokens used to connect commerce backends
  • Catalog content, pricing, inventory, and other commerce data routed through the Service
  • Configuration of AI surfaces, tools, and access policies
  • Support communications and feedback

2.2 Shopper Interaction Data

When shoppers interact with an AI assistant routed through our managed MCP gateway, the Service processes information needed to fulfil the request:

  • Conversation content shared with the AI assistant in order to search the catalog, build a cart, or complete checkout
  • Cart and order details required to complete a transaction against the merchant's commerce stack
  • Shopper identifiers and shipping or contact details when voluntarily provided to complete an order

We do not process or store full payment-card numbers. Payments are handled directly by the merchant's payment processor.

2.3 Automatically Collected Information

When you use the Service, we automatically collect:

  • Usage data (features accessed, tools called, timestamps)
  • Device information (IP address, browser type, operating system)
  • Cookies and similar technologies (see Section 8)
  • Log data (API calls, error logs, latency and performance metrics)

3. How We Use Information

We use the collected information to:

  • Provide, maintain, secure, and improve the Service
  • Route AI assistant requests to the appropriate commerce backend and return results
  • Produce signed, tamper-evident logs of AI assistant actions so merchants can audit agent activity
  • Authenticate users and prevent fraud and abuse
  • Send important notifications about accounts, billing, or security
  • Respond to support requests and feedback
  • Analyze usage patterns to improve performance and reliability
  • Comply with legal obligations and enforce our Terms of Service

4. Information Sharing and Disclosure

4.1 Merchant Isolation

Each merchant workspace is isolated. One merchant cannot access another merchant's catalog, configuration, or shopper interactions through the Service.

4.2 External AI Assistants and Commerce Backends

When a merchant exposes their workspace through the public MCP gateway or connects an external AI assistant, the information required to satisfy each request (such as relevant catalog data, cart state, or order status) is shared with that assistant. When the Service routes commerce actions to a merchant's connected backend (such as a headless commerce platform or a payment processor), the relevant request data is shared with that backend.

Those third parties operate under their own privacy practices. We do not control how external AI assistants or commerce platforms further process data once it has been transmitted to them at the merchant's direction.

4.3 Service Providers and Legal Disclosures

We share information only as needed:

  • With your explicit consent
  • With service providers who help operate the Service (such as hosting, observability, and analytics), under appropriate confidentiality and processing terms
  • To comply with legal requirements or respond to lawful requests
  • To protect our rights, privacy, safety, or property
  • In connection with a merger, acquisition, or sale of assets (with notice to you)

5. Data Security

We implement technical and organizational measures designed to protect information processed through the Service, including:

  • Encryption of data in transit and at rest
  • Strict access controls and authentication mechanisms
  • Per-tenant authorization at the API and data-layer boundaries
  • Cryptographic signing of audit records of AI assistant actions
  • Regular security review of infrastructure and dependencies

No system is perfectly secure. While we work to protect information, we cannot guarantee absolute security.

6. Data Retention

We retain information for as long as necessary to provide the Service and fulfil the purposes described in this Privacy Policy. Audit records of AI assistant actions are retained for a period reasonable to support merchant audit and dispute workflows.

Merchants may request deletion of workspace data, and shoppers may exercise the rights described in Section 7, subject to applicable legal obligations and legitimate business needs.

7. Your Privacy Rights

Depending on your location, you may have rights to:

  • Access your personal information
  • Correct inaccurate information
  • Request deletion of your information (subject to limitations)
  • Object to or restrict certain processing activities
  • Request data portability
  • Withdraw consent (where processing is based on consent)

Shoppers should generally exercise these rights through the merchant whose store they interacted with. To exercise rights directly against VaultGraph, contact us at legal@vaultgraph.com.

8. Cookies and Tracking Technologies

We use cookies and similar technologies on our marketing and product surfaces to keep you signed in, remember preferences, and understand usage. You can instruct your browser to refuse cookies, but some functionality may be limited.

We may use privacy-conscious analytics tools to understand how visitors interact with the Service. Where required, we provide controls to opt in or out of non-essential tracking.

9. Third-Party Services

The Service integrates with third-party platforms — including commerce backends, payment processors, and external AI assistants — that you choose to connect. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.

10. Children's Privacy

The Service is not intended for children under 13. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, please contact us, and we will take steps to delete it.

11. International Data Transfers

Your information may be transferred to and processed in countries other than your own, where data-protection laws may differ. By using the Service, you consent to such transfers under appropriate safeguards.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and revising the "Last updated" date.

13. Contact Us

If you have any questions about this Privacy Policy, please contact us at legal@vaultgraph.com.