Privacy Policy
Last updated: 2026-05-23
1. Who we are
Carrier is operated by Lifecycle Innovations Limited (“Carrier”, “we”, “us”), a company registered in England & Wales. Our registered address and company number are available upon request at privacy@carrier.llc.
This policy covers data collected when you use carrier.llc, the Carrier MCP server, and related services (collectively, the “Services”).
2. Data we collect
Account data
Email address, when you create an account or contact us. We do not collect your name unless you voluntarily provide it.
eSIMVault API tokens
When you authenticate with the Carrier MCP server, your eSIMVault API token is stored encrypted at rest in Cloudflare KV (AES-GCM encryption). Carrier never stores your token in plaintext. Carrier staff cannot read your token.
Tool invocation logs
Each MCP tool call generates a structured audit log entry written to Cloudflare Workers Analytics Engine (dataset: carrier_mcp_audit). Logs include: tool name, timestamp, HTTP status, latency, and anonymized user ID (hashed — not raw email). Logs are retained for 31 days, then automatically purged.
Usage metadata
Aggregate API call counts, error rates, and latency distributions. These are statistical — not linked to your identity.
3. How we use your data
- Authenticate you and route your API requests.
- Enforce usage limits per plan tier.
- Debug errors and improve service reliability.
- Send transactional emails (account events, billing notices) via Resend.
- Comply with legal obligations.
We do not sell your data. We do not use your data to train machine-learning models without your explicit consent.
4. Third-party processors
| Processor | Purpose | Data shared |
|---|---|---|
| Cloudflare | Hosting, KV, WAF, Analytics Engine | IP (proxied), request metadata |
| Sentry | Error tracking | Anonymized stack traces, error context |
| Resend | Transactional email | Email address, message content |
| Stripe (v1.1) | Billing | Email, payment method (tokenized) |
5. International data transfers
Cloudflare operates a global edge network; your data may be processed in the United States or other jurisdictions. Carrier relies on Cloudflare's Standard Contractual Clauses (SCCs) and GDPR-compliant data processing addendum for cross-border transfers. See cloudflare.com/privacypolicy.
6. Your rights
Under GDPR (if you are in the EEA/UK) and CCPA (if you are in California), you have the right to:
- Access — request a copy of data we hold about you.
- Deletion — request erasure of your account and associated data.
- Portability — receive your data in a machine-readable format.
- Correction — rectify inaccurate data.
- Opt-out (CCPA) — opt out of any sale of personal information (we do not sell data, but the right stands).
To exercise any right, email privacy@carrier.llc. We will respond within 30 days.
7. Cookies
Carrier's marketing site (carrier.llc) uses Google Analytics 4 (GA4), a third-party analytics service operated by Google, for aggregate traffic and site performance. GA4 may use cookies or similar technologies; see Google's Privacy Policy for how Google processes data. We also use Cloudflare Web Analytics (privacy-preserving, no cross-site tracking from that product). The MCP server sets an HTTP-only session cookie for OAuth 2.1 state; this cookie is strictly necessary and expires after the auth flow completes.
8. Data retention
- Tool invocation logs: 31 days (Workers Analytics Engine auto-purge).
- Account data: retained while your account is active. Deleted within 30 days of account closure on request.
- Error traces (Sentry): 90-day default retention.
9. Changes to this policy
We will notify account holders by email for material changes. Minor updates (e.g. typo fixes, link corrections) will be made without notice. The “Last updated” date at the top of this page reflects the most recent revision.
10. Contact
Privacy questions: privacy@carrier.llc
For disputes unresolved through direct contact, you have the right to lodge a complaint with your local data protection authority (UK: ICO at ico.org.uk).