Privacy Policy

Last updated: 2026-05-22

This Privacy Policy explains what waybill.ge collects when you use the service, why we collect it, where it is stored, and how you can have it deleted. waybill.ge is operated as a hosted multi-tenant service that connects to Georgia's Revenue Service (rs.ge) on your behalf so that AI agents (such as Claude or Codex) can read, draft, and manage your waybills through the Model Context Protocol (MCP).

If anything below is unclear, email hello@waybill.ge.

1. Data we store

  • Account: your email address, an Argon2 hash of your password (never the password itself), the date you signed up, and timestamps for email verification.
  • RS.GE credentials: your rs.ge service-user username and password, plus your RS.GE payer id and service-user id. The service-user password is encrypted at rest using Fernet (AES-128-CBC with HMAC-SHA256) before it touches the database. The encryption key is held only by the waybill.ge application process; the database operator cannot read it.
  • API keys: only the hashed prefix of each API key is stored. The plaintext is shown to you exactly once on creation and cannot be recovered afterwards.
  • Usage events: one row per MCP tool call, recording the tool name, success/failure flag, latency, mapped error code (when applicable), and timestamp. The request and response payloads of tool calls are not stored. Waybill contents stay in rs.ge.
  • Billing: subscription state mirrored from our payment processor, plus an append-only log of payment-callback events. No card details ever reach our database - those are handled exclusively by our payment processor.
  • Audit events: security-relevant actions (sign-in, credential verification, credential disconnect, API-key create/revoke). Each audit row may carry the request IP and a short user-agent string.

2. What we do not store

  • The plaintext of your rs.ge service-user password.
  • The plaintext of your waybill.ge account password.
  • The plaintext of issued API keys after the moment of creation.
  • Waybill bodies, goods rows, buyer details, or invoice contents.
  • Any payment-card information.

3. Where data is stored

Application servers and the PostgreSQL database run on Railway's EU-Frankfurt region. Backups remain inside the EU. We do not transfer data to non-EU jurisdictions for storage.

4. Who we share data with

  • rs.ge (Georgian Revenue Service). When you ask waybill.ge to read or write a waybill, we make the request on your behalf using the service-user credentials you provided.
  • Our payment processor. They receive only what is needed to process a transaction (order id, amount, currency, success URL). They issue you a separate receipt and have their own privacy policy that governs that relationship.
  • AI clients you connect. When you authorize an MCP client (Claude, Codex, or another) to access waybill.ge, that client sees the responses of MCP tools you invoke. We do not proactively push data to AI clients - they only see what they explicitly request via an authorized session.
  • Email delivery. Verification emails are sent through a transactional email provider; that provider sees the destination address and subject line.
  • Cloudflare Web Analytics. Customer-visible pages load a small first-party-script-style beacon from static.cloudflareinsights.com. Cloudflare records the page URL, referrer, screen size, approximate country (derived from IP - the IP itself is not retained), and a coarse user-agent summary. No cookies are set, no cross-site identifier is assigned, and no client-side state persists between visits. We use this data only to count page views and understand which pages are reached.
  • Self-hosted Chatwoot live chat instance. Customer-visible pages carry a small inline bootstrap snippet that fetches the Chatwoot SDK (/packs/js/sdk.js) from our self-hosted Chatwoot deployment on Railway. If you open the chat panel and send a message, our Chatwoot instance stores: your conversation messages, your name and email if you provide them in the pre-chat form, your visitor IP address, user-agent / browser metadata, the page URL and referrer at the time of the chat, and a chat session identifier. Railway is the infrastructure provider hosting the Chatwoot application and database underneath. We use this data only to provide and audit customer support conversations.

We do not sell personal data. We do not run advertising or behavioural analytics on this dashboard. The Cloudflare Web Analytics integration above is cookieless and aggregate-only; it cannot identify a visitor across sessions.

5. Retention

  • Account and credentials: kept while your account exists. Deleted on request (see Section 7).
  • Usage events: kept for at least the current and previous billing period for quota and dispute resolution. Older rows may be aggregated or pruned for capacity.
  • Audit events: kept for at least 12 months. They may survive account deletion for legal hold, redacted of personal identifiers where possible.
  • Payment callbacks: kept for at least the duration required by Georgian tax law (currently 6 years).

6. Security

  • Database connections are over TLS.
  • The web surface is HTTPS only.
  • RS.GE credentials are Fernet-encrypted at rest.
  • Account passwords are stored as Argon2 hashes, salted per row.
  • Sensitive state-changing actions (disconnect RS.GE, generate or revoke API key) require a signed CSRF token bound to your authenticated session.
  • We do not claim a SOC 2 audit; we are an early-stage product and will update this section when our compliance posture changes.

7. Your rights and how to exercise them

You can request data export, correction, or deletion at any time by emailing hello@waybill.ge. We will respond within 30 days. Deletion removes your account, credentials, API keys, usage events, subscription records, and audit rows where legal retention does not require preservation.

You can disconnect your rs.ge credentials yourself at any time on the Connect RS.GE page. That clears all five rs.ge fields from your tenant record and stops every MCP tool that needs rs.ge until you reconnect.

8. Cookies

waybill.ge itself sets a single first-party cookie: a signed session cookie (HttpOnly, SameSite=Lax, Secure on HTTPS) that carries only your tenant id. We do not set advertising cookies. The Cloudflare Web Analytics beacon described in Section 4 is cookieless by design - it does not write any browser storage and cannot persist a visitor identifier.

The self-hosted Chatwoot live-chat widget (Section 4) writes its own first-party cw_conversation cookie so an open chat session persists when you navigate between pages or return later. The widget also writes to localStorage on your browser to keep the chat panel state in sync. Both are scoped to waybill.ge and are cleared when you clear your site data.

9. Changes to this policy

Material changes will be announced on this page with a new "Last updated" date. Continued use after a change constitutes acceptance.

10. Contact

Privacy questions: hello@waybill.ge.