Privacy Policy — MCP Bridge — AI for Bitrix24
Effective date: 2026-06-05
Version: 1.2
1. Introduction
This Privacy Policy describes how HUB DESPACHOS Y PYMES S.L. (“HUB Consultores”, “we”, “us”) collects, uses, stores, and protects personal data when you (the “User”) install and use the MCP Bridge for Bitrix24 application (the “Software”) on a Bitrix24 portal.
This Policy is governed by the European Union General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and the Spanish Organic Law on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD — Ley Orgánica 3/2018).
By installing the Software, the User accepts the practices described in this Policy. If the User does not agree, they must not install or use the Software.
2. Data Controller and Data Protection Officer
Data Controller:
- HUB DESPACHOS Y PYMES S.L.
- Tax ID (CIF): B76816875
- Address: Avenida Benito Pérez Armas, 2 - PTL 2,6 B, Santa Cruz de Tenerife, Spain
- Email: [email protected]
- Phone: +34 822 684 008
Data Protection Officer (DPO): HUB Consultores has not formally designated a DPO because its processing operations do not meet the mandatory criteria of GDPR Article 37. For privacy-related requests, please contact us directly at [email protected] with the subject line “MCP Bridge — Privacy Request”.
3. Our Role: Controller vs Processor
The Software involves two distinct processing scenarios:
3.1 We act as Data Controller for:
- Authentication credentials and routing data (OAuth tokens, mcp_token, member_id, user_id)
- Records of authorized client applications (Connected Apps)
- Operational telemetry (request logs, metric counters, error reports)
These are processed to operate the Software and constitute our own business records. The provisions in this Policy fully apply to them.
3.2 We act as Data Processor for:
- CRM data (leads, deals, contacts, companies, tasks, comments, files) that the User’s organization stores in Bitrix24 and that transits through the Software in real time when the User issues a request via an AI assistant.
In this scenario, the User’s organization is the Data Controller of that CRM data, and HUB Consultores acts as Data Processor on their behalf under GDPR Article 28. The terms governing this processor relationship are set out in our Data Processing Agreement (DPA) available at https://mcp.hubtool.net/legal/dpa-en, which forms part of the EULA accepted at installation.
We do not store the CRM data: we forward it directly from Bitrix24 to the AI assistant the User has authorized. No copy or cache of CRM content is retained in our infrastructure beyond the duration of the specific HTTP request.
4. Information We Collect (as Data Controller)
We process the minimum amount of data strictly necessary to operate the Software. Categories collected:
4.1 Authentication and routing data
- OAuth access and refresh tokens issued by Bitrix24 when the User installs the Software. Used to make API requests to the User’s Bitrix24 portal on the User’s behalf.
- MCP token (mcp_token) generated by us when the Software is installed. Used by AI assistants to authenticate against the Software on each request.
- Bitrix24 portal identifier (member_id), user identifier (user_id), and portal domain (e.g., example.bitrix24.com). Used for multi-tenant routing. Note: member_id and user_id are pseudonymous identifiers under GDPR Recital 26, meaning they can be linked back to a natural person and are therefore considered personal data.
4.2 Authorized client applications
- Records of third-party MCP clients (such as Claude.ai, ChatGPT) that the User has authorized to use the Software via OAuth 2.1. Each record contains the client name, client ID, and the timestamp of authorization.
4.3 Operational telemetry
- Request logs with a correlation ID. These logs contain HTTP metadata (method, status code, duration), the name of the tool called, the member_id, and the user_id. They do not contain the content of the request payloads or the User’s CRM data.
- Aggregate metric counters (number of tool calls per type, error rates, response times) used for service monitoring. Each event is linked to a member_id and user_id — pseudonymous personal data.
- Error reports sent to Sentry, our error-monitoring provider, when the Software encounters unexpected exceptions. Error reports may include stack traces and HTTP metadata but do not include the User’s CRM data, request bodies, authentication tokens, cookies, or session identifiers. This is enforced by two layers in the Sentry SDK initialisation: (i) send_default_pii=False, which suppresses the SDK’s automatic capture of cookies, headers and user context; and (ii) a custom before_send filter that replaces any stack-trace local variable whose name matches a CRM-shaped pattern (e.g., tasks, items, leads, contacts, email, phone) with a redaction placeholder before the event leaves the application process.
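A sketch of the kind of before_send filter Section 4.3 describes, added here as an illustration; it is not HUB Consultores' code. The name pattern, the placeholder text, the `redacted_locals` counter and the sample event are assumptions constructed for the example.

```python
import re

# Assumed pattern: the policy names tasks, items, leads, contacts, email and
# phone only as examples; the real filter's full list is not published.
CRM_NAME = re.compile(r"(task|item|lead|deal|contact|compan|email|phone)", re.I)
REDACTED = "[redacted]"  # placeholder text is an assumption

# Constructed sample in Sentry's event layout: locals captured per stack frame
# live under exception.values[].stacktrace.frames[].vars as serialized strings.
SAMPLE_EVENT = {
    "exception": {"values": [{
        "type": "KeyError",
        "value": "'ID'",
        "stacktrace": {"frames": [
            {"function": "dispatch",
             "vars": {"tool_name": "'crm.lead.list'"}},
            {"function": "list_leads",
             "vars": {"leads": "[{'NAME': 'Ana', 'PHONE': '+34 600 000 000'}]",
                      "contact_email": "'ana@example.com'",
                      "page_size": "50"}},
        ]},
    }]},
}


def _scrub_frames(stacktrace):
    """Redact CRM-shaped locals in one stacktrace; return how many were hit."""
    count = 0
    for frame in (stacktrace or {}).get("frames") or []:
        local_vars = frame.get("vars")
        if not isinstance(local_vars, dict):
            continue
        for name in local_vars:
            if CRM_NAME.search(name) and local_vars[name] != REDACTED:
                local_vars[name] = REDACTED
                count += 1
    return count


def before_send(event, hint):
    """Sentry before_send hook: return the event to send it, None to drop it."""
    redacted = 0
    # Stack traces can appear under both "exception" and "threads".
    for section in ("exception", "threads"):
        for entry in (event.get(section) or {}).get("values") or []:
            redacted += _scrub_frames(entry.get("stacktrace"))
    # Hypothetical counter so operators can see the filter firing.
    event.setdefault("extra", {})["redacted_locals"] = redacted
    return event


# Wiring (requires sentry-sdk; the DSN is a placeholder):
# sentry_sdk.init(dsn="<DSN>", send_default_pii=False, before_send=before_send)
```

A name-based filter only protects locals whose names match: CRM content held in a variable called `result` or `rows` would pass through, so the pattern list needs review whenever handler code changes.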
4.4 Data we DO NOT store
We explicitly do not store, cache, or copy any of the following:
- The User’s CRM data beyond the duration of an individual API request (see Section 3.2).
- The content of messages or prompts exchanged between the User and the AI assistant.
- Any business documents, files, or attachments stored in the Bitrix24 portal.
5. Purposes and Legal Basis (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Provide the core functionality of the Software (process User requests against Bitrix24 on their behalf) | Performance of a contract (Art. 6(1)(b)) — the EULA accepted at installation |
| Authenticate API requests via the MCP token and OAuth | Performance of a contract (Art. 6(1)(b)) |
| Monitor service availability, detect errors, prevent abuse | Legitimate interest (Art. 6(1)(f)) — service reliability and security. Balancing test: the impact on data subjects is minimal (pseudonymous identifiers only, no behavioral profiling), while the interest in maintaining a reliable and secure service is substantial |
| Comply with legal obligations (security incident notifications, lawful requests from authorities) | Legal obligation (Art. 6(1)(c)) |
6. Automated Decision-Making and Profiling (GDPR Art. 13(2)(f))
The Software does not carry out automated decision-making, including profiling, that produces legal effects or similarly significant effects on the User or any natural person. The Software acts as a transparent bridge between the User’s AI assistant and Bitrix24: any “decision” or “recommendation” is generated by the third-party AI assistant chosen by the User (e.g., Claude.ai, ChatGPT), not by us.
7. Children’s Data (GDPR Art. 8)
The Software is not directed at minors. It is a B2B tool for organizations operating a Bitrix24 portal. We do not knowingly collect personal data from any person under the age of 18. If we become aware that we have inadvertently collected data from a minor, we will delete it promptly.
8. Data Retention
| Data category | Retention period |
|---|---|
| OAuth tokens (access + refresh) and mcp_token | While the Software is installed on the Bitrix24 portal. Deleted within 24 hours of the User uninstalling the Software or rotating their token. |
| Connected Apps records (Claude.ai, ChatGPT authorizations) | While the User keeps the authorization active. Deleted within 24 hours of the User revoking it from the Software’s widget or rotating their token. |
| Revoked tokens blacklist (SHA-256 hashes only) | 90 days after revocation, then permanently deleted. Used to prevent reuse of revoked tokens. |
| Request logs (Sentry breadcrumbs) | 90 days, then automatically deleted by Sentry. |
| Aggregate metric counters | Up to 10,000 most recent events per portal; older events are pruned automatically. |
| CRM data (when acting as Processor) | None — never stored at rest, only forwarded in transit during each request |
When the User uninstalls the Software from their Bitrix24 portal, all
associated OAuth tokens, mcp_token, and Connected Apps records are
deleted from our database within 24 hours, in line with the equivalent
clause of the Data Processing Agreement (DPA Section 11).
9. Data Sharing and Third Parties (Sub-Processors)
We share data only with the following categories of recipients, all selected for their security posture and GDPR-compliance commitments:
| Recipient | Role | Location | Purpose | Safeguards |
|---|---|---|---|---|
| Bitrix24 (the portal selected by the User) | Recipient | Determined by the User’s Bitrix24 SaaS plan | Execute the User’s CRM and Tasks operations | Direct authorized API access; governed by Bitrix24’s own terms accepted by the User |
| AI assistant chosen by the User (Claude.ai, ChatGPT, etc.) | Recipient (acts as separate controller for the assistant’s own processing of the response) | Determined by the assistant the User authorises (typically United States) | Generate the response the User requested | The User explicitly authorises a specific assistant via the Software’s OAuth flow. For Anthropic (Claude) and OpenAI (ChatGPT), the transfer mechanism publicly documented by the provider for EU personal data is, as of the effective date of this Policy, the Standard Contractual Clauses (Decision 2021/914). Where the provider additionally self-certifies under the EU-US Data Privacy Framework, that certification may also be relied upon — the User should verify the provider’s current status on the official DPF list (dataprivacyframework.gov) before relying on it. We do not rely on Art. 49(1)(a) “explicit consent” as a routine safeguard, in line with EDPB Guidelines 2/2018. |
| Functional Software GmbH (Sentry) | Sub-processor — error monitoring | Sentry EU region — Frankfurt, Germany (ingest.de.sentry.io) | Receive sanitised error reports and aggregate performance traces (no CRM data, no auth headers, no request bodies — see Section 4.3) | Sentry DPA accepted via Sentry’s Legal & Compliance dashboard. Parent company access (Functional Software, Inc., USA) governed by the EU-US Data Privacy Framework certification and SCCs (2021). |
| Hetzner Online GmbH (cloud hosting) | Sub-processor — infrastructure | Nuremberg, Germany (EU) | Operate the virtual servers, block storage and network for the Software | Sub-processor under Hetzner’s standard Auftragsverarbeitungsvertrag (AVV) framework; data centres used by the Software are located within the European Union — no transfer outside the EEA |
| Competent authorities | Legal recipient | Spain / EU | Comply with lawful legal requests | The minimum necessary to satisfy the request |
A complete and up-to-date list of sub-processors is maintained as part of the Data Processing Agreement (DPA) and can be requested at [email protected].
We never sell personal data. We do not share data with marketing, advertising, or analytics third parties.
9.1 Right to object to new sub-processors
Where we engage a new sub-processor that processes personal data on behalf of a controller (Section 3.2), we will notify affected Users at least 30 days in advance. Users may object to the change in writing within that period; if objections cannot be resolved, the User may terminate the relevant processing arrangement.
10. International Data Transfers
The Software’s own infrastructure (application servers, database, error monitoring) is hosted within the European Economic Area (EEA): application servers and database at Hetzner (Nuremberg, Germany) and error monitoring at Sentry’s EU region (Frankfurt, Germany). We do not store CRM data at rest at any location.
The principal transfer of personal data outside the EEA that may occur in connection with the Software is the onward transfer of CRM data to the AI assistant the User has authorized (e.g., Claude.ai, ChatGPT), which may be located in the United States or elsewhere. This transfer takes place on the User’s documented instruction — materialised when the User authorizes a specific assistant through the Software’s OAuth flow. As set out in the DPA, the User’s organisation acts as data exporter for this onward transfer and is responsible, under GDPR Chapter V, for ensuring an appropriate transfer mechanism with the chosen assistant.
For this onward transfer, the following safeguards apply, in order of applicability:
- European Commission Standard Contractual Clauses (Decision 2021/914) concluded between the data exporter and the assistant’s provider. As of the effective date of this Policy, this is the mechanism publicly documented by both Anthropic (Claude) and OpenAI (ChatGPT) for EU personal data.
- EU-US Data Privacy Framework certification of the receiving party, where — and only where — the provider has self-certified and remains on the active DPF list (verify current status at dataprivacyframework.gov).
We do not rely on the derogations of GDPR Art. 49 (including Art. 49(1)(a) “explicit consent”) as a routine safeguard for these transfers. Following EDPB Guidelines 2/2018, those derogations are exceptional and not appropriate for transfers that are repetitive or systematic, which the Software’s transfers are in normal use.
By authorising a non-EEA assistant, the User accepts that their requests and the corresponding CRM data will be processed by that assistant in its jurisdiction. We have no control over how the assistant processes or retains that information; we recommend the User consults each assistant’s own privacy policy.
11. Your Rights (GDPR)
As a data subject, you have the following rights:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) — request deletion of your data, subject to legal retention obligations.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interest.
- Right to withdraw consent — where processing is based on consent (Art. 7(3)). Withdrawal does not affect the lawfulness of processing before withdrawal.
Whether providing data is mandatory: The data described in Section 4 is strictly necessary to operate the Software. If the User does not wish their data to be processed, they should not install the Software. There is no obligation under contract or law to provide this data; the only consequence of refusal is that the Software cannot function.
To exercise any right, send a request to [email protected] with the subject line “MCP Bridge — Privacy Request” and a reasonable description of your request. We respond within 30 calendar days.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) at https://www.aepd.es, or with the supervisory authority of your EU country of residence.
12. Security Measures
We implement technical and organizational measures appropriate to the risk, including:
- Encryption in transit (HTTPS / TLS 1.2+, with TLS 1.3 preferred) for all communications between the User, the Software, and Bitrix24.
- Application-level encryption at rest for OAuth tokens and the mcp_token: stored as Fernet ciphertext (cryptography library) using a TOKEN_ENCRYPTION_KEY held outside the database, with key rotation support. A leak of the database alone, without the key, is cryptographically insufficient to recover any token.
- SHA-256 hashing of the mcp_token for the unique lookup index, so that the primary identifier used for authentication is never stored in clear text. The revoked-tokens blacklist also stores SHA-256 hashes only, never the original tokens.
- Disk-level encryption for the database volume, provided by the cloud hosting provider at the infrastructure layer (complementary to the application-level encryption above).
- Rate limiting and intrusion detection to mitigate brute-force or enumeration attacks.
- Audit logs for security-relevant events (installation, OAuth authorization, token rotation, manual revocation).
- Principle of least privilege in OAuth scopes — we request only the minimum scopes strictly required for the Software’s functionality (crm, user_brief, task, im, imopenlines, bizproc).
- Regular security reviews and dependency updates.
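How a hash-only lookup index and a hash-only revoked-token blacklist with 90-day retention (Sections 8 and 12) can fit together, as an added standard-library example; it is not the Software's code. The class and method names, the token format and the in-memory dictionaries are assumptions, and the Fernet layer is left out.

```python
import hashlib
import secrets

BLACKLIST_RETENTION_S = 90 * 24 * 3600  # 90 days, from the retention table


def token_hash(token):
    """Hex SHA-256 of the token: the only form that is ever indexed."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenIndex:
    """In-memory stand-in for the token table and the revoked-token blacklist."""

    def __init__(self):
        self.active = {}   # sha256(token) -> member_id
        self.revoked = {}  # sha256(token) -> revocation time (epoch seconds)

    def issue(self, member_id):
        token = secrets.token_urlsafe(32)  # token format is an assumption
        self.active[token_hash(token)] = member_id
        return token  # returned once to the caller; only its hash is kept

    def rotate(self, old_token, now):
        """Revoke old_token and issue a replacement for the same portal."""
        digest = token_hash(old_token)
        member_id = self.active.pop(digest, None)
        if member_id is None:
            return None
        self.revoked[digest] = now
        return self.issue(member_id)

    def check(self, token):
        """Return (status, member_id); 'revoked' is worth alerting on."""
        digest = token_hash(token)
        if digest in self.revoked:
            return ("revoked", None)
        member_id = self.active.get(digest)
        return ("ok", member_id) if member_id else ("unknown", None)

    def purge(self, now):
        """Drop blacklist entries past retention; return how many were removed."""
        expired = [d for d, t in self.revoked.items()
                   if now - t >= BLACKLIST_RETENTION_S]
        for digest in expired:
            del self.revoked[digest]
        return len(expired)
```

An unsalted SHA-256 index is sound only when the token is a long random value, as assumed here; it would not be adequate for low-entropy secrets such as passwords.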
13. Personal Data Breach Notification
In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will:
- Notify the AEPD within 72 hours of becoming aware of the breach (GDPR Art. 33).
- Notify affected Users without undue delay when the breach is likely to result in a high risk to their rights and freedoms, describing the nature of the breach, the likely consequences, and the measures taken to address it (GDPR Art. 34).
- Maintain an internal record of all breaches, irrespective of whether they require notification, as required by GDPR Art. 33(5).
User notifications will be sent through the Software’s “What’s new” panel and via email to the contact registered in the Bitrix24 portal, where available.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the Software, legal requirements, or our practices. Material changes will be announced through the Software’s “What’s new” notification panel and via email to the contact address registered in the Bitrix24 portal, where available. The effective date and version at the top of this Policy will be updated accordingly.
Continued use of the Software after a Policy update constitutes acceptance of the updated Policy.
15. Contact
For any privacy-related question, request, or concern, contact us at:
- Email: [email protected] (subject line: “MCP Bridge — Privacy Request”)
- Address: HUB DESPACHOS Y PYMES S.L., Avenida Benito Pérez Armas, 2 - PTL 2,6 B, Santa Cruz de Tenerife, Spain
- Phone: +34 822 684 008
Last updated: 2026-06-05 Version: 1.2
Changelog
v1.2 (2026-06-05) — GDPR hardening review (alignment with DPA v1.1):
- §4.3 — Tightened the Sentry claim: explicit reference to the send_default_pii=False setting and the custom before_send filter applied to stack-trace local variables matching CRM-shaped patterns.
- §8 — Deletion timing for OAuth tokens, mcp_token, and Connected Apps records unified to “within 24 hours” across all rows of the retention table, aligning with DPA §11.
- §9 — Sub-processor table updated: explicit Sentry EU region (Frankfurt — ingest.de.sentry.io); Hetzner data centre specified (Nuremberg, Germany); per-row safeguards for any non-EEA transfer; clarification that the AI assistant acts as a separate controller for the assistant’s own processing of the response. For Anthropic (Claude) and OpenAI (ChatGPT) the primary transfer mechanism is identified as Standard Contractual Clauses (2021); the EU-US Data Privacy Framework is treated as a conditional safeguard subject to the User verifying the provider’s current certification status at dataprivacyframework.gov.
- §10 — International transfers section rewritten following EDPB Guidelines 2/2018, with SCCs (2021) identified as the primary safeguard for the onward transfer to the AI assistant and the EU-US Data Privacy Framework as a conditional safeguard requiring User verification on the official DPF list. Art. 49(1)(a) “explicit consent” removed as a routine safeguard.
- §12 — Security measures expanded to surface application-level Fernet encryption of OAuth tokens and mcp_token, SHA-256 hashing for lookup indices and the revoked-tokens blacklist, with the disk-level encryption clarified as a complementary measure.
v1.1 (2026-05-21) — Added Controller/Processor distinction, DPA reference, Art. 13(2)(f) automated decision-making, Art. 8 children’s data, DPO declaration, Art. 34 user breach notification, clarification of pseudonymous personal identifiers, sub-processor opt-out rights.