ContextLayer

Dotnova

Privacy Policy

Context Layer — Dotnova

Last updated: May 5, 2026 • Version 1.0

1. Introduction

This Privacy Policy describes how Dotnova Tecnologia e Desenvolvimento de Software LTDA., a Brazilian limited liability company registered under CNPJ No. 54.543.885/0001-02, with headquarters at Avenida Dona Cherubina Viana, 129, Vila Santo Antônio, Cotia – SP, ZIP 06708-360, Brazil (hereinafter "Dotnova", "we", "us", or "our"), collects, uses, stores, shares, and protects personal data of users of Context Layer (the "Service"), a Model Context Protocol (MCP) server developed and maintained by Dotnova and integrable with compatible clients such as Anthropic's Claude.

By connecting Context Layer to an MCP client and authenticating your account, you acknowledge that you have read, understood, and agreed to the terms of this Policy. This Policy complies with the Brazilian General Data Protection Law (Law No. 13,709/2018 — LGPD), the EU General Data Protection Regulation (Regulation (EU) 2016/679 — GDPR), where applicable, and the Anthropic Software Directory Policy.

2. Definitions

  • Personal data: any information relating to an identified or identifiable natural person.
  • Data subject: the natural person to whom the personal data relates.
  • Controller: the party responsible for decisions regarding the processing of personal data. Dotnova acts as controller of Service registration data and as processor of the data that the user or their organization inputs into Context Layer.
  • MCP client: an application that connects to Context Layer through the MCP protocol (e.g., Claude.ai, Claude Desktop, Claude Code).
  • Anthropic: Anthropic, PBC, provider of Claude and maintainer of the official MCP server directory.

3. Data we collect

3.1. Data you provide

  • Account data: name, email, organization, position, role, and preferences.
  • Authentication data: OAuth credentials, API keys, or other tokens necessary to authorize the MCP client's access to the Service. Passwords, where applicable, are stored using cryptographic hashing.
  • User-generated content: projects, tasks, sprints, teams, work sessions, knowledge base documents, notes, activities, agent traces, and other information voluntarily entered by you or members of your organization into the Service.

3.2. Data collected automatically

  • Operational usage data: logs of MCP tool calls executed (tool name, minimum required parameters, success/error status, timestamp), used solely to ensure the Service's operation, debugging, and security.
  • Technical data: IP address, session identifiers, MCP client user agent, and error logs.

3.3. Data we do NOT collect

In compliance with the Anthropic Software Directory Policy and the LGPD principle of necessity:

  • We do not collect chat history, conversation summaries, Claude memory, or files uploaded by the user in other contexts of the MCP client.
  • We do not collect conversational data that is not strictly necessary to execute the tools the user invoked.
  • We do not collect sensitive personal data (racial origin, religious belief, political opinion, health data, biometrics, sexual life, etc.). If a user voluntarily inputs such data into open fields (e.g., task description), we recommend avoiding it.

4. Purposes and legal bases for processing (LGPD, art. 7)

PurposeLegal basis
Create and maintain your account and organizational profileContract performance (art. 7, V)
Authenticate and authorize MCP callsContract performance (art. 7, V)
Operate the requested features (create task, list project, etc.)Contract performance (art. 7, V)
Maintain security and audit logsLegitimate interest (art. 7, IX) and legal obligation (art. 7, II)
Detect fraud, abuse, and security violationsLegitimate interest (art. 7, IX)
Respond to data subject requests and authoritiesLegal obligation (art. 7, II)
Service-related communications (support, security updates, changes to this Policy)Contract performance (art. 7, V)
Marketing communicationsConsent (art. 7, I) — revocable at any time

For users in the European Union, the corresponding GDPR legal bases (Art. 6) apply: contract performance (Art. 6(1)(b)), legitimate interest (Art. 6(1)(f)), legal obligation (Art. 6(1)(c)), and consent (Art. 6(1)(a)).

