Privacy Policy
Last updated: 01.07.2026
BRONTIR OÜ ("BRONTIR", "we", "us", "our") operates BRONTIR Web Data, an MCP (Model Context Protocol) server available at webdata.brontir.com that connects AI assistants to the live web and supported platforms and returns structured, sourced results (the "Service"), together with the website at brontir.com.
This Policy explains what personal data we process, why, and the rights you have. We are subject to the EU General Data Protection Regulation (GDPR).
Controller: BRONTIR OÜ, a private limited company registered in Estonia under registry code 16804491, with registered office at Tartu mnt 67/1-13b, Kesklinna linnaosa, 10115 Tallinn, Harju maakond, Estonia. Contact: privacy@brontir.com.
1. Summary
- We process the minimum data needed to run the Service.
- We do not sell your personal data and do not use it for third-party advertising.
- The Service retrieves publicly accessible third-party content at your instruction — you are responsible for lawful use of that content.
2. Data we process
- Account & authentication — your email address and, depending on how you sign up, a password you set or the basic profile data shared by a third-party sign-in provider you choose (such as Google — typically your email and name), together with authentication/session tokens and any API credentials used to connect your AI assistant to the Service.
- Instructions & queries — the prompts, search terms, URLs, and parameters you (or your AI assistant acting for you) submit through the Service's tools (e.g.
Search,Fetch,Read,Ask). - Retrieved content & results — public web and platform content the Service fetches at your request and the structured, cited results returned to you. Retrieved content is processed transiently to fulfil your request and returned to you (or your AI assistant); we do not retain it as part of a stored library on your behalf.
- Code execution — code you run via
ExecuteCode, with its inputs and outputs, executed in an isolated sandbox. - Usage & technical data — request logs (timestamp, tool, status), IP address, client/user-agent, and diagnostic data, used for security, abuse prevention, and reliability.
- Billing data (paid plans) — processed by our payment provider; we receive limited billing metadata, not full card numbers.
- Communications — messages you send us (e.g. support).
We do not intentionally collect special-category data; please do not submit it unless necessary and lawful.
3. Third-party content and the personal data of others
The Service retrieves publicly accessible content from the web and supported platforms at your instruction, and such content may contain personal data about third parties.
- We retrieve only content accessible without logging into private accounts, unless you explicitly provide authorisation to do so.
- You are the controller for how you use retrieved content. You are responsible for having a lawful basis to process any personal data it contains, and for complying with applicable law and the terms of the source platforms.
- With respect to data you direct us to retrieve on your behalf, we act as your processor. For business customers, a Data Processing Addendum (DPA) is available on request.
4. Why we process data (purposes and legal bases)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide and operate the Service | Performance of a contract |
| Security, abuse/fraud prevention, rate-limiting | Legitimate interests / legal obligation |
| Maintain and improve reliability | Legitimate interests |
| Billing and accounting | Performance of contract / legal obligation |
| Support and communications | Performance of contract / legitimate interests |
| Comply with the law | Legal obligation |
5. Retention
- Operational logs: kept for up to 12 months, then deleted or anonymised.
- Billing records: source accounting documents (e.g. invoices) are retained for 7 years, as required by Estonian accounting and tax law; other payment-related metadata is kept for up to 1 year.
6. Sharing and sub-processors
We do not sell your personal data and do not share it for advertising.
Running the Service relies on a small number of providers. Where a provider processes personal data on our behalf — in particular the infrastructure that hosts the Service — it acts as our sub-processor, under contract and only on our instructions.
Some features connect you directly to independent third parties that you choose to use. In these cases you provide your details to that party directly and we receive only limited data back:
- a third-party sign-in provider (e.g. Google), if you choose that sign-in option — you authenticate with them directly and they share basic profile data (typically your email and name) with us;
- our payment provider (paid plans) — you submit your payment details to the provider directly, and we receive only limited billing metadata (such as subscription status and partial card details), never full card numbers.
These independent providers process your data under their own privacy policies.
We maintain a current, named list of our sub-processors, available on request (and provided to business customers under a DPA). We may disclose data where required by law.
7. Security
We apply technical and organisational measures appropriate to the risk, including encryption in transit, access controls, secure storage of credentials, and isolation of the code-execution sandbox. No method of transmission or storage is perfectly secure.
8. Your rights
Under the GDPR you have the rights of access, rectification, erasure, restriction, data portability, objection, and withdrawal of consent (where processing is based on consent). To exercise them, contact privacy@brontir.com. You may also lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local supervisory authority.
9. Children
The Service is not directed to children under 16, and we do not knowingly process their personal data.
10. Changes to this Policy
We may update this Policy. We will post the updated version with a new "Last updated" date and, for material changes, take reasonable steps to notify you.
11. Contact
BRONTIR OÜ — privacy@brontir.com — registry code 16804491.