Viomba MCP Server — Privacy Policy
Version date: May 5, 2026. This Privacy Policy describes how Viomba Oy, c/o Kuubi Oy, Kaikukatu 2 C, 00530 Helsinki, Finland, business ID 2613800-8 ("Viomba", "we", "us" or "our") collects, uses, stores and protects personal data in connection with the Viomba MCP Server, the Viomba MCP Dashboard, the Viomba MCP marketing portal and related support, onboarding, billing and communications.
This policy is intended for Main Users, authorised Users, developers, evaluators, customer administrators, prospects and other individuals who interact with the Viomba MCP Service. It should be read together with the Viomba MCP Server Terms & Conditions. If the Terms and this Privacy Policy describe the same operational area, this Privacy Policy explains the personal-data handling and the Terms explain the service, commercial and usage conditions.
1. Overview and controller details
Viomba acts as the data controller for account administration, portal analytics, direct communications, billing administration and platform security records that we determine for our own business purposes. Where a Customer submits advertising creatives, campaign materials, URLs, prompts, images, video assets or other content for processing through the MCP Service, the Customer remains responsible for ensuring it has the rights, notices, permissions and lawful basis needed to provide that material to Viomba and to use the resulting attention predictions, heatmaps, benchmarks and reports.
Viomba MCP is designed for developer and operator workflows. We process the information needed to authenticate users, run MCP tools, account for Attention Credit usage, secure OAuth credentials, render or analyse submitted creative materials, and support customers using the Service.
2. Personal data and operational records we collect
The specific data collected depends on how you use the Service. Free evaluator onboarding may require verified email, OAuth, usage, security and diagnostic records so that Viomba can provide included-credit access, prevent abuse, enforce tier limits and support account recovery. Pro package purchase flows may require a Stripe-validated credit card, while verified developer onboarding may also require business email and workflow-context records.
| Category | Examples | Primary purpose |
|---|---|---|
| Account, OAuth and onboarding data | Name, business email, company, role, account identifiers, OAuth client metadata, invite redemption status and tier eligibility. | Account creation, authentication, customer administration, service access control and fraud prevention. |
| Attention Credit and commercial records | AC balance, free-credit allocations, credit purchases, consumption records, invoices, billing contacts and tax-related details where applicable. | Credit administration, pricing enforcement, invoicing, accounting, support and auditability. |
| MCP usage and API logs | Tool calls, endpoint activity, timestamps, IP-derived technical metadata, client identifiers, rate-limit events, errors and diagnostic traces. | Delivering the MCP Service, maintaining reliability, applying usage controls, diagnosing issues and protecting the platform. |
| Creative inputs and Service outputs | Submitted URLs, HTML snippets, ad previews, images, videos, generated frames, prompts, attention scores, heatmaps, benchmarks and reports. | Rendering, slicing, prediction, heatmap generation, reporting, benchmarking, quality assurance and support requested by the customer. |
| Website and communications data | Newsletter form submissions, support messages, analytics events, cookie identifiers, page views and campaign-source parameters. | Responding to enquiries, measuring site performance, improving documentation and communicating relevant product updates. |

Viomba does not require Customers to submit personal data inside advertising creatives or prompts. If a Customer or User includes personal data in creative material, raw HTML, URLs, prompt text, video frames, images or other Service inputs, that information may be processed as part of rendering, slicing, prediction, heatmap generation, reporting, support or troubleshooting.
3. How and why we use data
We use personal data and operational records to provide the MCP Service, authenticate accounts and OAuth clients, allocate and consume Attention Credits, maintain free evaluation paths, generate or return requested outputs, prevent fraud or misuse, improve documentation, communicate with Users and comply with legal or accounting obligations. We do not sell personal data.
| Processing activity | Legal basis or operating rationale |
|---|---|
| Providing Viomba MCP accounts, tools, dashboards and usage controls | Performance of a contract or steps taken before entering into a contract. |
| Securing the platform, preventing abuse, keeping audit logs and protecting credentials | Legitimate interests in operating a safe developer API product and protecting Viomba, customers and users. |
| Handling invoicing, accounting, tax and statutory recordkeeping | Compliance with legal obligations and legitimate interests in commercial administration. |
| Sending requested updates or responding to support enquiries | Consent where required, contract performance, or legitimate interests in customer communication. |

AI, attention prediction and creative processing
The MCP Service may render submitted web pages, slice animated, social or video creatives into frames, generate or analyse creative variants, predict attention outcomes, produce heatmaps and create reports. These operations may involve automated processing of Customer-provided content and technical metadata. Viomba uses these processes to deliver the requested Service outputs; prediction outputs are operational analytics and are not intended to make legal, employment, credit, insurance, health or similarly significant decisions about individuals.