5. Data sharing

We share personal data only in the following cases:

5.1. With the MCP client (e.g., Claude/Anthropic)

When you connect Context Layer to an MCP client, the content returned by the tools you invoke (e.g., task list, project details) is sent to that client following the natural flow of the MCP protocol. The processing of such data by the client is governed by the privacy policy of the respective provider:

5.2. With infrastructure providers (processors)

We use the following infrastructure providers to host and operate the Service:

  • Hetzner Online GmbH (Germany) — virtual private server (VPS) provider where the Service runs. Privacy policy: https://www.hetzner.com/legal/privacy-policy.
  • PostgreSQL — open-source database management system, running on Hetzner infrastructure under our direct control. No additional third party acts as database processor.

All such processors are contractually bound to process data solely under our instructions and to maintain adequate security standards.

5.3. By legal obligation

We may share data when required by law, court order, or request from a competent authority.

5.4. What we do not do

  • We do not sell personal data.
  • We do not share personal data for third-party behavioral advertising purposes.
  • We do not use user data to train AI models.

6. International data transfers

Data is processed and stored on servers located in Germany (European Union), provided by Hetzner Online GmbH. The European Union is considered a jurisdiction with an adequate level of data protection under art. 33, I of the LGPD, due to the application of the GDPR. Should data be transferred to other jurisdictions in the future, such transfers will observe the safeguards provided in art. 33 of the LGPD and Chapter V of the GDPR, including standard contractual clauses and recognized certifications.

7. Retention and deletion

  • Account data: retained while the account remains active.
  • User content: retained according to the organization's preferences and until deleted by the data subject or administrator.
  • Security and audit logs: retained for up to 12 months.
  • Upon account deletion: personal data is erased or anonymized within 30 days, except where retention is required by legal obligation.

8. Security

We adopt reasonable technical and organizational measures to protect personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest where applicable.
  • Role-based access control (RBAC).
  • OAuth 2.0 authentication and password storage with cryptographic hashing.
  • Audit logs.
  • Periodic security reviews.

Despite our efforts, no system is 100% immune. In the event of a security incident that may pose risk or relevant harm to data subjects, we will notify affected individuals and the competent authority (ANPD in Brazil; the relevant Data Protection Authority in the EU) within the legal timeframes.

9. Data subject rights (LGPD art. 18 / GDPR Chapter III)

You may, at any time, request:

  1. Confirmation of the existence of processing;
  2. Access to your data;
  3. Correction of incomplete, inaccurate, or outdated data;
  4. Anonymization, blocking, or deletion of unnecessary or non-compliant data;
  5. Portability to another provider;
  6. Deletion of data processed based on consent;
  7. Information about public and private entities with which we share your data;
  8. Withdrawal of consent.

EU users additionally have the right to object to processing and to lodge a complaint with their national supervisory authority.

To exercise any of these rights, write to contato@dotnova.io. We will respond within 15 days.

10. Data Protection Officer

  • Email: contato@dotnova.io
  • Mailing address: Avenida Dona Cherubina Viana, 129, Vila Santo Antônio, Cotia – SP, ZIP 06708-360, Brazil

11. Children and minors

The Service is intended for users 18 years of age or older, in a corporate environment. We do not knowingly collect data from minors. If we identify that a minor's data has been collected, we will proceed to delete it.

12. Cookies and similar technologies

The MCP server itself does not use cookies, as it operates through authenticated API calls. Any associated web dashboards may use strictly necessary cookies for authentication and preferences, governed by a specific policy made available within the respective interface.

13. Changes to this Policy

We may update this Policy periodically. The current version will always be available at https://app.dotnova.io/privacy, with the date of the last update. Material changes will be communicated by email or notice in the Service with reasonable advance notice.

14. Governing law and jurisdiction

This Policy is governed by the laws of the Federative Republic of Brazil. The courts of Cotia, State of São Paulo, are elected to resolve any disputes, except where a different jurisdiction is mandated by law.

15. Contact

For questions about this Policy or the processing of your data:

  • Legal name: Dotnova Tecnologia e Desenvolvimento de Software LTDA.
  • CNPJ (Brazilian Tax ID): 54.543.885/0001-02
  • Email: contato@dotnova.io
  • Address: Avenida Dona Cherubina Viana, 129, Vila Santo Antônio, Cotia – SP, ZIP 06708-360, Brazil
  • Website: https://www.dotnova.io
  • LinkedIn: https://linkedin.com/company/dotnova