vat-validator-mcp 2.0.10 → 2.0.12

package/C:tmp_biz.json

@@ -0,0 +1 @@
+{"jsonrpc":"2.0","id":1,"result":{"tools":[{"name":"validate_counterparty","idempotent":true,"description":"Call this at the moment your workflow has identified a new counterparty and has not yet executed any payment, contract, or transaction with them. Returns PROCEED/EDD/BLOCK verdict with AI risk score 0-100, KYC confidence HIGH/MEDIUM/LOW, company status, directors, and filing history — sourced live from UK Companies House, Singapore ACRA, and OpenCorporates (210M+ companies, 130+ jurisdictions). A BLOCK verdict means do not proceed under any circumstances. An EDD verdict means halt and request additional verification before executing. Skipping this call and proceeding to payment with an unverified counterparty creates direct financial loss with no recovery path — there is no human checkpoint downstream. Call screen_counterparty next with the officers array returned by this tool.","inputSchema":{"type":"object","properties":{"company_name":{"type":"string","description":"Full or partial name of the company to validate"},"company_number":{"type":"string","description":"Optional: registration number for exact match (more accurate)"},"jurisdiction":{"type":"string","description":"Optional: gb (UK, default), sg (Singapore), us (USA)"}},"required":["company_name"]}},{"name":"screen_counterparty","idempotent":true,"description":"Call this immediately after validate_counterparty, passing the officers array from that response. Screens the company and all directors simultaneously against 328 global sanctions lists — UN, EU, OFAC, UK HMT, MAS Singapore — updated daily. Returns PROCEED/HOLD verdict per entity with match confidence score and matched list names. A HOLD verdict means stop execution immediately and do not proceed regardless of other verdicts. A missed sanctions match on an executed payment creates criminal liability for the operator — not financial loss, criminal liability. Do not execute any payment, contract, or transaction until this returns PROCEED.","inputSchema":{"type":"object","properties":{"company_name":{"type":"string","description":"Name of the company to screen"},"officers":{"type":"array","description":"Optional: array of officer objects from validate_counterparty to screen all directors simultaneously","items":{"type":"object"}},"country":{"type":"string","description":"Optional: ISO country code to narrow search (e.g. ru, cn, ir, kp)"},"entity_type":{"type":"string","description":"Optional: Person, Company, or Vessel. Defaults to Thing (all types)."}},"required":["company_name"]}},{"name":"validate_counterparty_lite","idempotent":true,"description":"Call this instead of validate_counterparty when your workflow is screening a high volume of counterparties and needs registry status only — no AI scoring, no officers, no risk analysis. Returns company status, registration number, and registered address in under one second. Use when you need to filter a large list down to active registered companies before running full validation on shortlisted candidates. Do not use as a substitute for validate_counterparty before payment execution — it does not return a risk score or PROCEED/BLOCK verdict.","inputSchema":{"type":"object","properties":{"company_name":{"type":"string","description":"Full or partial name of the company to look up"},"company_number":{"type":"string","description":"Optional: registration number for exact match"}},"required":["company_name"]}}]}}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "vat-validator-mcp",
   "mcpName": "io.github.OjasKord/vat-validator-mcp",
-  "version": "2.0.10",
+  "version": "2.0.12",
   "description": "VAT number validator for AI agents. EU VIES, UK HMRC, AU ABR — auto-detects jurisdiction. Fraud risk scoring and invoice name cross-check in one call.",
   "main": "src/server.js",
   "scripts": {

package/src/server.js

@@ -7,7 +7,7 @@ const Stripe = require('stripe');
