Privacy Policy
This Privacy Policy explains how Connecting Tech People SL (“Company,” “we,” “us,” or “our”) collects, uses, stores, and protects personal data when you use Opsphere (“Opsphere” or the “Service”), including our website at https://opsphere.io, the Cursor Marketplace plugin, remote MCP gateway, APIs, and related infrastructure.
Connecting Tech People SL is the data controller for personal data described in this policy. Registered address: Paseo de la Castellana, 91, Madrid, Spain.
By using the Service, you acknowledge this Privacy Policy. If you do not agree, do not use the Service. Our Terms of Service govern your use of the Service and are incorporated by reference.
1. Scope
This policy applies to:
- Visitors to the Opsphere website;
- Users who register for or authenticate to Opsphere;
- Users who install the Opsphere Cursor plugin and connect integrations; and
- Administrators or team members authorized to manage an Opsphere account.
This policy does not govern third-party services you connect to Opsphere (such as AWS, Datadog, Vercel, or Cursor itself). Those providers process data under their own privacy policies.
2. Data We Collect
2.1 Account and identity data
When you register or authenticate, we may collect:
- Name, email address, and organization name;
- Account identifiers and profile settings;
- Billing contact details if you purchase a paid plan; and
- Communications you send to us, including support requests.
2.2 Authentication and session data
The Service uses API authentication, JWT sessions, refresh tokens, OAuth tokens, and related session metadata to keep you signed in and authorize tool requests. We process:
- Access tokens, refresh tokens, and token expiry information;
- Session identifiers, IP address, user agent, and connection timestamps;
- Authentication events, including sign-in, sign-out, token refresh, and failed login attempts; and
- MCP connection status between Cursor and our remote gateway.
2.3 Integration credentials
If you configure third-party integrations, you may provide API keys, OAuth tokens, or similar credentials for providers such as AWS, Kubernetes, Datadog, Vercel, Cloudflare, Azure, GitHub, Bitbucket, Jira, or Sentry.
Third-party API tokens remain your property. Opsphere does not claim ownership of your credentials or of infrastructure data retrieved through those credentials. We store integration secrets encrypted at rest, isolated per account, and use them only to perform operations you request through the Service.
2.4 Operational and usage data
When you invoke Opsphere tools, we may process:
- Tool names, parameters, timestamps, and execution result metadata;
- Integration provider responses needed to fulfill the request;
- Usage counts for plan limits, billing, and abuse prevention;
- Performance metrics such as latency, error codes, and retry counts; and
- Operational metadata required for debugging, reliability, and security monitoring.
Opsphere does not receive your Cursor workspace source code unless you paste it into chat or include it in a tool parameter yourself.
2.5 Telemetry, logs, and security records
We maintain application logs, audit logs, and security logs that may include account identifiers, request metadata, integration identifiers, error traces, and administrative actions. Operational metadata may be logged for debugging, incident response, fraud prevention, and service improvement.
2.6 Website and device data
When you visit our website, we may automatically collect:
- Browser type, device type, operating system, and language preferences;
- Referring URLs, pages viewed, and approximate geographic region derived from IP address; and
- Cookie or local storage identifiers where applicable, as described below.
3. How We Use Data
We use personal and operational data to:
- Provide, operate, maintain, and improve the Service;
- Authenticate users and authorize MCP tool requests;
- Store and use encrypted integration credentials on your behalf;
- Enforce free trial limits, future paid plan quotas, and acceptable use rules;
- Monitor performance, diagnose errors, and protect against abuse or unauthorized access;
- Communicate with you about the Service, security notices, and product updates;
- Comply with legal obligations and respond to lawful requests; and
- Develop new features, integrations, and reliability improvements.
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with similar requirements, we process personal data on the following legal bases:
- Contract: to provide the Service you request, manage your account, and perform tool operations;
- Legitimate interests: to secure the Service, prevent abuse, improve reliability, and understand aggregated usage, balanced against your rights;
- Consent: where required for optional cookies, marketing communications, or specific integrations you choose to enable; and
- Legal obligation: where processing is necessary to comply with applicable law, tax, or regulatory requirements.
