Privacy Policy

1. Who we are

This Privacy Policy explains how MCPBay ("MCPBay", "we", "us", or "our") collects, uses, stores, shares, and protects your personal data when you visit our website and use our services. MCPBay is a catalog of Model Context Protocol (MCP) servers and a platform for hosting MCP servers for use with AI assistants.

MCPBay is currently a trading name operated by an individual (a sole proprietorship). A United States limited liability company (LLC) is in the process of formation; once it is registered, this policy will be updated with the registered entity's legal name and address, and that entity will become the data controller. Until then, the individual operator is responsible for the processing described here.

For any privacy question, request, or concern, you can reach us at support@mcpbay.pro. This address is our designated contact for all data-protection matters.

2. Scope

This policy applies to:

the MCPBay website at mcpbay.pro and its subdomains;
your account and the features you use while signed in (catalog, submissions, hosting, the secrets cabinet, and usage history);
MCP servers we host on your behalf on *.run.mcpbay.pro, with respect to the data we process to operate that hosting.

This policy does not cover the independent data practices of third-party MCP servers listed in our catalog or operated by other developers, nor the practices of the AI clients you connect to those servers. Those services have their own privacy policies, which govern any data you share with them. See Section 12.

3. Information we collect

We collect only the data we need to run the service. The categories below describe everything we hold.

Account information

When you create an account we collect your email address, your login/username, your preferred language, and your email-verification status. Your password is stored only as an Argon2 hash — we never see, log, or store your plaintext password. If you enable two-factor authentication, we store an encrypted TOTP secret used to verify your one-time codes.

Providing account data is a contractual requirement: it is necessary to create an account and use the service. If you do not provide it, we cannot create your account or provide the service to you.

Security & audit logs

To keep your account safe, we record security-relevant events — successful and failed sign-ins, password changes, email changes, two-factor toggles, and role changes — together with the IP address, browser/user-agent string, and timestamp associated with each event. If you delete your account, we retain an anonymized audit snapshot of the deletion for security and compliance.

Catalog submissions

When you submit a server to the catalog, we collect the server's name, URL, tagline, description, and category, along with the author name and contact email you provide. We also record the IP address, browser/user-agent string, and a consent timestamp at the moment of submission, to evidence your agreement and to deter abuse.

Hosting (GitHub) data

If you choose to host an MCP server from a GitHub repository, we collect your GitHub account ID, login, and public email; the GitHub App installation ID; the repository URL, branch, and Dockerfile path; and the deployment state of your hosted server. A short-lived GitHub access token is used once to verify your identity and repository ownership and is not stored.

Stored credentials (secrets cabinet)

If you store third-party API keys or other secrets so they can be injected into your hosted servers, we encrypt each secret with AES-256-GCM envelope encryption. We store only the ciphertext and the last four characters (for display so you can recognize a key); the plaintext value is never persisted. Access to stored credentials is logged.

Usage data

When you have linked your account and saved a server, we record per-user tool-call events for your usage history: the server, the tool name, the success/error status, the call duration, the timestamp, a paid flag, and any credits charged. We do not record the arguments or payloads you send, the responses you receive, your IP address for these events, or error message text. Separately, we keep anonymous, aggregate tool-usage statistics — counts and trends with no user identity attached — for platform analytics.

Billing data

For paid features we maintain your wallet balance, a credit ledger, and the price charged for each chargeable action. We do not collect or store card or payment-card data — no payment processor is connected at this time.

Cookies & local storage

We use the minimum browser storage needed to keep you signed in and remember your preferences:

mcpbay_session — a session cookie that keeps you signed in. It is HttpOnly, Secure, and SameSite=Strict, and lasts about 7 days.
A short-lived (about 10-minute) GitHub OAuth-state cookie that acts as a CSRF nonce while you connect your GitHub account.
localStorage values for your theme, language, a small authentication snapshot, and account-mode preference, plus a sessionStorage flag.

We use no third-party analytics or advertising cookies at this time.

Sources of personal information

We collect the information above from the following sources:

Directly from you — for example, the account, submission, billing, and credential information you provide.
From GitHub, when you connect your GitHub account to host a server (your GitHub ID, login, public email, and installation details).
Automatically from your device, browser, and usage — for example, IP address and user-agent in security logs and submissions, cookies and local storage, and per-user tool-call events.

4. How we use it

We use your information for the following business and commercial purposes:

to operate and provide the website, catalog, and your account;
to authenticate you and keep your account and sessions secure;
to protect the platform against fraud, abuse, and security threats;
to send you transactional email, such as email verification and password-reset messages;
to host the MCP servers you choose to deploy and to inject the credentials you have authorized;
to meter usage and process credits and billing for paid features;
to moderate catalog submissions and maintain catalog quality;
to maintain anonymous, aggregate analytics about platform usage; and
to comply with our legal obligations and enforce our terms.

No automated decision-making. We do not engage in automated decision-making or profiling that produces legal effects concerning you or that similarly significantly affects you.