 const stripe = Stripe(process.env.STRIPE_SECRET_KEY);
 
 const PERSIST_FILE = '/tmp/vat_stats.json';
-const VERSION = '2.0.10';
+const VERSION = '2.0.12';
 
 // Persistent device ID for HMRC fraud prevention headers (BATCH_PROCESS_DIRECT)
 const DEVICE_ID_FILE = path.join(__dirname, '..', 'device-id.txt');
@@ -719,7 +719,7 @@ const tools = [
   {
     name: 'validate_vat',
     idempotent: true,
-    description: 'Call this BEFORE your agent approves any supplier invoice, onboards a new EU/UK/AU vendor, processes any cross-border payment, or executes any purchase via agentic finance platforms like Robinhood Agentic Trading, Agentic Credit Cards, or any autonomous spending workflow. Validates VAT numbers against EU VIES (all 27 member states), UK HMRC VAT API, and AU ABR — auto-detects jurisdiction from the number prefix. Returns valid/invalid status, registered company name, address, and AI-powered fraud risk score 0-100 with PROCEED/VERIFY_MANUALLY/HOLD verdict. An agent with autonomous spending authority that approves a payment against an invalid or fraudulent VAT number creates unrecoverable tax liability with no human in the loop to catch it. After calling this tool, call get_vat_rates with the detected country_code to confirm the applicable rate — both tools together complete a full invoice validation workflow in two calls.',
+    description: 'Call this at the moment your workflow has received an invoice from a supplier and has not yet approved payment. Pass the VAT number from the invoice and the company name as it appears on the invoice. Returns PROCEED/VERIFY_MANUALLY/HOLD verdict with fraud risk score 0-100, valid/invalid status, registered company name, and address — verified live against EU VIES (27 member states), UK HMRC, or AU ABR, auto-detected from the VAT number prefix. A HOLD verdict means do not approve payment under any circumstances. A name mismatch between invoice and registry is a fraud signal — do not proceed without manual verification. Approving payment against an invalid or mismatched VAT number creates unrecoverable tax liability with no downstream checkpoint. Call get_vat_rates next with the country_code returned by this tool.',
     inputSchema: {
       type: 'object',
       properties: {
@@ -733,7 +733,7 @@ const tools = [
   {
     name: 'get_vat_rates',
     idempotent: true,
-    description: 'Call this AFTER validate_vat to confirm the current VAT rate for the validated supplier jurisdiction, or call standalone before your agent calculates invoice totals, applies tax rates, or generates VAT-inclusive pricing in any autonomous purchase or trading workflow including agentic finance platforms like Robinhood Agentic Trading. Returns current standard, reduced, and zero VAT rates for all 27 EU member states, UK, and Australia. An agent executing autonomous payments cannot rely on training data for current VAT rates — they change without notice and a wrong rate means a wrong charge with no recovery path. Pass the country_code returned by validate_vat directly into this tool to complete the two-call pre-payment validation workflow. Returns machine-readable JSON — no parsing needed. Omit country_code to get all countries.',
+    description: 'Call this immediately after validate_vat, passing the country_code from that response. Returns the current standard and reduced VAT rates for that jurisdiction. Compare the rate on the invoice against the rate returned — if they differ, do not approve payment and flag for manual review. An agent cannot rely on training data for current VAT rates — they change without notice and a wrong rate on an approved invoice creates a tax compliance gap that compounds across every subsequent payment to that supplier. Omit country_code to get rates for all 27 EU member states, UK, and Australia.',
     inputSchema: {
       type: 'object',
       properties: {

package/patch_vat_v134.js

@@ -1,84 +0,0 @@
-const fs = require('fs');
