Skip to content
MCP Gateway

Privacy Policy

Last updated: 2026-05-21

This Privacy Policy explains how codebar Solutions AG ("we", "us") collects, uses, and protects personal data when you use the MCP Gateway service and this website. We process personal data in accordance with the Swiss Federal Act on Data Protection (revFADP / revDSG, in force since 1 September 2023) and, where applicable, the EU General Data Protection Regulation (GDPR).

1. Controller

codebar Solutions AG, Hauptstrasse 91, CH-4455 Zunzgen, Switzerland, is the controller responsible for the processing described here. We are not legally required to appoint a data protection officer / advisor and have not done so; data-protection enquiries can be directed to helpdesk@codebar.ch.

2. Scope

This policy covers personal data for which we are the controller — namely the operation of the MCP Gateway service and this website. Where we process personal data on behalf of a customer who connects their own DocuWare environment through the gateway, the customer is the controller and that processing is governed by our Data Processing Agreement.

3. Personal data we process

  • Account data: your name, email address, and a hashed password. Accounts are provisioned by an operator or via magic link; there is no public self-registration. Where an operator creates your account, we receive your account data from that operator.
  • Authentication & session data: sessions, magic-link tokens (stored hashed, valid for 15 minutes), OAuth and API tokens. For security we record the IP address and browser user-agent associated with sessions and magic-link requests.
  • DocuWare connection configuration: instance URLs and OAuth credentials/tokens used to connect your DocuWare environment, stored encrypted at rest.
  • Audit & log data: metadata about actions and requests (actor, event, token issuance, request method/path/status/duration). We do not log document content or request/response bodies.
  • Communications: the content of messages you send us, e.g. by email.

4. Purposes and legal bases

  • Providing and operating the service — performance of a contract (GDPR Art. 6(1)(b); revDSG: contract performance).
  • Authentication, security, abuse prevention, and audit logging — our legitimate interests (GDPR Art. 6(1)(f); revDSG: overriding legitimate interest).
  • Sending magic-link and service emails — performance of a contract / at your request.
  • Complying with legal obligations — GDPR Art. 6(1)(c) and applicable Swiss law.

We do not carry out automated individual decision-making or profiling that produces legal or similarly significant effects.

5. Cookies and local storage

We use only essential cookies required to operate the service — a session cookie and a CSRF-protection token. Because these are strictly necessary, no consent banner is required under Swiss law. We do not use analytics, advertising, or third-party tracking technologies.

6. Recipients and sub-processors

We rely on carefully selected service providers who process data on our behalf:

  • Application hosting — Laravel Cloud (EU region)
  • Database — Neon (PostgreSQL, EU region)
  • Cache, sessions, and OAuth state — managed Redis key-value store (EU)
  • Transactional email — Postmark (USA)
  • Object storage — DigitalOcean Spaces (S3-compatible, EU region)

Your connected DocuWare environment is your own system, not our sub-processor. The full sub-processor list with locations and transfer safeguards is set out in our Data Processing Agreement.

7. International transfers

Processing takes place primarily within the EU/EEA; Switzerland is recognised by the EU as providing an adequate level of data protection. Where data is transferred to a country without an adequacy decision (e.g. the USA for email delivery via Postmark), we rely on appropriate safeguards — either the recipient's certification under the Swiss–U.S. Data Privacy Framework, or, failing that, the EU Standard Contractual Clauses together with the Swiss addendum.

8. Retention

  • Account data — for as long as your account is active, and deleted on request thereafter.
  • Audit logs — by default 365 days, then automatically pruned.
  • Magic-link tokens — 15 minutes.
  • Sessions — for the duration of the session lifetime.
  • OAuth and API tokens — until they expire or are revoked.
  • Communications — for as long as needed to handle your enquiry and any related follow-up.

9. Your rights

Subject to applicable law, you have the right to access, rectification, erasure, restriction of processing, objection, and data portability, and to withdraw consent at any time. To exercise these rights, contact helpdesk@codebar.ch. You may also lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) or, where the GDPR applies, with an EU supervisory authority.

10. Security

We apply appropriate technical and organisational measures, including AES-256 encryption at rest for credentials, tokens, and signing keys, TLS encryption in transit, hashing of passwords and tokens, and role- and tenant-scoped access controls. Further detail is set out in our Data Processing Agreement.

11. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date above reflects the current version.

12. Contact

Questions about this policy: helpdesk@codebar.ch. See also our Imprint.