Who we are
Vaultdesk is a software product that connects AI assistants to Zendesk via a self-hosted MCP server. It is operated by Kate Ives ("Vaultdesk," "we," "us," "our").
This policy covers how we handle personal data in two distinct contexts: visitors to this website, and organisations that license and deploy our software. Questions can be directed to privacy@vaultdesk.cloud.
Two contexts, two data relationships
Vaultdesk is a bring-your-own-cloud product. When a customer deploys Vaultdesk, the software runs entirely inside their own cloud infrastructure — their AWS account, their encryption keys, their credentials. We do not operate servers on their behalf and we do not have access to their environment.
Our privacy obligations split cleanly into two separate contexts:
- This website — we collect information from visitors through our early access form and chat widget. Covered in sections 3 and 5.
- The licensed software — the deployed software makes minimal calls to our license validation service. What we receive is narrow and described precisely in section 4.
Data we collect — marketing site
Early access form
When you request early access we collect your name, work email address, company name, role, industry, and your answers to questions about your Zendesk and Claude setup. We use this to evaluate whether Vaultdesk is a good fit for your team and to follow up with you.
Chat widget
This website includes a chat widget powered by Claude (Anthropic). When you use the chat widget, the messages you type are transmitted to Anthropic's API to generate responses. Anthropic processes this data under their own privacy policy and API terms. We do not store chat transcripts on our own infrastructure, but your messages do leave this website and are processed by Anthropic.
The chat widget is intended for questions about Vaultdesk. We recommend not sharing confidential or sensitive business information through it.
Email correspondence
If you contact us by email we retain that correspondence for as long as it is relevant to the relationship.
Cookies and analytics
We do not use analytics cookies or third-party tracking. We do not run advertising. A session cookie may be set to maintain the chat widget conversation state within a single browser session.
Data we collect — licensed software
When a licensed customer deploys Vaultdesk, the running software makes two types of outbound calls to Vaultdesk infrastructure. Here is exactly what each call sends.
License validation on startup
Every time a Vaultdesk instance starts, it sends a validation request to license.vaultdesk.cloud. This request contains the customer's license key and the product identifier (zendesk-mcp). Nothing else — no user data, no Zendesk data, no conversation content.
Software update checks
When a customer runs the update script, it calls the same license service to obtain a download URL for the new version. This request contains the license key and the requested version string.
What we hold in our license database
| Field | What it is | Why we hold it |
|---|---|---|
| License key | A generated identifier | Validate entitlement on startup |
| Tenant name | Organisation name | Identify the customer account |
| Product | Which Vaultdesk product | Support multiple products per customer |
| Status | Active / suspended / cancelled | Enable licence revocation |
| Expiry date | ISO 8601 date | Enforce annual licence term |
| Startup log entries | Timestamp + licence key | Audit trail, support troubleshooting |
What we explicitly do not receive
- Zendesk ticket data, customer records, or support history
- Conversation content sent to or received from Claude
- Zendesk OAuth tokens or credentials
- OIDC tokens, Okta credentials, or identity provider data
- AWS credentials, KMS keys, or encryption material
- End-user names, emails, or any personal data from your Zendesk instance
How we use data
Marketing site data
- To evaluate early access requests and follow up with prospective customers
- To respond to enquiries sent by email or through the chat widget
- To operate the chat widget — messages are processed by Anthropic's API in real time to generate responses
License and software data
- To validate that a deployment is authorised under an active licence
- To prevent use of revoked or expired licence keys
- To provide software updates to licensed customers
- To support troubleshooting and account management
We do not sell personal data. We do not use it for advertising. We do not share it with third parties except as described in section 6.
Subprocessors and third parties
We use a small number of third-party services to operate Vaultdesk's own infrastructure. This list does not include services running within the customer's own deployment — those are entirely within the customer's control.
| Subprocessor | What we use it for | Data involved |
|---|---|---|
| Amazon Web Services | License server hosting (App Runner, DynamoDB, S3, CloudWatch) | License records, startup logs |
| Netlify | Marketing website hosting and form submission handling | Early access form submissions |
| Anthropic | Powers the chat widget on this website | Messages sent by visitors through the chat widget. Anthropic's privacy policy applies. |
Data retention
| Data | Retention period |
|---|---|
| Early access form submissions | Until the prospect relationship concludes, or upon request |
| Email correspondence | 3 years from last contact |
| Chat widget messages | Not retained by Vaultdesk. Anthropic's retention policy applies. |
| License records | Duration of licence plus 90 days post-expiry |
| License server logs (CloudWatch) | 90 days |
You can request deletion of your personal data at any time by contacting us at the address in section 11. We will respond within 30 days.
Security
Our infrastructure
Vaultdesk's license server is hosted on AWS. License records in DynamoDB are encrypted at rest using AWS KMS. Logs are retained in CloudWatch with a 90-day retention policy. Access to production infrastructure is restricted to authorised personnel.
Customer deployments
Because Vaultdesk runs in the customer's own AWS account, the security of the customer's deployment is the customer's responsibility. This includes their AWS account security, IAM roles and policies, KMS key management, and network configuration. Vaultdesk provides Terraform modules that implement security best practices by default, but the customer controls and owns their environment entirely.
We have no access to customer deployments and cannot be held responsible for the security of infrastructure we do not operate.
Your rights
Depending on your jurisdiction you may have rights including:
- Access — request a copy of the personal data we hold about you
- Correction — ask us to correct inaccurate data
- Deletion — ask us to delete your personal data
- Portability — receive your data in a machine-readable format
- Objection — object to certain processing
Given how little data we hold, we expect most requests to be straightforward to honour. Contact us using the details in section 11 and we will respond within 30 days.
If you are in the EU or UK and believe we have not handled your data correctly, you have the right to lodge a complaint with your local supervisory authority.
Updates to this policy
We will update this policy as the product evolves. For material changes — changes that affect what data we collect or how we use it — we will notify active licence holders by email to the address on their account before the change takes effect.
The date at the top of this page reflects when the policy was last updated.
Contact
For privacy questions, data requests, or to request a Data Processing Agreement:
Vaultdesk
privacy@vaultdesk.cloudWe aim to respond to all privacy enquiries within 30 days.