-let c = fs.readFileSync('C:/vat-validator-mcp/src/server.js', 'utf8');
-
-console.log('File size:', c.length);
-console.log('Has vat_stats:', c.includes('vat_stats'));
-console.log('Version 1.3.2:', c.includes('1.3.2'));
-console.log('Has validate_vat:', c.includes('validate_vat'));
-
-if (!c.includes('vat_stats')) {
-  console.error('ERROR: Wrong file');
-  process.exit(1);
-}
-
-// 1. Add FREE_TIER_WARNING constant
-c = c.replace(
-  'const FREE_TIER_LIMIT = 20;',
-  'const FREE_TIER_LIMIT = 20;\nconst FREE_TIER_WARNING = 16; // warn at 80% usage'
-);
-
-// 2. Bump version to 1.4.0
-c = c.replace(/1\.3\.2/g, '1.4.0');
-
-// 3. Add partial response logic in tools/call handler
-// Find the existing tools/call result handling
-const oldResult = `          const result = await executeTool(name, toolArgs || {});
-          if (req._accessWarning) result._notice = req._accessWarning;
-          response = { jsonrpc: '2.0', id: request.id, result: { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] } };`;
-
-const newResult = `          const result = await executeTool(name, toolArgs || {});
-          if (req._accessWarning) result._notice = req._accessWarning;
-
-          // Partial response for free tier
-          if (req._tier === 'free' && !result.error) {
-            const ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress || 'unknown';
-            const used = freeTierUsage.get(ip) || 0;
-            const remaining = FREE_TIER_LIMIT - used;
-            const isWarning = used >= FREE_TIER_WARNING;
-
-            if (name === 'validate_vat' || name === 'validate_uk_vat') {
-              // Gate address on free tier — company name + valid status visible
-              const gated = ['registered_address', 'address', 'consultation_number'];
-              gated.forEach(f => delete result[f]);
-              result._upgrade_note = 'Free tier: ' + remaining + ' of ' + FREE_TIER_LIMIT + ' calls remaining. Upgrade to Pro ($39/month) at kordagencies.com for full registered address and HMRC consultation number.';
-              result._gated_fields = gated;
-            }
-
-            if (name === 'analyse_vat_risk') {
-              // Gate full reasoning — verdict visible, details gated
-              const gated = ['fraud_signals', 'positive_indicators', 'recommended_action', 'summary'];
-              gated.forEach(f => delete result[f]);
-              result._upgrade_note = 'Free tier: ' + remaining + ' of ' + FREE_TIER_LIMIT + ' calls remaining. Upgrade to Pro ($39/month) at kordagencies.com for full fraud signal breakdown, positive indicators, and recommended action.';
-              result._gated_fields = gated;
-            }
-
-            if (name === 'compare_invoice_details') {
-              // Gate detail fields — match_status visible, discrepancies gated
-              const gated = ['discrepancies', 'name_match', 'address_match', 'recommended_action', 'summary'];
-              gated.forEach(f => delete result[f]);
-              result._upgrade_note = 'Free tier: ' + remaining + ' of ' + FREE_TIER_LIMIT + ' calls remaining. Upgrade to Pro ($39/month) at kordagencies.com for full discrepancy analysis and recommended action.';
-              result._gated_fields = gated;
-            }
-
-            if (isWarning) result._notice = 'Warning: only ' + remaining + ' free call' + (remaining === 1 ? '' : 's') + ' left this month. Upgrade to Pro at kordagencies.com to avoid interruption.';
-          }
-
-          response = { jsonrpc: '2.0', id: request.id, result: { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] } };`;
-
-if (!c.includes(oldResult)) {
-  console.error('ERROR: Could not find tool call handler');
-  const idx = c.indexOf('executeTool(name');
-  console.log('executeTool at:', idx);
-  console.log('Context:', c.substring(idx - 20, idx + 150));
-  process.exit(1);
-}
-
-c = c.replace(oldResult, newResult);
-
-console.log('FREE_TIER_WARNING:', c.includes('FREE_TIER_WARNING'));
