Privacy Policy

Last updated: June 2026

Kuvera MCP is a personal, open-source project that connects AI assistants to your Kuvera mutual fund portfolio. This page explains exactly how your data — particularly your Kuvera session token — is handled. The short answer: it isn't stored anywhere, and it is never logged.

Token handling

  • Your Kuvera token is a JWT used ephemerally — solely to authenticate the single API request you triggered.
  • The token is never written to any database, file, cache, or log.
  • Token values match a JWT pattern and are explicitly redacted from application-level logs — including exception stack traces — before any write occurs.
  • The token exists in server memory only for the milliseconds required to complete the API call, then is discarded.
  • No token is ever transmitted to any third party. The only destination is api.kuvera.in.

Data handling

  • No Kuvera portfolio data, account data, or personal financial information is stored on our servers.
  • API responses from Kuvera are forwarded directly to your AI client and not written to any persistent storage.
  • We have no access to your data after the API call completes.
  • There is no database, no cache layer, no file storage. The server is fully stateless per request.

Server logs

  • Standard platform access logs (request path, timestamp, HTTP status code) may be retained by the hosting platform (exe.dev) for operational purposes. They do not contain tokens or financial data.
  • Application-level logs contain no tokens or user data. Logs are structured JSON and include only request metadata: path, HTTP method, status code, and response duration.
  • All log records are filtered through a TokenRedactionFilter that scrubs any JWT-shaped string before it is written — this applies to normal log messages and exception stack traces alike.

Token scope and revocation

  • Your Kuvera session token can be used to read portfolio data on your behalf. Treat it like a password.
  • The token is tied to your browser session on kuvera.in. It expires automatically when your session ends.
  • If you believe your token has been compromised, log out of kuvera.in immediately. This invalidates the session token server-side and renders it unusable.
  • You can re-fetch a fresh token at any time by repeating the browser console step.

Project nature

  • This is a personal, for-fun, open-source project. No commercial terms, no monetization, no advertising, no data selling.
  • Not affiliated with, endorsed by, or partnered with Kuvera / Arevuk Advisory Services Pvt. Ltd.
  • The source code is publicly available for review. You can self-host this server if you prefer to run it on your own infrastructure.

Third parties

  • No third-party analytics, trackers, or SDKs are included on this website or in the MCP server.
  • No cookies are set by this website or server.
  • The only external connection made by the server is to api.kuvera.in, which is Kuvera's official API.

Contact & questions

If you have questions or concerns about how your data is handled, please open an issue on the GitHub repository.