Sub-processor disclosure
When you connect an AI assistant to hejGuide via MCP, parts of your hejGuide data — filtered to what the AI asks for — leave hejGuide and reach whichever AI provider your client uses. This page lists who that can be and under whose terms your data is then processed.
How the data flow works
The MCP server sits at mcp.hejguide.com. It exposes data via 40 tools. When your AI client (Claude Desktop, ChatGPT, Cursor, etc.) calls one of these tools, the response goes back through your AI client and into your AI provider's LLM context. From there it's subject to that provider's privacy terms.
hejGuide does not directly send your data to Anthropic, OpenAI, or any other AI provider. Your AI client does, after it received the data from us under your OAuth grant.
Likely sub-processors
The actual sub-processor depends on which AI client you use:
| AI client | AI provider receiving the data | Their privacy / data terms |
|---|---|---|
| Claude Desktop, claude.ai | Anthropic, PBC (United States) | anthropic.com/legal/privacy |
| ChatGPT | OpenAI, L.L.C. (United States) | openai.com/policies/privacy-policy |
| Cursor | Anysphere, Inc. / their model provider (often Anthropic or OpenAI) | cursor.com/privacy |
| Other MCP clients | Whichever AI provider that client routes to | See the client's own documentation |
What data may be exposed
- Booking metadata (dates, listing, status, source, amounts) — masked guest names by default
- Guest contact details (email, phone, full name) — only when you explicitly grant the PII scope AND the AI client passes
include_pii: truewith a reason - Reviews (content, score, host replies) — masked guest names
- Messages (subjects, bodies) — your own conversations, returned as-is
- Tasks, listings, rates, occupancy aggregates
You control all of this with per-scope toggles at the consent screen.
What stays inside hejGuide
- Authentication credentials (password, 2FA secrets)
- Payment / billing details (Stripe / Mollie tokens)
- Channel-manager credentials (Channex, iCal URLs)
- Audit logs and internal admin notes
- Other hosts' data — every query is strictly scoped to your account
Revoking access
Revoke any active MCP connection from your account settings. Revocation invalidates all tokens immediately; no further data flows through that grant.
Questions
GDPR or data-protection questions? Email privacy@hejguide.com.