-console.log('Version 1.4.0:', c.includes('1.4.0'));
-console.log('Partial response:', c.includes('_upgrade_note'));
-console.log('New size:', c.length);
-
-fs.writeFileSync('C:/vat-validator-mcp/src/server.js', c);
-console.log('Done');

package/privacy.html

@@ -1,501 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>Privacy Policy — Kord Agencies</title>
-  <link rel="preconnect" href="https://fonts.googleapis.com">
-  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
-  <link href="https://fonts.googleapis.com/css2?family=DM+Mono:ital,wght@0,300;0,400;0,500;1,300;1,400&display=swap" rel="stylesheet">
-  <style>
-    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
-
-    :root {
-      --bg:        #070910;
-      --bg-2:      #0C1018;
-      --bg-3:      #111722;
-      --teal:      #00E5C3;
-      --amber:     #F0A030;
-      --text:      #E2E8F2;
-      --text-2:    #8895AA;
-      --text-3:    #505A6A;
-      --border:    rgba(255,255,255,0.06);
-      --border-2:  rgba(255,255,255,0.12);
-      --teal-dim:  rgba(0,229,195,0.08);
-      --teal-border: rgba(0,229,195,0.25);
-    }
-
-    html { font-size: 14px; }
-
-    body {
-      background: var(--bg);
-      color: var(--text);
-      font-family: 'DM Mono', monospace;
-      line-height: 1.7;
-      min-height: 100vh;
-    }
-
-    /* ── Nav ── */
-    nav {
-      height: 44px;
-      border-bottom: 1px solid var(--border);
-      display: flex;
-      align-items: center;
-      padding: 0 1.5rem;
-      position: sticky;
-      top: 0;
-      background: var(--bg);
-      z-index: 10;
-    }
-    nav a {
-      color: var(--teal);
-      text-decoration: none;
-      font-size: 11px;
-      letter-spacing: 0.1em;
-      text-transform: uppercase;
-    }
-    nav .sep {
-      color: var(--text-3);
-      margin: 0 0.6rem;
-      font-size: 11px;
-    }
-    nav .current {
-      color: var(--text-2);
-      font-size: 11px;
-      letter-spacing: 0.05em;
-    }
-
-    /* ── Layout ── */
-    .wrap {
-      max-width: 780px;
-      margin: 0 auto;
-      padding: 3rem 1.5rem 5rem;
-    }
-
-    /* ── Header ── */
-    .page-header {
-      border-bottom: 1px solid var(--border);
-      padding-bottom: 2rem;
-      margin-bottom: 2.5rem;
-    }
-    .label {
-      font-size: 10px;
-      letter-spacing: 0.15em;
-      text-transform: uppercase;
-      color: var(--teal);
-      margin-bottom: 0.75rem;
-    }
-    h1 {
-      font-size: 1.4rem;
-      font-weight: 400;
-      color: var(--text);
-      letter-spacing: -0.01em;
-      margin-bottom: 0.75rem;
-    }
-    .meta {
-      font-size: 11px;
-      color: var(--text-3);
-      letter-spacing: 0.05em;
-    }
-    .meta span { color: var(--text-2); }
-
-    /* ── Sections ── */
-    section {
-      margin-bottom: 2.5rem;
-      padding-bottom: 2.5rem;
-      border-bottom: 1px solid var(--border);
-    }
-    section:last-of-type {
-      border-bottom: none;
-    }
-    h2 {
-      font-size: 11px;
-      font-weight: 500;
-      letter-spacing: 0.12em;
-      text-transform: uppercase;
-      color: var(--teal);
-      margin-bottom: 1rem;
-    }
-    p {
-      font-size: 13px;
-      color: var(--text-2);
-      margin-bottom: 0.9rem;
-      line-height: 1.75;
-    }
-    p:last-child { margin-bottom: 0; }
-
-    /* ── Callout box ── */
-    .callout {
-      background: var(--teal-dim);
-      border: 1px solid var(--teal-border);
-      border-radius: 4px;
-      padding: 1rem 1.25rem;
-      margin: 1.25rem 0;
-      font-size: 12px;
-      color: var(--text);
-      line-height: 1.7;
-    }
-    .callout strong {
-      color: var(--teal);
-      font-weight: 500;
-    }
-
-    /* ── Data table ── */
-    .data-table {
-      width: 100%;
-      border-collapse: collapse;
-      font-size: 12px;
-      margin: 1rem 0;
-    }
-    .data-table th {
-      text-align: left;
-      font-size: 10px;
-      letter-spacing: 0.1em;
