Last updated: June 11, 2026
1. Who we are
kb0 is operated by Vitor Christoval ("kb0", "we"). This policy covers the website at kb0.dev, the kb0 cloud service (the dashboard and hosted vaults), and — for completeness — the open-source kb0-mcp package. Contact: vitor.christoval@gmail.com.
2. The open-source package collects nothing
The kb0-mcp engine runs entirely on your hardware. It makes no network calls to us and sends us no data — unless you explicitly set a KB0_API_KEY, which enables audit forwarding to your own kb0 cloud account (described below).
3. What we collect on kb0 cloud
- Account data — email, name, and (if you sign in with GitHub) the basic profile GitHub shares. Passwords are hashed; we never see GitHub credentials.
- Hosted vault content — the markdown notes your agents and you store in a hosted vault. We store and process them solely to provide the service; we don't read, mine, or train on them.
- Audit events — content-free by design — tool name, agent name, note paths, search queries, result counts, timestamps, and success/error codes. Note bodies are never included in audit events, including events forwarded from local vaults.
- API keys — stored as SHA-256 hashes; the plaintext is shown once and never persisted.
- Billing — handled by Stripe. Card numbers never touch our servers; we keep your Stripe customer id, plan, and subscription status.
- Support — whatever you send us by email.
4. Cookies
The dashboard sets functional cookies only: an httpOnly session cookie (sign-in) and a small preference cookie (e.g. whether you dismissed onboarding). The website uses Vercel Web Analytics, which is cookie-free and doesn't identify visitors. We run no advertising or cross-site tracking.
5. Service providers
We use a small set of subprocessors to run the service:
- Railway — application hosting and database (cloud + dashboard)
- Vercel — website hosting and cookie-free analytics
- Stripe — payments and subscription management
- GitHub — optional OAuth sign-in
- Google Fonts — font delivery on the website
We don't sell or share your data with anyone else, and we only disclose it if legally required.
6. Legal bases and international transfers
We process your data to perform our contract with you (running your account, vaults, and audit trail), on our legitimate interest in securing and improving the service, and to meet legal obligations (billing records) — the bases set out in the LGPD (art. 7) and GDPR (art. 6). Our providers' servers may be located outside Brazil or the EEA (typically the United States); those transfers are covered by the providers' standard contractual safeguards.
7. Retention
- Audit events — kept per your plan's retention window (14 days on Free, 90 days on Pro), then deleted automatically.
- Vault content and account data — kept until you delete them or your account.
- Billing records — kept as long as legally required.
8. Security
All traffic is encrypted in transit (TLS). API keys are stored hashed, audit trails are hash-chained (tamper-evident), and the dashboard never exposes server-side secrets to the browser. No system is perfect — if we learn of a breach affecting your data, we'll notify you without undue delay.
9. Your rights
You can access, export (portability), correct, or delete your data, and object to or ask about how it is processed. Exporting a hosted vault is built into the product — it's a plain git repository of markdown files. For account deletion or any other request (including rights under the GDPR or LGPD), email vitor.christoval@gmail.com and we'll respond within 30 days. You can also complain to your data-protection authority (in Brazil, the ANPD).
10. Children
kb0 is not directed at children under 16 (or a higher age where local law sets one), and we don't knowingly collect their data.
11. Changes
We may update this policy as the product evolves. Material changes will be announced on this page with a new "last updated" date; continued use after that means you accept the updated policy.