Last Updated: February 26, 2026
This Privacy Policy describes how Metavert LLC ("we," "us," or "our") collects, uses, and protects information in connection with LastSaaS and the LastSaaS MCP (Model Context Protocol) server (collectively, the "Service").
1. Overview
LastSaaS is an open-source, self-hosted SaaS platform foundation. It provides multi-tenant account management, authentication, Stripe billing, API keys, webhooks, admin tools, and system health monitoring. It can be extended with the LastSaaS MCP server, which enables AI assistants (such as Claude Code, Claude Desktop, or other MCP-compatible clients) to query admin data programmatically using read-only tools.
2. Information Collected by the Platform
2.1 User Account Data
When end users register on a LastSaaS-powered application, the platform stores:
- Email addresses and display names
- Passwords (bcrypt-hashed; plaintext passwords are never stored)
- OAuth provider identifiers (Google, GitHub, Microsoft) if social login is used
- MFA/TOTP secrets (encrypted) and recovery codes (hashed)
- JWT refresh tokens and session metadata
- Email verification and password reset tokens (temporary)
2.2 Tenant and Team Data
- Tenant names, slugs, and settings
- Team membership records with roles (owner, admin, user)
- Team invitation records
- Per-tenant activity logs
2.3 Billing Data
- Stripe Customer IDs, Subscription IDs, and Invoice references
- Plan assignments, credit balances, and transaction history
- Promotion code usage records
Note: Payment card numbers, bank details, and sensitive financial information are handled entirely by Stripe and are never stored in the LastSaaS database. LastSaaS stores only Stripe reference identifiers.
2.4 System and Operational Data
- System health metrics (CPU, memory, disk usage, HTTP stats, MongoDB stats)
- System logs with severity levels
- API key metadata (SHA-256 hashed; raw keys shown only at creation)
- Webhook configurations and delivery attempt records
- Runtime configuration variables
2.5 MCP Server Data
The LastSaaS MCP server is strictly read-only. When used over MCP, it:
- Reads admin data via the LastSaaS HTTP API (dashboards, users, tenants, financials, logs, health metrics)
- Does not modify any data — all 26 tools are read-only with no write operations
- Does not log or store MCP interactions beyond standard HTTP access logs
- Does not transmit data to Metavert LLC or any third party — all data flows directly between the MCP client and your LastSaaS instance
2.6 Information We Do NOT Collect
LastSaaS does not collect:
- Usage telemetry, analytics, or crash reports sent to Metavert
- Conversation data from AI assistants (the MCP server only sees the specific tool calls directed to it)
- IP addresses or geolocation data beyond what your web server logs
- Tracking cookies or advertising identifiers
3. How Information Is Used
All data stored by LastSaaS is used solely to:
- Authenticate users and manage sessions
- Enforce tenant isolation and role-based access control
- Process billing through Stripe (subscriptions, credits, invoices)
- Deliver outgoing webhooks to configured endpoints
- Monitor system health and display admin dashboards
- Generate system logs for debugging and audit purposes
We do not use any data for advertising, profiling, model training, or any purpose other than operating the SaaS platform.
4. Data Storage and Security
4.1 Self-Hosted Architecture
LastSaaS is self-hosted software:
- Database: All data is stored in a MongoDB instance that you provision and control. You choose the provider, region, and access policies.
- Application: The LastSaaS server runs on infrastructure you deploy (e.g., Fly.io, AWS, your own servers). Metavert LLC does not host or have access to your running instances.
- MCP Server: Runs locally on your machine as a stdio process. It connects only to your LastSaaS instance via HTTP — no other network connections are made.
4.2 Security Measures
- Passwords hashed with bcrypt
- JWT tokens with refresh token rotation and family-based revocation
- API keys stored as SHA-256 hashes
- Webhook secrets encrypted with AES-256-GCM at rest
- Rate limiting on authentication endpoints
- Security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
- NoSQL injection protection and XSS sanitization
- HMAC-SHA256 webhook payload signing
- Idempotent webhook processing via unique event ID index
- System log injection detection with automatic critical alerts
5. Third-Party Services
5.1 Stripe
Billing is processed through Stripe, which handles payment card data, tax calculation, and invoice generation according to Stripe's Privacy Policy. LastSaaS transmits only the minimum information needed to create Stripe customers and process payments.
5.2 MongoDB Atlas
If you use MongoDB Atlas for hosting, your data is subject to MongoDB's Privacy Policy. You configure and control your own Atlas account.
5.3 Resend
Transactional emails (verification, password reset, invitations) are sent via Resend, subject to Resend's Privacy Policy. Only recipient email addresses and email content are transmitted.
5.4 OAuth Providers
If you enable Google, GitHub, or Microsoft OAuth, those providers process authentication data according to their respective privacy policies. LastSaaS stores only the provider user ID for account linking.
5.5 MCP Client Providers
When using LastSaaS through an MCP client (e.g., Claude Code by Anthropic), the MCP client may process tool call data according to its own privacy policy. LastSaaS has no control over how MCP clients handle data. Please review the privacy policy of your MCP client provider:
- Anthropic Privacy Policy (for Claude Code, Claude Desktop)
Note: Anthropic collects tool call parameters and responses as telemetry when you use Claude with MCP servers. Refer to Anthropic's privacy policy for details on their data handling practices.
5.6 Hosting Providers
If you deploy LastSaaS on a cloud platform (Fly.io, AWS, etc.), that provider's privacy policy governs their handling of your server infrastructure. LastSaaS itself does not transmit data to any hosting provider beyond normal server operation.
6. Data Retention
- User data: Retained until deleted by the user (self-service account deletion) or by an admin. Users can export their data via the data export feature.
- Tenant data: Retained until the tenant is deleted by an admin.
- Billing records: Retained for the lifetime of the platform for accounting and audit purposes. Stripe maintains its own records per their retention policies.
- System logs: Retained according to operator configuration. Default log retention is indefinite in MongoDB.
- Health metrics: Automatically purged after 30 days via MongoDB TTL indexes.
- Sessions: Refresh tokens expire after 7 days. Tokens are revoked on password change or explicit logout.
Since you control the database, you have full authority over data retention and deletion.
7. Data Sharing
We do not:
- Sell your data or your users' data to third parties
- Share data with advertisers
- Use data for AI model training
- Access your database or deployed instances
Data is shared only as the platform operator directs — through configured webhooks, API key access, or Stripe billing interactions.
8. Your Rights and Controls
Because LastSaaS is self-hosted, operators have direct control over all data:
- Access: Query your MongoDB database directly at any time
- Export: Use MongoDB tools (mongodump, mongoexport), the admin CSV export feature, or the user data export feature
- Delete: Remove users, tenants, and data through the admin interface or direct database operations
- Portability: Your MongoDB database is yours; migrate it at any time
- User self-service: End users can view, export, and delete their own data through the settings interface
9. Children's Privacy
LastSaaS is a SaaS platform tool intended for use by businesses and adults. We do not knowingly collect information from children under 13 years of age.
10. International Data
Since you choose your MongoDB hosting region and application deployment location, you control where data is stored geographically. LastSaaS itself does not transfer data across borders beyond what is required by your configured third-party services (Stripe, Resend, OAuth providers).
11. Open Source
LastSaaS is open-source software licensed under the MIT License. You can review the complete source code at github.com/jonradoff/lastsaas to verify data handling practices.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or LastSaaS's data practices, please contact us:
- Email: privacy@metavert.io
- GitHub: github.com/jonradoff/lastsaas/issues
Metavert LLC
This policy applies to LastSaaS software and the LastSaaS MCP server.