You may withdraw consent at any time where processing is consent-based, without affecting prior lawful processing.
5. Cookies and Local Storage
Our website and authenticated experiences may use cookies, local storage, or similar technologies to remember preferences, maintain sessions, and measure basic site performance.
Examples include:
- Strictly necessary cookies or storage for authentication and security;
- Preference storage for UI settings where applicable; and
- Analytics or diagnostic identifiers limited to understanding site usage and errors.
You can control cookies through your browser settings. Disabling necessary cookies or storage may prevent parts of the Service from functioning.
6. Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy, unless a longer period is required by law.
- Account data is retained while your account is active and for a reasonable period afterward to resolve disputes or enforce agreements;
- Encrypted integration credentials are retained until you remove the integration or delete your account;
- Session and authentication logs are retained for a limited period aligned with security and troubleshooting needs;
- Usage and billing records may be retained as required for accounting and tax compliance; and
- Backup copies may persist for a limited time before being overwritten according to our backup schedule.
When data is no longer needed, we delete or anonymize it using commercially reasonable methods, subject to technical constraints of backup systems.
7. Sharing and Third-Party Processors
We do not sell your personal data. We may share data with:
- Infrastructure providers that host our application, databases, logging, and networking services;
- Authentication and payment providers if you use paid plans or third-party login flows;
- Integration providers when you instruct Opsphere to call their APIs using credentials you supplied;
- Professional advisers such as lawyers or accountants under confidentiality obligations; and
- Authorities when required by law or to protect rights, safety, and security.
Processors are bound by contractual data protection terms appropriate to the nature of the processing. A current list of major subprocessors is available on request at contact@opsphere.io.
8. International Transfers
We may process and store data in Spain, the European Union, and other countries where we or our service providers operate. When personal data is transferred outside the European Economic Area or the United Kingdom, we implement appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms, unless an adequacy decision applies.
9. Security Measures
We implement administrative, technical, and organizational measures designed to protect personal data, including:
- Encryption in transit using HTTPS/TLS;
- Encryption at rest for stored integration credentials and sensitive configuration;
- Access controls, least-privilege internal access, and authentication for administrative systems;
- Monitoring, audit logging, and security event review; and
- Regular review of infrastructure configuration and dependency updates.
No method of transmission or storage is completely secure. You are responsible for safeguarding your account credentials, rotating integration tokens, and revoking access when no longer needed.
10. Your Rights
Depending on your location, you may have the right to access, rectify, erase, restrict, or object to certain processing of your personal data, and to receive a portable copy of data you provided.
You may also have the right to:
- Withdraw consent where processing is based on consent;
- Lodge a complaint with your local supervisory authority; and
- Opt out of non-essential marketing communications.
To exercise these rights, contact us using the details below. We may need to verify your identity before responding. We will answer within the timeframe required by applicable law.
11. Deletion Requests and Revoking Access
You can limit or delete data in several ways:
- Remove individual integrations through Opsphere management tools or by request in chat where available;
- Disconnect the Opsphere MCP server in Cursor settings;
- Revoke OAuth or API tokens at the upstream provider; and
- Request account deletion by emailing contact@opsphere.io.
Account deletion requests will remove or anonymize personal account data and encrypted credentials within a reasonable period, subject to legal retention requirements and backup cycles. Removing the Cursor plugin alone does not delete your Opsphere account or server-side integrations.
12. Children
The Service is not directed to individuals under 18 years of age, and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will take appropriate steps to delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will post the updated policy on this page and revise the effective date. Continued use of the Service after changes become effective constitutes acknowledgment of the updated policy.
14. Contact
For privacy questions, data subject requests, or subprocessor information:
Connecting Tech People SL
Paseo de la Castellana, 91
Madrid, Spain
Email: contact@opsphere.io
Phone: +34 633 24 00 40
Website: https://opsphere.io