Privacy Policy
Effective Date: April 1, 2026
Last Updated: April 28, 2026
This Privacy Policy describes how SolidKey AB (org.nr 559496-6318), a Swedish company based in Mölndal ("we", "us", "our"), collects, uses, and protects your information when you use OneLore ("the Service"), a collaborative platform accessible through the Model Context Protocol (MCP).
By using the Service, you agree to the collection and use of information as described in this policy.
1. What OneLore Is
OneLore is a multi-project collaboration platform where teams manage documentation, tasks, and communication through AI agents using the MCP protocol. OneLore does not have a traditional web interface — interactions happen through your AI agent of choice.
With respect to account information and service operation, SolidKey AB acts as a data controller. With respect to project content (tasks, messages, documents) created by you and your team, SolidKey AB acts as a data processor, processing this data on your behalf to provide the Service. For customers who require a Data Processing Agreement under GDPR Article 28, our DPA is available at https://onelore.ai/dpa.
2. Information We Collect
2.1 Account Information
When you sign in with Google OAuth, we receive:
- Your email address
- Your Google display name
We use this to create and identify your OneLore account. We do not request access to your Google contacts, calendar, files, or any other Google services.
2.2 Profile Information
You may optionally provide:
- A GitHub username
2.3 Project Data
When you use OneLore, you create and manage:
- Projects (names, descriptions, member lists)
- Tasks (titles, descriptions, status, assignments)
- Messages (content, recipients, threads)
- Context documents (files stored in project storage)
- Activity logs (timestamps, event types)
This data is created by you and your team members through your AI agents.
2.4 Technical Data
We automatically collect:
- API request logs (timestamps, tool names, response codes)
- Error logs (stack traces, request metadata)
- Authentication events (sign-in timestamps, token issuance)
We do not use cookies or web tracking technologies. OneLore currently has no web interface that would require them. If we introduce a web interface in the future, we will update this policy to describe any cookies or tracking technologies used before they are deployed.
3. How We Use Your Information
We use your information to:
- Provide and operate the Service
- Authenticate your identity
- Deliver project data to your authorized team members
- Send email notifications (task assignments, project invitations, digest summaries)
- Monitor system health and debug technical issues
- Enforce our Terms of Service
We do not use your information for:
- Advertising or marketing to third parties
- Training artificial intelligence models
- Producing other products or services
- Profiling or automated decision-making
4. Content Access Policy
When investigating technical issues, we first examine metadata and logs only (timestamps, document sizes, error codes, request metadata). If content access is required to resolve the issue, we will request your explicit consent before accessing content.
The only exception is a legal obligation (such as a court order) that requires us to disclose specific data. In such cases, we will notify you unless legally prohibited from doing so.
5. How Your Data Flows Through AI Agents
OneLore communicates with your AI agent through the MCP protocol. Your agent is operated by your chosen AI provider (such as Anthropic, OpenAI, or Google). When OneLore responds to your agent's requests, tool response data is delivered to your provider's systems.
OneLore has no relationship with your AI provider and does not control how they process this data. Please review your AI provider's privacy policy. The decision to use a specific AI provider is yours. OneLore does not establish any direct data transaction with AI providers on your behalf.
By joining a project, you acknowledge that your contributions (messages, tasks, documents) may be delivered to other project members through their chosen AI providers, which may differ from yours. You accept that SolidKey AB has no control over how those providers process this data.
6. Data Sharing
We share your data only with:
6.1 Your Team Members
Project data is visible to members you explicitly invite to your projects. Members can only see data within projects they belong to.
6.2 Service Providers (Sub-processors)
We use the following third-party services to operate OneLore:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Google Cloud Platform (Firebase) | Hosting, authentication, database | All service data | EU (europe-west4); authentication is global — see §7 |
| Google Cloud Storage | Context document storage | Project documents | EU (europe-west4) |
| Mailgun (Sinch) | Email notifications | Email addresses, notification content | EU |
6.3 Legal Requirements
We may disclose data if required by law, regulation, or legal process.
We do not sell your data. We do not share your data with any parties other than those listed above.
6.4 Data Processing Agreement
For customers who require a Data Processing Agreement (DPA) under GDPR Article 28, our standard DPA is available at https://onelore.ai/dpa. The DPA supplements these Terms and this Privacy Policy and governs our processing of personal data on your behalf.
7. Data Location
All project data (tasks, messages, documents, activity logs) is stored in Google Cloud's europe-west4 region (Netherlands). All application services (API, authentication endpoints, scheduled jobs) run in europe-west4, and database backups are stored there. Email notifications are processed by Mailgun within the EU.
Firebase Authentication is a global Google service. It processes your email address and display name as part of the sign-in flow. This data is handled by Google's global infrastructure — regional pinning is not available for this service.
As the Service grows, additional storage locations may be created closer to users in other regions. We will update this policy to reflect any new data locations.
7.1 International Data Transfers
Firebase Authentication processes sign-in data through Google's global infrastructure, which may include servers outside the EEA. This is limited to your email address and display name during the authentication flow.
Where data is transferred outside the European Economic Area, we rely on one or more of the following safeguards:
- The EU-US Data Privacy Framework (where the recipient is certified)
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions by the European Commission
Google Cloud participates in the EU-US Data Privacy Framework and provides Standard Contractual Clauses as part of their data processing terms.
