Privacy Policy

1. Information We Collect

We collect information you provide directly to us, such as when you create an account, use our services, or contact us for support. This includes your name, email address, company information, and financial data necessary to provide our accounting services.

We also automatically collect certain information about your device and usage patterns when you access our service, including IP address, browser type, operating system, and interaction data to improve our service.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our accounting software services
• Process transactions and send related information
• Provide customer support and respond to your requests
• Send technical notices and security alerts
• Analyze usage patterns to enhance user experience
• Comply with legal obligations and protect against fraud

3. Information Sharing and Disclosure

We do not sell, trade, or otherwise transfer your personal information to third parties except in the following circumstances:

• With your explicit consent
• To trusted service providers who assist in operating our service
• When required by law or to protect our rights and safety
• In connection with a business transaction (merger, acquisition, etc.)

4. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. This includes encryption of data in transit and at rest, regular security assessments, and strict access controls.

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

5. Data Retention

We retain your personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. When you delete your account, we will delete your personal information within 30 days, except where retention is required by law.

6. Your Rights and Choices

You have the right to:

• Access and receive a copy of your personal information
• Correct inaccurate or incomplete personal information
• Delete your personal information
• Restrict or object to certain processing of your information
• Data portability for information you provided to us

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and store information when you use our service. These help us remember your preferences, understand how you use our service, and improve your experience.

8. International Data Transfers

Your information may be processed and stored in countries other than your own. We ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy and applicable laws.

9. MCP Server and API Access

Esve offers a Model Context Protocol (MCP) server that allows AI assistants (such as Claude) and other MCP-compatible clients to read from and write to your Esve workspace. This section describes how data flows when you use the MCP server or our REST API.

What an authorized client can access

When you authorize a client via OAuth or issue it an API key, that client receives scoped access to the workspace you authorize. Access is limited to that single workspace; clients cannot enumerate or reach other workspaces you belong to. The client can read and modify the same records that the API tools expose, including:

• Invoices, bills, credit notes, and payment records
• Accounts, transactions, and journal entries
• Contacts (customers and vendors), including names, emails, addresses, tax IDs, and any bank details you’ve stored
• Documents and their OCR-extracted content
• Folders, tags, and workflow configuration
• Workspace settings and connected-integration status

Write-enabled tools are clearly marked in each tool’s annotations, and destructive operations (such as voiding an invoice or deleting a transaction) are flagged so that well-behaved clients can prompt you before executing them.

Authentication and credentials

The MCP server supports two authentication methods:

• OAuth 2.1 with PKCE — you approve each client via the standard authorization flow at esve.co. Access tokens are short-lived; refresh tokens are stored only by the client.
• API keys — you generate keys from Settings → Developer → MCP Keys. Keys are hashed with SHA-256 before being stored; the plaintext is only shown once at creation. You can revoke a key at any time from the same page, which takes effect immediately.

Every request is tied to the workspace the credential was issued for. We do not use OAuth tokens or API keys for any purpose other than serving MCP and API requests from the client that holds them.

Logging and AI provider handling

We log request metadata (timestamp, workspace ID, tool name, truncated parameters, and outcome) for operational monitoring, abuse detection, and troubleshooting. We do not log full tool payloads or returned records by default. Logs are retained for up to 90 days.

When you use a third-party MCP client such as Claude, the data Esve returns in response to a tool call is transmitted directly to that client, which then forwards it to its AI provider (e.g. Anthropic) according to their privacy policy. Esve is not a party to that transmission and does not control how the third-party AI provider uses, retains, or processes the data. Review the privacy policy of any MCP client you connect.

Revoking access

You can revoke an OAuth authorization or an API key at any time from Settings → Developer. Revocation is immediate: in-flight requests complete, and any subsequent call with the revoked credential is rejected.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the “Last updated” date. We encourage you to review this Privacy Policy periodically.

11. Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us at:

Email: privacy@esve.co
Address: Mah Technologies Inc., Floor 19, 700 2 St SW, Calgary, AB, Canada