Privacy Policy
Last updated: June 13, 2026
This policy explains what [COMPANY LEGAL NAME] ("MCPsnap", "we") collects when you use mcpsnap.com and the MCPsnap service, why we collect it, and the choices you have. We are the data controller for the personal data described here.
1. Data we collect
Account data
- Email address — used for magic-link sign-in (we never store passwords) and service emails. Authentication is provided by Supabase.
- Plan and preferences — your subscription tier, UI mode, and workspace settings.
Content you connect
- Crawled website content — when you connect a website, we fetch and store the readable text of its public pages to power your MCP server's search tool.
- API definitions and credentials — when you connect an API, we store your OpenAPI specification and, if provided, your API key or token. Credentials are encrypted at rest (AES-256-GCM), never logged, never shown back to you in full, and used only to call your API on your server's behalf.
Usage data
- Tool-call logs — when an AI agent calls one of your MCP servers we record the server, the tool name, and a timestamp, to power your analytics dashboard. For website-search tools we also record the search phrase (truncated). We do not log the arguments of API tool calls, since these may contain sensitive data.
- Technical data — IP addresses are processed transiently for rate limiting and abuse prevention; standard server logs may include IP, user agent, and requested URL.
Payment data
Payments are handled by our Merchant of Record (Lemon Squeezy; we may also use Paddle). We never receive or store your card details. We receive only your customer and subscription identifiers, plan, and subscription status, which we store to operate your account.
2. Why we process it (legal bases)
| Purpose | Data | Legal basis (GDPR) |
|---|---|---|
| Provide the Service (hosting your MCP servers) | Account, content, credentials | Contract performance |
| Sign-in and account security | Email, auth cookies | Contract performance |
| Billing and subscription management | Customer/subscription IDs, plan | Contract performance; legal obligation |
| Analytics shown to you about your servers | Tool-call logs | Contract performance; legitimate interest |
| Abuse prevention, rate limiting, security | IP, technical logs | Legitimate interest |
| Service emails (magic links, billing notices) | Email | Contract performance |
3. Public-by-design data
MCP server endpoints you create are public. Content your server returns (crawled text from your website, or responses from your API where you configured it) is delivered to whoever calls the endpoint, including third-party AI agents. Do not connect content you are not prepared to make public.
4. Third parties we share data with (subprocessors)
| Provider | Purpose | Data involved |
|---|---|---|
| Supabase | Database hosting and authentication | Account data, content, usage logs |
| Lemon Squeezy (and/or Paddle) | Payments, invoicing, tax (Merchant of Record) | Email, billing details (held by them) |
| [HOSTING PROVIDER — e.g., Vercel] | Application hosting and logs | Technical data |
We do not sell personal data, and we do not share it with advertisers. We may disclose data where required by law or to protect the Service and its users.
5. International transfers
Our providers may process data in the United States and other countries. Where required, transfers are protected by appropriate safeguards such as Standard Contractual Clauses entered into by our subprocessors.
6. Retention
- Account data — kept while your account is active; deleted within [30] days of account deletion.
- Crawled content — replaced on each re-crawl; deleted when you delete the server or your account.
- Encrypted API credentials — deleted when you delete the server or your account.
- Usage logs — retained up to [12] months, then deleted or aggregated.
- Billing records — retained as required by tax and accounting law.
7. Your rights
Depending on your location (e.g., GDPR, UK GDPR, CCPA/CPRA), you may have the right to access, correct, delete, export, or restrict processing of your personal data, and to object to processing based on legitimate interest. You can delete servers and your account from the dashboard, or contact privacy@mcpsnap.com. You may also lodge a complaint with your supervisory authority. We do not discriminate against you for exercising these rights, and we do not "sell" or "share" personal information as defined by the CCPA.
8. Security
We use industry-standard measures: encryption in transit (TLS), encryption of API credentials at rest, scoped multi-tenant access controls, SSRF-protected crawling, and rate limiting. No method is 100% secure; we will notify affected users of any breach as required by law.
9. Cookies
We use only essential cookies (authentication sessions) and a theme preference. See the Cookie Policy for details.
10. Children
The Service is not directed to children under 16, and we do not knowingly collect their data. If you believe a child has provided us data, contact us and we will delete it.
11. Changes
We will post any changes here and, for material changes, notify you by email or in-app notice at least 14 days before they take effect.
12. Contact
Data controller: [COMPANY LEGAL NAME], [REGISTERED ADDRESS] · privacy@mcpsnap.com