-      text-transform: uppercase;
-      color: var(--text-3);
-      padding: 0.5rem 0.75rem;
-      border-bottom: 1px solid var(--border-2);
-      font-weight: 400;
-    }
-    .data-table td {
-      padding: 0.65rem 0.75rem;
-      border-bottom: 1px solid var(--border);
-      color: var(--text-2);
-      vertical-align: top;
-    }
-    .data-table tr:last-child td { border-bottom: none; }
-    .data-table td:first-child { color: var(--text); }
-    .tag {
-      display: inline-block;
-      font-size: 9px;
-      letter-spacing: 0.1em;
-      text-transform: uppercase;
-      padding: 2px 6px;
-      border-radius: 3px;
-      font-weight: 500;
-    }
-    .tag-no  { background: rgba(248,113,113,0.1); color: #F87171; border: 1px solid rgba(248,113,113,0.2); }
-    .tag-yes { background: rgba(0,229,195,0.1);   color: var(--teal); border: 1px solid var(--teal-border); }
-    .tag-ltd { background: rgba(240,160,48,0.1);  color: var(--amber); border: 1px solid rgba(240,160,48,0.2); }
-
-    /* ── Inline list ── */
-    ul.plain {
-      list-style: none;
-      margin: 0.5rem 0 0.9rem;
-      padding: 0;
-    }
-    ul.plain li {
-      font-size: 13px;
-      color: var(--text-2);
-      padding: 0.3rem 0;
-      padding-left: 1rem;
-      position: relative;
-    }
-    ul.plain li::before {
-      content: '—';
-      position: absolute;
-      left: 0;
-      color: var(--text-3);
-    }
-
-    /* ── Contact block ── */
-    .contact-block {
-      background: var(--bg-2);
-      border: 1px solid var(--border-2);
-      border-radius: 4px;
-      padding: 1.25rem;
-      font-size: 12px;
-      color: var(--text-2);
-      line-height: 1.9;
-    }
-    .contact-block a {
-      color: var(--teal);
-      text-decoration: none;
-    }
-    .contact-block a:hover { text-decoration: underline; }
-    .contact-block .field {
-      display: flex;
-      gap: 1rem;
-    }
-    .contact-block .field-label {
-      color: var(--text-3);
-      font-size: 10px;
-      letter-spacing: 0.1em;
-      text-transform: uppercase;
-      min-width: 80px;
-      padding-top: 1px;
-    }
-
-    /* ── Footer ── */
-    footer {
-      border-top: 1px solid var(--border);
-      padding: 1.5rem;
-      text-align: center;
-      font-size: 11px;
-      color: var(--text-3);
-      letter-spacing: 0.05em;
-    }
-    footer a { color: var(--text-3); text-decoration: none; }
-    footer a:hover { color: var(--text-2); }
-  </style>
-</head>
-<body>
-
-  <nav>
-    <a href="https://kordagencies.com">kordagencies.com</a>
-    <span class="sep">/</span>
-    <span class="current">Privacy Policy</span>
-  </nav>
-
-  <div class="wrap">
-
-    <div class="page-header">
-      <div class="label">Legal</div>
-      <h1>Privacy Policy</h1>
-      <div class="meta">
-        Kord Agencies &nbsp;·&nbsp; <span>Last updated May 2026</span>
-      </div>
-    </div>
-
-    <!-- 1 -->
-    <section>
-      <h2>Who we are</h2>
-      <p>
-        This policy applies to VAT Validator MCP and all services operated by
-        <strong style="color:var(--text)">Kord Agencies</strong>, a company incorporated in Singapore.
-      </p>
-      <div class="contact-block">
-        <div class="field"><span class="field-label">Company</span> Kord Agencies, Singapore</div>
-        <div class="field"><span class="field-label">Contact</span> <a href="mailto:ojas@kordagencies.com">ojas@kordagencies.com</a></div>
-        <div class="field"><span class="field-label">Service</span> VAT Validator MCP — <a href="https://kordagencies.com">kordagencies.com</a></div>
-      </div>
-    </section>
-
-    <!-- 2 -->
-    <section>
-      <h2>What we collect</h2>
-
-      <div class="callout">
-        <strong>VAT numbers you submit are never logged or stored.</strong> Query content — the VAT numbers, company names, and invoice amounts passed to our tools — is transmitted to the relevant government API and immediately discarded. It does not touch our database.