Cookies, analytics and communications
The Viomba MCP portal may use cookies or similar technologies to keep the site secure, remember interface preferences, measure page performance, attribute campaigns and understand which documentation or pricing pages are useful. Newsletter or update communications are sent when requested or where otherwise permitted by applicable law. You can opt out of non-essential marketing communications by using the unsubscribe method provided in the message or by contacting us.
4. Sharing, subprocessors and third-party integrations
We share personal data only where needed to operate Viomba MCP, support the Customer relationship, comply with law or protect the Service. Recipients may include hosting providers, cloud storage providers, analytics providers, email and support tools, payment or invoicing providers, professional advisers and authorities where legally required. These parties are expected to handle personal data under appropriate confidentiality, security and data-processing obligations.
Customers may connect MCP-compatible AI clients, agent frameworks, advertising platforms, identity providers or other third-party services to the MCP Service. Those third parties are not controlled by Viomba, and their own privacy notices and terms may apply. Customers are responsible for deciding which third-party systems they connect, which credentials they issue, which materials they submit and which outputs they export from the Service.
Personal data may be processed in Finland, the European Economic Area and other countries where Viomba or its service providers operate. Where required, Viomba uses appropriate safeguards for international transfers, such as contractual commitments or other transfer mechanisms available under applicable data-protection law.
5. Retention, deletion and security
We retain personal data and operational records for as long as needed to provide the Service, administer accounts and Attention Credits, maintain security, resolve disputes, comply with accounting or legal obligations and support legitimate business records. Retention periods may differ by category. For example, OAuth and security logs may be retained for platform protection, billing records may be retained for statutory accounting periods, and submitted creative materials may be retained for the period needed to return outputs, support the Customer and preserve account history unless earlier deletion is available and requested.
Viomba uses technical and organisational security measures designed to protect the confidentiality, integrity and availability of personal data and Service records. These measures may include transport encryption, access controls, credential handling controls, monitoring, logging, backup practices and internal restrictions on access to customer information. No internet-based system can be guaranteed to be completely secure, and Customers must also protect their own accounts, OAuth client_secret values, access tokens, refresh tokens and connected AI clients.
6. Your privacy rights and choices
Depending on your location and relationship with Viomba, you may have rights to request access to personal data, correction, deletion, restriction of processing, portability, objection to certain processing, withdrawal of consent where processing is based on consent, and the right to lodge a complaint with a data-protection authority. These rights may be limited where Viomba must retain information for security, legal, accounting, dispute-resolution or contractual reasons.
If you are using Viomba MCP through a Customer account, Viomba may need to coordinate some requests with the Customer that administers the account. This is especially relevant for records tied to company accounts, subaccounts, OAuth clients, AC balances, tool-call history, creative inputs and generated outputs.
Viomba MCP is intended for business and developer use and is not directed to children. Users must meet the age and authority requirements stated in the Viomba MCP Server Terms & Conditions.
7. Policy updates
We may update this Privacy Policy when the Service, MCP tools, onboarding model, Attention Credit handling, integrations, legal requirements or security practices change. The updated version will be posted on this page with a revised version date. Continued use of the Service after an update means the updated policy applies from the date it is posted, subject to any additional notice required by applicable law.
8. Contact
For privacy questions, data-subject requests or concerns about how Viomba MCP handles personal data, contact Viomba at [email protected]. Please include enough context for us to identify the relevant account, email address, OAuth client, Customer organisation or support conversation.
Company details: Viomba Oy, c/o Kuubi Oy, Kaikukatu 2 C, 00530 Helsinki, Finland, business ID 2613800-8.
