Privacy Policy

Effective May 22, 2026 · Last updated May 22, 2026

1. Who we are

KeyVex is a Model Context Protocol (MCP) server that publishes US public-record financial and government disclosures. The service is operated by KeyVex LLC. For privacy questions, contact contact@keyvex.com.

This Privacy Policy applies to:

• The marketing website at keyvex.com (and www.keyvex.com)
• The MCP API endpoint at mcp.keyvex.com

2. Information we collect

2.1 Information you give us

KeyVex's MCP endpoint at mcp.keyvex.com is openly accessible — there is no signup form, no account, and no API key. The only personal information we receive from you is what you voluntarily send by email:

• Contact information when you email contact@keyvex.com (typically your email address and whatever else you include in the message).

We do not currently operate any self-serve signup flow, marketing-site form, account creation page, or newsletter signup.

2.2 Automatic information from API usage

When you call the MCP endpoint, Google Cloud Functions (Gen 2) automatically logs:

• Your IP address
• The request method, path, and standard HTTP headers
• Response status code and approximate timing
• The tool name invoked, if any

These logs live in Google Cloud Logging under the project capitaledge-api and are retained per Google's default retention (currently 30 days for standard logs). We use them to debug failures and monitor for abuse.

Your IP is also held briefly in server memory as part of the per-IP rate-limit window (60 requests per 60 seconds). That in-memory state is per-container and is dropped when the container restarts — typically within minutes of the last request from that IP.

2.3 Automatic information from the marketing site

The marketing site at keyvex.com is static HTML served by Firebase Hosting. We do not embed Google Analytics, Facebook Pixel, or any other third-party tracking. We do not set any cookies on the marketing site. Firebase Hosting's edge CDN (Fastly) logs basic request data (IP, user-agent, URL) for delivery and abuse protection, but we do not access or combine these with any other data.

2.4 What we do NOT collect

• We do not require you to register for an account.
• We do not issue API keys (the public endpoint is unauthenticated).
• We do not collect any browsing history, search history, or behavioral profiles.
• We do not collect financial information (we are not a payment processor; paid tiers, when they launch, will live on a separate authenticated URL and use a third-party billing provider).
• We do not collect demographic information.
• We do not collect any data from minors and we do not intentionally serve users under 13.

3. How we use information

We use the information described above only to:

• Operate the MCP endpoint and enforce per-IP rate limits
• Debug failures and monitor for abuse
• Respond to email you send to contact@keyvex.com
• Communicate with you about service changes, outages, or security issues if you've corresponded with us (transactional only; no marketing email at this time)

We do not use your information for any other purpose. We do not run advertising. We do not train AI models on your usage data.

4. The data the API serves

KeyVex's MCP tools return normalized public-record financial and government disclosures sourced from official US government repositories: SEC EDGAR, USAspending.gov, Senate eFD, House Clerk, Senate LDA, the unitedstates/congress-legislators public catalog, api.congress.gov, api.open.fec.gov, US Treasury OFAC, federalregister.gov, SEC + DOJ + CFTC + OCC + FDIC + FTC press release feeds, FDA openFDA, CPSC SaferProducts, CFPB Consumer Complaint Database, HHS-OIG LEIE, DOJ FARA, US Trade Consolidated Screening List, US Treasury Direct, CFTC Commitments of Traders, BLS, FRED, EIA, and GovInfo.

This data is already public by federal mandate. We do not derive personal-information profiles, scoring models, or predictive analytics from it. We do not enrich the public-record data with anything sourced from our users. Records returned by the API carry attribution back to the originating government source via filing_url / report_url / primary_document_url fields.

5. Sharing

We do not sell your personal information. We do not share your personal information with third parties for advertising or marketing purposes. We share information only with:

• Google Cloud (our hosting infrastructure provider). Cloud Functions, Firestore, Cloud Logging, Secret Manager, and Firebase Hosting all process data on our behalf under Google Cloud's Data Processing Addendum.
• Law enforcement if we receive a valid legal demand (subpoena, court order). We will notify you to the extent permitted by law.

6. Security

The MCP endpoint at mcp.keyvex.com serves traffic over TLS 1.2+ exclusively (auto-managed certificates via Let's Encrypt). The endpoint runs under a dedicated Google Cloud service account with read-only Firestore permissions — by design, a request to the MCP endpoint physically cannot modify our database. Per-IP rate limits and Cloud Run instance caps bound worst-case load.

Email correspondence with contact@keyvex.com is handled by our inbox provider's standard security controls (TLS in transit, provider-default at-rest encryption).

No system is perfectly secure. If we discover a breach affecting your information, we will notify you within the timeframe required by applicable law.

7. Data retention

• Cloud Functions request logs (including IP): retained 30 days (Google Cloud default).
• Per-IP rate-limit state in server memory: dropped at container restart or after the 60-second sliding window expires, whichever comes first. Not persisted to disk or any database.
• Email correspondence: retained per the inbox-hosting provider's default policy. Earlier deletion on request.

8. Your rights

Wherever applicable law gives you these rights (including residents of the EEA, UK, Switzerland, California, and other states with privacy laws), you have the right to:

• Access the personal information we hold about you
• Correct inaccurate information
• Request deletion of your information (subject to legal retention obligations)
• Object to or restrict certain processing
• Receive a portable copy of your information
• Withdraw consent (where processing is based on consent)
• Lodge a complaint with your local data protection authority

To exercise any of these rights, email contact@keyvex.com. We respond within 30 days. In practice, because we collect so little about you, most rights requests resolve to "no records found beyond your email correspondence."

California residents (CCPA / CPRA): You have the right to know what personal information we collect, the right to delete it, the right to correct inaccurate information, and the right not to be discriminated against for exercising these rights. We do not sell or share personal information for cross-context behavioral advertising.

9. International data transfers

KeyVex's infrastructure is hosted in Google Cloud's us-central1 region (Iowa, USA). If you access KeyVex from outside the United States, your information will be transferred to and processed in the United States. We rely on Google Cloud's contractual safeguards (including Standard Contractual Clauses where applicable) for any cross-border transfer of personal information.

10. Children

KeyVex is a developer-focused API service intended for adults building software professionally. We do not intentionally collect personal information from children under 13. If we learn we have collected information from a child under 13, we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective" and "Last updated" dates at the top of this page. Continued use of the service after a change indicates acceptance.

12. Contact

For privacy questions or to exercise any rights described above:

contact@keyvex.com

KeyVex is a data publisher. Nothing on this site or in API responses is investment advice. The disclosure records served by the API originate from official US government sources and are public by federal mandate.