Privacy Policy

Last updated: March 2026 · Version 1.0

Require ApS operates conexor.io and is committed to protecting your personal data. This policy explains what we collect, why, and your rights under GDPR.

1. Who We Are

Require ApS (CVR: DK46342070) ("we", "us", "our") is a Danish private limited company that operates conexor.io — a SaaS platform that connects databases to AI models via the Model Context Protocol (MCP).

For the purposes of GDPR, Require ApS acts:

As data controller for personal data we collect about our customers, users, and platform visitors.
As data processor for personal data that exists within our customers' own databases. In this capacity, our customers are the data controllers, and we process their data solely on their instructions.

This Privacy Policy covers our role as data controller. For information about how we process data in our role as data processor, see our Data Processing Agreement.

2. What Data We Collect and Why

2.1 Account Registration and User Management

Data collected: Email address, name, organisation/company name, hashed password, TOTP MFA secret, user ID, role within organisation.

Why: To create and manage your account, authenticate you, and allow your organisation to administer users.

Legal basis: Article 6(1)(b) — performance of a contract with you (the Terms of Service).

Retention: For the duration of your active subscription, plus 90 days after termination.

2.2 Billing and Payment

Data collected: Name, email address, company name, invoice address, VAT number, subscription plan, invoice history, payment status.

Not collected: We never see or store your card details. Payment processing is handled entirely by Stripe, Inc.

Why: To process payments, issue invoices, and fulfil our legal bookkeeping obligations.

Legal basis: Article 6(1)(b) — contract performance; Article 6(1)(c) — legal obligation (Danish Bookkeeping Act).

Retention: 5 years from invoice date (required by Danish bookkeeping law).

2.3 Platform Usage and Audit Logs

Data collected: User ID, IP address, action performed, resource ID, timestamp.

Not collected: We do not store query results or the content of data retrieved from your databases.

Why: Security monitoring, incident investigation, debugging, and compliance.

Legal basis: Article 6(1)(f) — legitimate interests (platform security and integrity).

Retention: 12 months.

2.4 Database Connection Strings

Data collected: Encrypted connection strings for databases you connect to the platform.

Why: To enable the platform to relay AI queries to your database. Connection strings are encrypted at rest using AES-256.

Legal basis: Article 6(1)(b) — contract performance.

Retention: Deleted upon disconnection or account termination (within 90 days).

2.5 Customer Support

Data collected: Your name, email address, and the content of your support inquiry.

Why: To respond to and resolve your support requests.

Legal basis: Article 6(1)(b) — contract performance; Article 6(1)(f) — legitimate interests.

Retention: 2 years from closure of the support ticket.

2.6 Marketing Communications

Data collected: Email address, name, company, subscription status.

Why: To send product updates, feature announcements, and relevant service information to customers.

Legal basis: Article 6(1)(f) — legitimate interests for existing customers; Article 6(1)(a) — consent for others.

Retention: Until you unsubscribe, or 3 years after last interaction, whichever is earlier.

3. Your Database Data — We Are a Processor, Not a Controller

When you connect your database to conexor.io, you remain the data controller for any personal data within that database. We act as your data processor.

We relay AI-generated SQL/MCP queries to your database and return results to you or the AI model session.
We do not store, index, or analyse the content of query results.
We do not use your database data for our own purposes.
Anthropic (Claude) may receive query text as part of the relay-chat feature — this is covered in our Data Processing Agreement and Sub-Processor List.

4. Who We Share Data With

Recipient	Purpose	Location	Safeguard
Microsoft Azure	Platform hosting, database, email notifications	EU (Netherlands)	Within EU — no transfer
Stripe, Inc.	Payment processing	USA	Standard Contractual Clauses
Anthropic, Inc.	AI models (Claude) for relay-chat	USA	Standard Contractual Clauses
OpenAI, LLC	Embedding models for platform-internal use	USA	Standard Contractual Clauses

We do not sell personal data. We do not share personal data with third parties for their own marketing purposes. See the full Sub-Processor List.

5. International Transfers

Our platform runs on Microsoft Azure in the EU (West Europe / Netherlands). Your personal data remains in the EU for core platform storage.

For sub-processors located in the USA (Stripe, Anthropic, OpenAI), we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914/EU). Copies are available upon request at [email protected].

6. Security

TLS 1.2+ encryption for all data in transit
AES-256 encryption for connection strings at rest
Role-based access control (RBAC)
MFA for platform access
Immutable audit logging
Infrastructure on Azure with SOC 2 and ISO 27001 certifications

7. Your Rights

Right	What it means
Access (Art. 15)	Request a copy of the personal data we hold about you
Rectification (Art. 16)	Request correction of inaccurate data
Erasure (Art. 17)	Request deletion of your data (subject to legal retention obligations)
Restriction (Art. 18)	Request that we restrict processing in certain circumstances
Portability (Art. 20)	Receive your data in a machine-readable format
Objection (Art. 21)	Object to processing based on legitimate interests
Withdraw consent (Art. 7(3))	Where processing is based on consent, withdraw it at any time

To exercise your rights, contact us at [email protected]. We will respond within 30 days.

8. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.

9. Cookies and Tracking

Our platform (app.conexor.io) uses only strictly necessary cookies for authentication and session management. We do not use tracking cookies or third-party analytics cookies without your consent.

Our marketing website (conexor.io) may use analytics tools. Where we do, we will obtain your consent and provide a cookie notice.

10. Children

Our Services are not intended for children under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact [email protected] and we will delete it.

11. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. In Denmark, this is:

Datatilsynet (Danish Data Protection Agency)

Carl Jacobsens Vej 35, 2500 Valby, Denmark

[email protected] — www.datatilsynet.dk

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email (to the address on your account) or by prominent notice on our website, at least 30 days before the changes take effect. Continued use of the Services after the effective date constitutes acceptance of the updated policy.

13. Contact

For any privacy-related queries, data subject requests, or complaints:

Require ApS — Attn: Privacy/Legal

[email protected]