AFD Knowledge MCP — Privacy Notice
| Field | Value |
|---|---|
| Document | Privacy Notice — AFD Knowledge MCP service |
| Controller | WLKNSN bv, trading as AFD Institute (Belgium) |
| Contact | hello@afdinstitute.com |
| Version | 0.1.0 |
| Last updated | 2026-06-28 |
| Effective date | TBD — set on counsel sign-off |
| Review status | DRAFT — not yet reviewed by counsel; not legally binding |
Draft notice. Internal draft for legal review. This is a service-specific supplement to the AFD Institute site-wide Privacy Policy; where this notice is silent, the site-wide policy applies. The processing described here must also be recorded in
docs/GDPR/data-processing-record.md and docs/GDPR/data-retention-policy.md before go-live. Clauses marked [⚖ counsel] need confirmation.
1. Who is responsible for your data
The data controller for the AFD Knowledge MCP (the "Service") is WLKNSN bv, a company incorporated in Belgium, trading as AFD Institute. Contact: hello@afdinstitute.com.
This notice explains what personal data we process when you sign in with your AFD Institute account and use the Service, why, on what lawful basis, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR).
2. You sign in with your AFD Institute account
To use the Service you sign in with a free AFD Institute account, via OAuth. The Service does not create a separate identity for you: your access is tied to that one account. Signing in to use the Service is separate from:
- enrolling in a course or certification, and
- a newsletter subscription.
We do not subscribe you to anything merely because you sign in to use the Service. Your AFD Institute account remains governed by the AFD Institute site-wide Privacy Policy; this notice covers the additional processing specific to the Service.
3. What we collect and why
| Data | Purpose | Lawful basis (GDPR Art. 6) |
|---|---|---|
| Account identity (via your AFD Institute account — e.g. your account identifier and email) | Authenticate your sign-in and your requests; identify your use of the Service; contact you about the Service (e.g. security or material changes) | Performance of your request for the Service / steps prior to a contract — Art. 6(1)(b); legitimate interest in administering the Service — Art. 6(1)(f) |
| Usage logs — timestamp, the tool called and its arguments (e.g. which methodology term, phase, or gate was requested), the AI-client name/version reported by the connection | Operate and secure the Service; enforce rate limits; understand which parts of the methodology are most queried, in aggregate, to improve the methodology and our content | Legitimate interest — Art. 6(1)(f) |
| IP address (transient, used for rate-limiting and abuse prevention) | Protect our infrastructure from overload and abuse | Legitimate interest — Art. 6(1)(f) |
| Newsletter opt-in (optional, only if you tick the box) | Send you the AFD Dispatch / methodology changelog | Consent — Art. 6(1)(a) |
| Consent & acceptance records — the Terms/Privacy version you accepted and when | Demonstrate lawful basis and acceptance | Legal obligation / accountability — Art. 5(2), Art. 7 |
| Contributed cases & Project Records — only if you use the afd_submit_use_case or afd_submit_record tools — the case study, outcome, and metrics you choose to submit | Build the AFD case library and the anonymised benchmark dataset; reviewed before any publication | Consent + the AFD Contribution Licence — Art. 6(1)(a); performance of the contribution you initiate — Art. 6(1)(b) |
We do not ask for, or intend to process, special-category data. The tool arguments we log are methodology terms (e.g. "analysis dividend", "design-to-build gate"), not personal information about you — please do not submit personal or sensitive data in your queries.
Contributing a case is optional and is written against the AFD Institute account you sign
in with. When you contribute through the afd_submit_use_case or afd_submit_record
tools, the AFD Institute site-wide Privacy Policy and the
Contribution Licence also apply. Submissions go to a moderation
queue and are never auto-published; they stay private and anonymised by default. Please do
not submit personal data about identifiable individuals, or client information you are not
authorised to share — the submission flow asks you to confirm this.
4. Where the data goes (recipients / processors)
| Processor | Role | Location |
|---|---|---|
| Supabase (self-hosted by us) | Stores your AFD Institute account, usage logs, and any contributed cases | EU — our own infrastructure on the Hetzner VM |
| Hetzner Online GmbH | Hosts the Service, the TLS reverse proxy, and the database | EU (Germany — Falkenstein) |
| Resend | Delivers Service emails (e.g. security or material changes) | Provider region to confirm — [⚖ counsel] |
| Brevo | Delivers the newsletter (only if you opt in) | EU (France) |
Requests to mcp.afdinstitute.com are served directly by our reverse proxy on the Hetzner
VM (TLS terminated there) — there is no third-party CDN in the path, so MCP traffic is not
routed through a non-EU processor.
We do not sell, rent, or trade your personal data. We do not share it for third-party advertising.
5. Newsletter opt-in is independent
The newsletter checkbox is separate from accepting the Terms and Privacy Notice, and is off by default. The Service works whether or not you subscribe. If you opt in, your email is added to the AFD Dispatch via Brevo with double opt-in confirmation, and you can unsubscribe at any time from any newsletter email or by contacting us. Unsubscribing from the newsletter does not affect your access to the Service, and ending your use of the Service does not unsubscribe you from the newsletter — they are independent.
6. How long we keep it
| Data | Retention |
|---|---|
| Service access record (your AFD Institute account identity, as used for the Service) | Retained while your AFD Institute account exists; Service-specific data is deleted on request, or after a prolonged period of inactivity (proposed: 24 months with no use) [⚖ counsel — confirm period] |
| Usage logs | Proposed: 24 months, then deleted or anonymised [⚖ counsel — confirm period] |
| IP address (rate-limiting) | Transient — retained only for the short rate-limit window, not stored long-term |
| Consent / acceptance records | Retained for the duration of your use of the Service plus a period after deletion to evidence lawful basis (aligns with the retention policy) |
| Newsletter subscription | Until you unsubscribe (held in Brevo) |
7. Your rights
Under the GDPR you have the right to: access your data (Art. 15), rectify it (Art. 16), erase it (Art. 17), restrict or object to processing (Arts. 18, 21), port it (Art. 20), and withdraw consent at any time (Art. 7) without affecting prior lawful processing.
In practice for this Service:
- Delete my MCP data — you can delete your Service usage logs and any Service-specific data at any time, via the in-product manage page or by emailing hello@afdinstitute.com. This is a hard delete of your Service usage data; deleting your AFD Institute account is handled under the site-wide policy.
- Access / export — request a copy of the data we hold about your use of the Service.
We respond within 30 days and may ask you to verify your identity first.
8. Security
We protect your data with: TLS in transit; OAuth sign-in with resource/audience-bound, hashed tokens (no long-lived secrets in plaintext); row-level security on the database; rate-limiting and abuse protection; and access restricted to authorised administrators. No system is perfectly secure, but we take appropriate technical and organisational measures under GDPR Art. 32.
9. Children
The Service is not directed at, or intended for, anyone under 18. We do not knowingly process data from minors.
10. Changes to this notice
We may update this notice. The Version and Last updated fields above indicate the current
revision; material changes will be notified to registered users by email or a prominent notice.
11. Complaints
If you believe we have processed your data unlawfully you may lodge a complaint with the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données), Rue de la Presse 35, 1000 Brussels — https://www.dataprotectionauthority.be — without prejudice to any other remedy.
12. Contact
WLKNSN bv (AFD Institute) — hello@afdinstitute.com — https://afdinstitute.com