Skip to main content

Privacy Policy

Last updated: June 1, 2026

1. Data Controller

The data controller for personal data processed in connection with Odoo Semantic MCP is Viindoo Technology Joint Stock Company (Vietnam; business registration no. 0201994665; registered office Room 820-823, Floor 8, Thanh Dat 3 Building, No. 4 Le Thanh Tong Street, Ngo Quyen Ward, Hai Phong City, Vietnam). Privacy contact: privacy [at] viindoo [dot] com , or open a support ticket.

2. Personal Data We Collect

We collect and process the following categories of personal data:

  • Account data: email address, username, hashed password (bcrypt);
  • OAuth identifiers: provider name (Google/GitHub) and provider-issued user ID, if you sign up via OAuth;
  • Usage data: MCP tool call counts per API key (aggregated monthly quota counter; individual call content is not logged);
  • Technical/security data: IP address (for rate-limiting and audit logs), browser user-agent string;
  • Consent record: timestamp at which you accepted these Terms and Privacy Policy at signup;
  • Repository metadata: derived from code you index — including, where present in the source, authorship and copyright-owner metadata (e.g. author names/emails in manifests or VCS history) — see Section 5;
  • Billing data: subscription status, plan tier, billing interval — handled by Polar (see Section 6); we do not store payment card data.

3. Code Indexing

When you connect a repository, our indexer processes your codebase to extract metadata only (model names, field names, inheritance chains, method signatures, view XML IDs). Individual source-code lines are not stored on our cloud infrastructure under standard plans. Metadata is stored in our graph database and vector store to power MCP tool responses.

4. Legal Basis for Processing

We process personal data on the following legal bases:

  • Contract performance (GDPR Art. 6(1)(b); and as permitted under applicable Vietnamese data protection law, Decree 13/2023/ND-CP and the Personal Data Protection Law): account data and usage data are necessary to provide the Service under our Terms;
  • Legitimate interests (GDPR Art. 6(1)(f); and as permitted under applicable Vietnamese data protection law, Decree 13/2023/ND-CP and the Personal Data Protection Law): IP address and audit logs for security, fraud prevention, and service integrity; and processing of third-party authorship/copyright metadata contained in indexed repositories (Section 5);
  • Consent (GDPR Art. 6(1)(a); and as permitted under applicable Vietnamese data protection law, Decree 13/2023/ND-CP and the Personal Data Protection Law): where we rely on your explicit consent, recorded at signup.

5. Authorship Metadata in Indexed Repositories

Code you submit may contain personal data of third parties — for example, contributor names and email addresses in module manifests, file headers, or version-control history (the copyright_owner and authorship fields we derive). When you index such a repository, that personal data may be processed and stored as repository metadata.

We process this metadata on the basis of our and your legitimate interest in operating a code-knowledge service (GDPR Art. 6(1)(f)), and we rely on your representation (in the Terms, Section 5) that you are authorized to submit the repository. If you are an author whose personal data appears in indexed metadata and you object to its processing or want it removed, you may use our notice-and-takedown path (Section 8) and we will review and, where appropriate, remove or de-index it.

6. Recipients: Processors and Independent Controllers

Processors (act on our instructions to provide the Service):

  • Hosting provider: Viindoo self-hosted infrastructure (Vietnam) — hosts the Service and its databases in Vietnam;
  • Email delivery provider: Viindoo-operated mail (@viindoo.com) — sends account-verification and notification emails (recipient email address shared);
  • hCaptcha (Intuition Machines, Inc., United States): bot/abuse prevention on signup and auth forms; processes IP address and interaction signals;
  • OAuth providers (sign-in only): Google and GitHub — when you choose social sign-in, they authenticate you and return a provider user ID and verified email. Each acts as an independent controller for its own platform; for our sign-in flow they process the minimum identifiers needed to log you in.

Independent controller (not our processor):

  • Polar Software Inc. (polar.sh): as Merchant of Record / seller of record for paid subscriptions, Polar is an independent data controller for billing. It collects and processes your payment card data and billing address under its own privacy policy; we do not control or receive that payment data. We receive only subscription status, plan, and billing interval.

We do not sell your personal data.

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside Vietnam (and outside the EEA), which may not provide an equivalent level of data protection. Where such transfers occur we apply appropriate safeguards — Standard Contractual Clauses for EU/EEA data subjects, or mechanisms recognised under applicable Vietnamese data protection law.

For data subject to Vietnamese law, cross-border transfer is carried out under the mechanism required by applicable Vietnamese data protection law (Decree 13/2023/ND-CP and the Personal Data Protection Law). We treat a Transfer Impact Assessment, where applicable as a parallel obligation, as a concurrent compliance step that does not block your use of the Service.

8. Data Retention

We retain personal data for as long as your account is active or as needed to provide the Service:

  • Account data: retained until you delete your account or request deletion;
  • Repository metadata (incl. authorship metadata): retained until you remove the repository or delete your account, then de-indexed within a reasonable period;
  • Usage counters: retained for billing reconciliation for up to 13 months;
  • Audit logs: retained for 12 months for security purposes;
  • IP / rate-limit data: retained for up to 30 days;
  • Billing records: retained as required by applicable tax and accounting law (typically 5-7 years).

9. Your Rights

Subject to applicable law, you have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you;
  • Rectification: request correction of inaccurate data;
  • Erasure: request deletion of your data (subject to legal retention obligations);
  • Restriction: request that we restrict processing in certain circumstances;
  • Portability: receive your data in a machine-readable format;
  • Objection: object to processing based on legitimate interests, including the authorship-metadata processing in Section 5;
  • Withdrawal of consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

Withdrawing consent is not the same as deleting your account. Withdrawing consent stops only the processing that relied on consent; we may continue processing that rests on another legal basis (e.g. contract performance to keep your account running, or legal retention of billing records). If you also want your account closed and data erased, make a separate erasure request — we will action it subject to the retention rules in Section 8.

To exercise any right, email privacy [at] viindoo [dot] com or open a support ticket. We respond within 30 days. You may also lodge a complaint with the data-protection authority in your country; for Vietnam this is the competent supervisory authority designated under applicable Vietnamese data protection law (Department of Cyber Security and Hi-Tech Crime Prevention (A05), Ministry of Public Security of Vietnam).

10. Cookies and Session Data

We use a single session cookie to maintain your login state. This cookie is:

  • HTTP-only and Secure (on HTTPS) — not accessible via JavaScript;
  • SameSite=Lax to mitigate CSRF;
  • Expires after 8 hours of inactivity.

We do not use advertising cookies or third-party tracking cookies. hCaptcha may set its own cookies for abuse prevention when the captcha is shown.

11. Security

We implement appropriate technical and organizational measures to protect your personal data, including bcrypt password hashing (cost factor 12), encrypted session cookies, TLS in transit, and Fernet encryption for sensitive secrets. We conduct regular security reviews.

12. Changes to This Policy

We may update this Privacy Policy. We will notify registered users by email at least 14 days before material changes take effect. The updated policy will be posted at this URL with a revised "Last updated" date.

13. Contact, DPO, and Supervisory Authority

For privacy questions or to exercise your rights, email privacy [at] viindoo [dot] com or contact us via our support helpdesk. Response time: within 30 days.

Data Protection Officer / privacy point of contact: privacy [at] viindoo [dot] com . Lead supervisory authority: Department of Cyber Security and Hi-Tech Crime Prevention (A05), Ministry of Public Security of Vietnam.

Terms of Service · Refund & Cancellation · Home