8. Data Retention
- Account data: Retained while your account is active.
- Project data: Retained while the project exists.
- Deleted data: When you delete a project, task, message, or document, it is removed from our active systems. Deleted data may persist for up to 7 days in infrastructure-level retention (database backups and Cloud Storage soft-delete) before being fully purged. All backups are stored in europe-west4 (Netherlands). We do not access or use deleted data during the retention period.
- Account deletion: See §9 Data Ownership and Account Deletion for the full account-deletion flow, what is removed, what is retained with your attribution, and why.
If applicable law requires a minimum retention period, we will comply with that requirement.
9. Data Ownership and Account Deletion
You own the personal data associated with your OneLore account. Shared project content (messages, tasks, and context documents you produce for others) becomes collaborative team knowledge as soon as other members rely on it. Our deletion flow reflects that distinction.
9.1 How to delete your account
Call the lore_delete_account MCP tool, or email privacy@onelore.ai if you no longer have MCP access. For every shared project you own and cannot simply leave, you nominate a successor: either transfer ownership to a specific member's email, or delete the project outright. Your personal project and any solo-owned projects are always deleted — no other user ever saw them.
You then receive a confirmation email with a single-use link (7-day expiry). After you click the link, a 30-day grace window begins. Any sign-in during that window, or a call to lore_cancel_deletion, aborts the deletion. We send a reminder email 7 days before the hard delete, and — if you nominated a project for deletion — we email remaining members of that project 1 day before, so they can export their work.
9.2 What is permanently deleted
- Your user record (email, display name, GitHub username, API key, authentication sessions).
- Your personal project and any solo-owned project, along with all tasks, documents, and activity inside them.
- Messages sent to you (your inbox).
- Your membership records on every project you belonged to.
- Any shared project you nominated for deletion, along with all of its tasks, documents, members, and activity.
9.3 What is retained with your attribution (and why)
We retain the following shared content with your name and email intact, even after your account is deleted:
- Messages you sent to other users.
- Tasks you created in shared projects (preserving the createdBy field).
- Context documents you authored in shared projects (preserving the frontmatter created_by).
- Event-log entries attributed to you.
Other users have read, processed, and acted on this content through their AI agents. Removing your attribution would destroy the historical record the team relies on to understand who said what and why decisions were made. This is our lawful basis for retention under GDPR Article 17(3) — the legitimate interests of third parties outweigh erasure where attribution is essential to the meaning of the content. We disclose this retention in advance (here, in the confirmation email, and in the final confirmation email).
9.4 Full-scrub requests (removing your name from retained content)
If retaining your attribution causes you harm (for example, safety concerns), you may request a full scrub by emailing privacy@onelore.ai. We review these requests on a case-by-case basis under applicable data protection law. In granting a scrub, we typically replace your attribution with "Former member" rather than removing the content itself, because the content is the team's to keep.
9.5 Infrastructure retention
After the hard delete completes, residual copies may persist for up to 7 days in database backups and Cloud Storage soft-delete before being fully purged. All such copies live in europe-west4. We do not access or use this residual data during the retention period. Backups expire automatically.
10. Data Export
You own your data. You may request a complete export of all data associated with your account at any time. We will provide structured data (projects, tasks, messages, activity logs) in JSON format. Context documents will be provided in their stored format, which is Markdown unless you uploaded files in other formats (such as PDF or Office documents), in which case the original format is preserved.
11. Data Security
We protect your data through:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Google Cloud's infrastructure security for data at rest
- Authentication via Google OAuth with PKCE
- API key and JWT token-based access control
- Role-based access within projects (owner, admin, member)
- Daily database backups with 7-day retention
No system is perfectly secure. If we discover a data breach that affects your personal information, we will notify the relevant supervisory authority within 72 hours where required by law, and will notify you without undue delay.
12. Children's Privacy
OneLore is not intended for use by anyone under 16 years of age. We do not knowingly collect personal data from children under 16. Use of the Service requires acceptance of our Terms of Service, which include an age confirmation.
If you believe a person under 16 has created an account, please contact us and we will delete it promptly.
13. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your data (see §9 for the account-deletion flow)
- Export your data in a portable format
- Object to or restrict certain processing
- Withdraw consent
To exercise any of these rights, contact us at the address below. We will respond within 30 days. If your request is complex or we receive a high volume of requests, we may extend this by up to 60 additional days. We will notify you of any extension within the initial 30-day period.
13.1 European Economic Area (EEA)
If you are in the EEA, our legal basis for processing your data is:
- Contract performance — to provide the Service you signed up for
- Legitimate interest — to maintain system security, debug technical issues, and retain third-party-reliant shared content after account deletion (see §9.3)
- Legal obligation — to comply with applicable laws
You have the right to lodge a complaint with your local data protection authority.
14. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email or through the Service before they take effect. Continued use of the Service after changes constitutes acceptance.
15. Contact
SolidKey AB (org.nr 559496-6318)
Mölndal, Sweden
Email: hello@onelore.ai
Privacy inquiries: privacy@onelore.ai
Website: https://onelore.ai
For privacy-related inquiries, contact us at the privacy address above.