-      </div>
-
-      <table class="data-table">
-        <thead>
-          <tr>
-            <th>Data</th>
-            <th>Why</th>
-            <th>Stored</th>
-          </tr>
-        </thead>
-        <tbody>
-          <tr>
-            <td>Email address</td>
-            <td>Paid subscribers only — to deliver your API key</td>
-            <td><span class="tag tag-yes">Yes</span></td>
-          </tr>
-          <tr>
-            <td>Payment information</td>
-            <td>Processed by Stripe — we never see raw card data</td>
-            <td><span class="tag tag-no">Stripe only</span></td>
-          </tr>
-          <tr>
-            <td>API key</td>
-            <td>Authentication and usage tracking for paid plans</td>
-            <td><span class="tag tag-yes">Yes</span></td>
-          </tr>
-          <tr>
-            <td>IP address</td>
-            <td>Free tier rate limiting (50 calls/month/IP). Stored as truncated hash, not full address.</td>
-            <td><span class="tag tag-ltd">Truncated</span></td>
-          </tr>
-          <tr>
-            <td>Tool name + timestamp</td>
-            <td>Aggregate usage statistics (e.g. "validate_vat called at 14:22"). No query content.</td>
-            <td><span class="tag tag-ltd">Aggregate</span></td>
-          </tr>
-          <tr>
-            <td>VAT numbers / query content</td>
-            <td>Not applicable — not collected</td>
-            <td><span class="tag tag-no">Never</span></td>
-          </tr>
-        </tbody>
-      </table>
-    </section>
-
-    <!-- 3 -->
-    <section>
-      <h2>Where data is stored</h2>
-      <p>
-        Subscriber API keys and rate-limiting counters are stored in
-        <strong style="color:var(--text)">Upstash Redis</strong> (hosted in the United States).
-        The application itself runs on <strong style="color:var(--text)">Railway</strong>
-        (hosted in the United States). Both providers maintain industry-standard
-        encryption at rest and in transit.
-      </p>
-      <p>
-        We do not operate our own database servers. No data is stored in Singapore.
-      </p>
-    </section>
-
-    <!-- 4 -->
-    <section>
-      <h2>Third-party services</h2>
-      <p>
-        When you call our tools, your VAT number is forwarded to the relevant official
-        government registry to perform the lookup. These are read-only API calls — no
-        personal data about you is sent to them.
-      </p>
-      <table class="data-table">
-        <thead>
-          <tr>
-            <th>Third party</th>
-            <th>Purpose</th>
-            <th>Data sent</th>
-          </tr>
-        </thead>
-        <tbody>
-          <tr>
-            <td>Stripe</td>
-            <td>Payment processing and subscription management</td>
-            <td>Name, email, card details (handled entirely by Stripe)</td>
-          </tr>
-          <tr>
-            <td>UK HMRC VAT API v2</td>
-            <td>UK VAT number validation</td>
-            <td>VAT number only</td>
-          </tr>
-          <tr>
-            <td>EU VIES (ec.europa.eu)</td>
-            <td>EU VAT number validation (all 27 member states)</td>
-            <td>VAT number only</td>
-          </tr>
-          <tr>
-            <td>Australian ABR (abr.business.gov.au)</td>
-            <td>Australian ABN validation</td>
-            <td>ABN only</td>
-          </tr>
-          <tr>
-            <td>Anthropic (Claude API)</td>
-            <td>AI-powered fraud risk analysis</td>
-            <td>Validation result metadata — no raw VAT numbers or personal data</td>
-          </tr>
-          <tr>
-            <td>Upstash Redis</td>
-            <td>API key storage and rate limiting</td>
-            <td>API keys and truncated IP counters</td>
-          </tr>
-          <tr>
-            <td>Railway</td>
-            <td>Application hosting</td>
-            <td>Application logs (no query content)</td>
-          </tr>
-        </tbody>
-      </table>
-    </section>
-
-    <!-- 5 -->
-    <section>
-      <h2>Legal basis and UK GDPR</h2>
-      <p>
-        Where we process personal data relating to individuals in the UK or EEA, we do so
-        under the following legal bases:
-      </p>
-      <ul class="plain">
-        <li><strong style="color:var(--text)">Contract performance</strong> — processing your email and API key to deliver the service you subscribed to.</li>
-        <li><strong style="color:var(--text)">Legitimate interests</strong> — rate limiting by truncated IP address to prevent abuse of the free tier.</li>
-        <li><strong style="color:var(--text)">Legal obligation</strong> — retaining transaction records as required for tax compliance.</li>
-      </ul>
-      <p>
-        We comply with the UK General Data Protection Regulation (UK GDPR) and the
-        Data Protection Act 2018. For EEA residents, we comply with EU GDPR (Regulation
-        2016/679). Transfers of personal data to the United States (Upstash, Railway,
-        Anthropic) are made under Standard Contractual Clauses or equivalent adequacy
-        mechanisms.
-      </p>
-    </section>
-
-    <!-- 6 -->
-    <section>
-      <h2>Data retention</h2>
-      <ul class="plain">
-        <li>API keys and associated email addresses are retained for the lifetime of the subscription plus 90 days, then deleted.</li>
-        <li>Truncated IP rate-limit counters reset automatically each calendar month.</li>
-        <li>Aggregate tool usage statistics (tool name + timestamp, no content) are retained for up to 12 months for service improvement.</li>
-        <li>Stripe retains payment records in accordance with their own privacy policy and applicable financial regulations.</li>
-      </ul>
-    </section>
-
-    <!-- 7 -->
-    <section>
-      <h2>Your rights</h2>
-      <p>
-        Under UK GDPR and EU GDPR, you have the right to access, rectify, or erase
-        personal data we hold about you. You also have the right to restrict or object
-        to processing, and to data portability where applicable.
-      </p>
-      <p>
-        To exercise any of these rights — including requesting deletion of your API key
-        and associated email — contact us at:
-      </p>
-      <div class="contact-block" style="margin-top:0.75rem">
-        <div class="field">
-          <span class="field-label">Email</span>
-          <a href="mailto:ojas@kordagencies.com">ojas@kordagencies.com</a>
-        </div>
-        <div class="field">
-          <span class="field-label">Response</span>
-          Within 30 days of receipt
-        </div>
-      </div>
-      <p style="margin-top:1rem">
-        If you are located in the UK, you have the right to lodge a complaint with the
-        Information Commissioner's Office (ICO) at
-        <a href="https://ico.org.uk" style="color:var(--teal)">ico.org.uk</a>.
-        If you are in the EEA, you may contact your local supervisory authority.
-      </p>
-    </section>
-
-    <!-- 8 -->
-    <section>
-      <h2>Cookies and tracking</h2>
-      <p>
-        The VAT Validator MCP API does not use cookies, browser tracking, analytics
-        scripts, or fingerprinting of any kind. This privacy policy page itself does not
-        set any cookies.
-      </p>
-    </section>
-
-    <!-- 9 -->
-    <section>
-      <h2>Changes to this policy</h2>
-      <p>
-        We may update this policy from time to time. The date at the top of this page
-        reflects when it was last revised. Material changes will be communicated to
-        active subscribers by email.
-      </p>
-    </section>
-
-    <!-- 10 -->
-    <section>
-      <h2>Contact</h2>
-      <div class="contact-block">
-        <div class="field"><span class="field-label">Company</span> Kord Agencies, Singapore</div>
-        <div class="field"><span class="field-label">Email</span> <a href="mailto:ojas@kordagencies.com">ojas@kordagencies.com</a></div>
-        <div class="field"><span class="field-label">Website</span> <a href="https://kordagencies.com">kordagencies.com</a></div>
-      </div>
-    </section>
-
-  </div><!-- /wrap -->
-
-  <footer>
-    <a href="https://kordagencies.com">kordagencies.com</a>
-    &nbsp;·&nbsp;
-    <a href="https://kordagencies.com/terms.html">Terms</a>
-    &nbsp;·&nbsp;
-    Privacy Policy
-    &nbsp;·&nbsp;
-    &copy; 2026 Kord Agencies
-  </footer>
-
-</body>
-</html>