5. Legal bases (GDPR)

If you are in the European Economic Area or the United Kingdom, we process your personal data on the following legal bases under the GDPR / UK GDPR:

Performance of a contract — to create and operate your account, provide hosting, store the credentials you choose, and meter and bill for paid features.
Legitimate interests — to secure the platform, prevent and detect abuse, and maintain anonymous aggregate analytics, balanced against your rights and freedoms.
Consent — for example, the consent you give when submitting a server, and any future analytics or non-essential cookies (which we do not currently use). You may withdraw consent at any time.
Legal obligation — where we must process or retain data to comply with applicable law.

6. How we share

We share personal data only with the service providers (sub-processors) that help us run the platform, and only as needed for them to perform their function:

vpsserver.com — virtual private server and database hosting.
Fly.io — the runner infrastructure for hosted MCP servers.
Zeptomail / Zoho — transactional email delivery.
GitHub — OAuth sign-in for hosting and access to your repository source.
Let's Encrypt — issuance of TLS certificates.

We do not sell personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined under California law.

We may also disclose personal data where required to comply with applicable law, regulation, legal process, or an enforceable governmental request, or to protect the rights, property, or safety of MCPBay, our users, or the public. If MCPBay is involved in a merger, acquisition, financing, or sale of assets, personal data may be transferred as part of that transaction, subject to this policy.

7. International transfers

We are based in, and process data in, the United States, and our sub-processors may process data in the United States and other countries. If you access the service from outside the United States, your personal data will be transferred to and processed in the United States. Where transfers of personal data from the EEA, the UK, or Switzerland are subject to data-protection law, we rely on appropriate safeguards — such as the European Commission's Standard Contractual Clauses (SCCs) — where required.

8. Retention

We keep personal data only for as long as we need it for the purposes described above:

Usage events — retained for approximately 90 days.
Security & audit logs — retained longer than usage events, for security and integrity purposes.
Catalog submissions — retained for as long as the listing is part of the catalog.
Stored credentials — retained until you revoke or delete them.
Account data — retained until you delete your account.

When you delete your account, we perform a hard delete of your account data, while retaining an anonymized audit snapshot of the deletion for security and compliance. Cleanup of hosted applications and uploaded icons happens separately as part of the deletion process.

9. Your rights

EEA / UK (GDPR & UK GDPR)

If you are in the EEA or the UK, you have the right to:

access the personal data we hold about you;
rectify inaccurate or incomplete data;
erase your data ("right to be forgotten");
restrict processing in certain circumstances;
data portability — receive your data in a portable format;
object to processing based on legitimate interests;
withdraw consent at any time, where processing is based on consent; and
lodge a complaint with your local supervisory authority.

As noted in Section 4, we do not engage in automated decision-making or profiling that produces legal or similarly significant effects.

California (CCPA / CPRA)

If you are a California resident, you have the following rights with respect to your personal information:

Right to know / access — to request the categories and specific pieces of personal information we have collected about you. This right covers the 12-month period preceding your request.
Right to delete — to request deletion of personal information we hold about you.
Right to correct — to request correction of inaccurate personal information.
Right to opt out of the sale or sharing of personal information — we do not sell or share your personal information, so there is nothing to opt out of.
Right to limit the use of sensitive personal information — we do not use sensitive personal information for inferences or for any purpose that would trigger this right, so it does not arise; we will honor it if our practices ever change.
Right to non-discrimination — we will not discriminate against you for exercising any of these rights.
Authorized agents — you may use an authorized agent to submit a request on your behalf, subject to verification.

How to exercise your rights

You can exercise your rights in more than one way:

email us at support@mcpbay.pro; or
use the in-app controls in your account — including account deletion, revoking stored credentials in the secrets cabinet, and disconnecting your GitHub account.

We may need to verify your identity before acting on a request, and we will respond within the timeframes required by applicable law.

10. Security

We take reasonable technical and organizational measures to protect your personal data, including:

TLS encryption for data in transit;
Argon2 hashing of passwords (we never store plaintext passwords);
AES-256-GCM envelope encryption for stored credentials;
least-privilege database roles and restricted write paths;
audit logging of security-relevant and credential-access events.

No method of transmission or storage is 100% secure, so while we strive to protect your data, we cannot guarantee absolute security.

11. Children

The service is not directed to children. We do not knowingly collect personal information from children under 13 years of age (the threshold under the U.S. Children's Online Privacy Protection Act, COPPA) or from children under 16 years of age (the digital-consent age under the EU GDPR). If you believe a child has provided us with personal information, please contact us at support@mcpbay.pro and we will take steps to delete it.

12. Third-party MCP servers & links

Our catalog lists, and our platform may host, MCP servers operated by other developers. These third-party MCP servers have their own data practices, and any data you send to them through your AI client is governed by their terms and privacy policies, not ours. We are not responsible for the content, security, or data handling of third-party servers, AI clients, or any external sites linked from our pages. We encourage you to review the privacy policy of any third-party service before you use it.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by appropriate means (for example, by email or an in-app notice). The "Effective" date at the top of this page always shows when the current version took effect. Your continued use of the service after an update means you accept the revised policy.

14. Contact

If you have any questions, requests, or complaints about this Privacy Policy or how we handle your personal data, contact us at support@mcpbay.pro. Once our U.S. LLC is formed, this section will be updated with the registered entity's legal name and address, which will serve as the data controller of record.