Privacy Policy
Last updated: 2026-04-19
OpenRegistry is a free remote MCP server operated by Sophymarine (contact: contact@sophymarine.com). This policy explains what we process, why, and how long we keep it.
1. Who we are (Controller)
For UK GDPR and EU GDPR purposes, the data controller is Sophymarine. You can reach us at contact@sophymarine.com.
2. What we process and why
- Your IP address - used solely for per-IP rate limiting of the anonymous tier (20 requests/min). Held in an in-memory token bucket on Cloudflare Workers' edge; not written to durable storage.
- Your MCP request content - the tool name and arguments you send (e.g. jurisdiction + company identifier). Forwarded in real time to the relevant government registry. Not persisted beyond short-lived deduplication caches (typically <60s).
- Registry responses - the data returned from the upstream government registry. Returned to your client unmodified. Some responses are cached for a short performance window (configurable per tool, typically <10 minutes). Pass fresh=true on any tool call to bypass the cache.
- Session identifiers - short-lived UUIDs tied to your MCP session. Discarded when the session ends.
- Authenticated-tier account data (only if you sign in) - email address, tier level, OAuth refresh tokens, Stripe customer ID. Used to enforce per-user rate limits and manage billing. Stored encrypted in Cloudflare D1. Never sold, never shared with third parties except Stripe (billing only).
3. What we do NOT collect
- We do not use cookies on the anonymous API surface.
- We do not use analytics or advertising trackers.
- We do not track users across sessions on the anonymous tier.
- We do not sell, rent, or share your data with third parties (except Stripe for billing on paid tiers).
- We do not log the plain content of your queries into persistent storage; the tool name and company_id surface in short-term request metrics (Cloudflare Analytics Engine, 14-day retention) for per-jurisdiction error monitoring only.
4. Data returned from upstream government registries
Tool calls are proxied to the relevant national government registry of record at the moment you ask. The registry's response is returned to you unmodified - we do not add, rename, reformat, or enrich upstream fields. Those registries are the authoritative data controllers for their own records. Representative list:
- UK Companies House
- Norway Brønnøysundregistrene
- France RNE (Direction Interministérielle du Numérique)
- Germany Handelsregister (gemeinsames Registerportal der Länder)
- Italy InfoCamere / EU BRIS
- Spain BORME / AEBOE
- Poland KRS (Ministry of Justice)
- Czechia ARES (Ministry of Finance)
- Finland PRH
- Ireland CRO
- Belgium KBO/CBE
- Netherlands KVK Handelsregister
- Canada Corporations Canada (ISED)
- South Korea OpenDART (FSS)
- Australia ABR
- Mexico PSM (Secretaría de Economía)
- Plus 11 other jurisdictions across 27 national registries - full list available on our site.
Each upstream registry publishes its own privacy notice on its official domain. Consult the registry's own site for their data-handling practices.
5. Retention
- In-memory rate-limit buckets: seconds (automatically reset).
- Per-jurisdiction performance cache: up to ~10 minutes (configurable).
- Cloudflare Analytics Engine per-call metrics: 14 days.
- Authenticated-tier account + billing data: lifetime of the account + 7 years post-cancellation for UK statutory accounting obligations.
- Audit/security logs (if triggered by abuse): up to 90 days.
6. Legal basis (UK GDPR / EU GDPR)
- Anonymous tier: legitimate interest in providing a free, abuse-resistant public service, with processing limited to technical necessity.
- Authenticated paid tier: contractual necessity (to deliver the paid service) + legitimate interest (fraud / abuse prevention).
- Stripe billing: contractual necessity.
7. International data transfers
OpenRegistry runs on Cloudflare Workers' global edge network. Requests are routed to the nearest point-of-presence; authenticated-tier data is stored in Cloudflare's EU datacenters where available. Upstream government registries are hosted in their respective jurisdictions.
8. Your rights
Under UK GDPR and EU GDPR you have the right to: access your data, correct inaccuracies, request deletion, object to processing, request data portability, and lodge a complaint with a supervisory authority (UK: ICO; EU: your national DPA).
For the anonymous tier we hold no personally identifiable information beyond ephemeral rate-limit state, so most rights are trivially satisfied. For authenticated tiers, email contact@sophymarine.com to exercise any right. We respond within 30 days.
9. Children
OpenRegistry is not directed at children under 16. We do not knowingly collect data from children.
10. Changes to this policy
We will update the "Last updated" date at the top when changes are made. Material changes will be announced on the project GitHub repository before taking effect.
11. Contact
Questions, rights requests, or complaints: contact@sophymarine.com