Privacy Policy

On Belay (“we”, “us”, or “our”) operates the On Belay platform at app.onbelay.ai (the “Service”). This Privacy Policy describes how we collect, use, store, and disclose information when you use the Service.

On Belay is a B2B SaaS platform. By using the Service, you agree to the collection and use of information in accordance with this policy.

Account and identity information

When you sign in, we collect your name, email address, and profile photo from your Google account via Google OAuth. This information is used solely to create and identify your account within On Belay.

Organization and group configuration

We store the organizational structure you configure in On Belay: organization name, functional group names and descriptions, Claude role definitions (system prompts), people guidelines, and group membership assignments. This configuration data is the core of what On Belay delivers to Claude via MCP.

OAuth tokens and API credentials

When you connect third-party integrations (e.g., HubSpot, Shopify, Google Analytics, Slack), we store the OAuth tokens or API keys required to authenticate against those services on your behalf. All credentials are encrypted at rest using libsodium secretbox symmetric encryption before being written to our database. Credential decryption only occurs at the moment a permitted user requests the credential via the MCP API.

MCP access tokens

On Belay issues OAuth 2.0 Bearer tokens to Claude Desktop, claude.ai, and Claude Code when users complete the OAuth PKCE flow. These tokens are stored as SHA-256 hashes in our database — we never store the plaintext token. Tokens are used to authenticate MCP API requests.

Usage and log data

We may collect standard server log data including IP addresses, browser user agents, request timestamps, and error information. This data is used for security monitoring, debugging, and service reliability. It is not used for behavioral advertising.

We use the information we collect to:

• Provide, operate, and improve the Service
• Authenticate you and your team members to the platform
• Deliver organizational context to Claude via MCP when requested
• Send transactional emails (e.g., team invitations) using Resend
• Monitor and maintain the security and reliability of the Service
• Comply with legal obligations

We do not sell your data to third parties. We do not use your data or your organization’s configuration to train AI models.

All third-party OAuth tokens and API keys stored by On Belay are encrypted at rest using libsodium secretbox (XSalsa20-Poly1305) before being written to our PostgreSQL database hosted on Railway. The encryption key is a 32-byte secret stored as a Railway environment variable, separate from the database.

Integration credentials are never logged, never transmitted in plaintext beyond the TLS-secured API response, and are only decrypted when a user with valid group-level permission calls the get_integration_credential MCP tool with a valid Bearer token.

We retain data for as long as your account is active or as needed to provide the Service:

• Integration credentials — deleted immediately when you remove an integration from your organization.
• MCP Bearer tokens — expire automatically after 90 days of inactivity. You may revoke tokens at any time from Dashboard → Settings.
• Organization and group data — retained for the lifetime of the organization account. Deleted within 30 days of account deletion upon request.
• User account data — deleted upon request. Removing a user from all organizations will remove their account data from active records.

On Belay uses the following sub-processors and infrastructure providers. Each processes data subject to their own privacy policies:

We implement industry-standard technical and organizational measures to protect your data, including TLS encryption in transit, encrypted credentials at rest, hashed authentication tokens, and role-based access controls within the platform.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately at [email protected].

You may request access to, correction of, or deletion of your personal data at any time by contacting us. For organizations, admins may delete integrations, remove members, and delete the organization directly from the dashboard. Account deletion requests will be processed within 30 days.

If you are located in the European Economic Area (EEA) or the United Kingdom, you have rights under GDPR/UK GDPR including the right to access, rectification, erasure, restriction of processing, data portability, and the right to object.

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page with a revised effective date. Continued use of the Service after changes constitutes acceptance of the updated policy.

For privacy-related inquiries, data deletion requests, or security concerns, contact us at: