Privacy Policy

Last updated: May 2026

1. Controller

The controller responsible for the processing of personal data on this website and in connection with the MetaPipe and MetaHub services is:

Nikolai Sokolov
Metawork Studio
Am Dicken Stein 16
53913 Swisttal, Germany
Email: [email protected]

2. What data we collect and why

2.1 Website visitors

When you visit metawork.studio, our hosting provider (Vercel) temporarily processes your IP address and standard HTTP request data (browser type, referring URL, timestamp) in server logs for security and abuse-prevention purposes. These logs are retained for up to 30 days. Legal basis: Art. 6(1)(f) GDPR — our legitimate interest in maintaining secure and stable services.

2.2 Contact and enquiries

If you send us an email or fill in a contact form, we store your name, email address, and the content of your message solely to handle your enquiry. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding).

2.3 License customers (MetaPipe & MetaHub)

When you purchase a MetaPipe or MetaHub subscription, we collect and store:

  • Email address — for license issuance, invoicing, and service communications.
  • Payment data — processed exclusively by Stripe, Inc. (see section 4). We store only Stripe’s subscription and customer identifiers, not your full card details.
  • License record — a license key, product, tier, status, and trial period, stored in our database (Neon, see section 4).

Legal basis: Art. 6(1)(b) GDPR — performance of a contract.

Billing records are retained for 10 years to comply with German commercial and tax law (§ 147 AO, § 257 HGB). License status records are retained for the duration of the subscription plus 90 days.

2.4 MetaPipe and MetaHub MCP usage — what we do NOT store

MetaPipe and MetaHub act as a technical proxy between your AI client and your CRM (Pipedrive or HubSpot). When your AI calls a tool — for example, to retrieve a deal or update a contact — the MCP server forwards that request to your CRM’s API and returns the response.

We do not log, store, or retain the contents of CRM API calls. Your CRM records (contacts, deals, companies, notes, emails, and any other data in your Pipedrive or HubSpot account) are never written to our databases and are never accessible to us after the MCP session ends.

The only data we store is the authentication credential you use to connect your CRM (your CRM API token), which is held encrypted at rest and used solely to authenticate outbound requests to your CRM on your behalf.

Legal basis for processing the CRM API token: Art. 6(1)(b) GDPR — performance of the MCP service contract.

3. Data processing on your behalf (GDPR Art. 28)

Because MetaPipe and MetaHub process CRM data that may contain personal data about your customers, prospects, or employees, you are the data controller and we act as your data processor within the meaning of Art. 4(8) and Art. 28 GDPR.

As your data processor, we commit to the following:

  • We process CRM personal data only on your documented instructions (i.e., the MCP tool calls your AI makes).
  • We do not use CRM personal data for any purpose other than fulfilling MCP tool calls.
  • We implement appropriate technical and organisational measures to protect CRM data in transit (TLS encryption).
  • We do not subcontract the processing of CRM personal data to third parties beyond the transport infrastructure (Vercel, which processes request/response data in memory only).
  • We will assist you in fulfilling your GDPR obligations (rights of access, erasure, portability) to the extent technically possible.
  • In the event of a personal data breach affecting CRM data, we will notify you without undue delay and within 72 hours of becoming aware.
  • We will delete all CRM personal data from our systems upon termination of your subscription (CRM credentials are deleted; no other CRM personal data is retained).

You remain responsible for ensuring that your use of MetaPipe or MetaHub to process personal data in your CRM has a lawful basis under GDPR. If you require a separate written Data Processing Agreement (Auftragsverarbeitungsvertrag, AVV) pursuant to Art. 28(3) GDPR, contact us at [email protected].

4. Third-party service providers (sub-processors)

Stripe, Inc.

We use Stripe to process subscription payments. Stripe receives your payment card details, name, and billing address. Stripe is certified under PCI DSS and operates under EU Standard Contractual Clauses. Privacy policy: stripe.com/privacy.

Vercel, Inc.

Our website and the license server run on Vercel’s infrastructure. Vercel processes request metadata (IP address, headers) in connection with serving pages and API responses. Vercel operates under EU Standard Contractual Clauses. Privacy policy: vercel.com/legal/privacy-policy.

Neon, Inc.

Our license database runs on Neon’s serverless Postgres service. Neon stores license records (email, subscription status, license key) as described in section 2.3. Neon operates under EU Standard Contractual Clauses. Privacy policy: neon.tech/privacy-policy.

5. International data transfers

Stripe, Vercel, and Neon are US-based companies. Data transfers to the United States take place under EU Standard Contractual Clauses (SCCs) adopted pursuant to Art. 46(2)(c) GDPR, which provide appropriate safeguards for your personal data.

6. Your rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — you may request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — you may ask us to correct inaccurate data.
  • Right to erasure (Art. 17) — you may ask us to delete your data, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18) — you may ask us to restrict how we use your data.
  • Right to data portability (Art. 20) — you may request your data in a structured, machine-readable format.
  • Right to object (Art. 21) — you may object to processing based on our legitimate interests.

To exercise any of these rights, email us at [email protected]. We respond within one month.

You also have the right to lodge a complaint with a supervisory authority. In Germany, the relevant authority is the data protection commissioner of your federal state (Landesdatenschutzbeauftragter). For North Rhine-Westphalia (our registered state): ldi.nrw.de.

7. Cookies

This website does not set tracking or analytics cookies. We do not use Google Analytics or similar third-party tracking services. Stripe’s checkout pages may set cookies required for payment processing when you visit the license server.

8. Changes to this policy

We may update this privacy policy to reflect changes in our services or legal requirements. Material changes will be communicated by email to active license holders at least 14 days in advance.

9. Contact

For privacy-related questions or to exercise your rights:
[email protected]