Privacy Policy

Last updated: 9 June 2026

1. Controller

MCPShieldVow (“we”, “us”) is the data controller for personal data processed through the MCPShield console. Contact: privacy@mcpshield.dev.

2. Data categories we collect

  • Account data — email address, passkey public credential, display name.
  • Usage data — pages visited, features used, session timestamps (analytics cookies, only with consent).
  • Technical data — IP address, browser type, request logs (essential, 30-day retention).
  • MCP telemetry — tool-call events, sandbox outcomes, threat-intel signals your servers emit. No message content is stored unless you explicitly enable it.

3. Legal basis

  • Contract performance (Art. 6(1)(b) GDPR) — account data, technical logs, MCP telemetry needed to deliver the service.
  • Consent (Art. 6(1)(a) GDPR) — analytics and marketing cookies; you can withdraw at any time via the cookie banner.
  • Legitimate interests (Art. 6(1)(f) GDPR) — security monitoring, fraud prevention.

4. EU data residency

All personal data — PostgreSQL database, MinIO object store, Redis cache — resides on EU-region infrastructure (CONST-STACK-11). No personal data is transferred outside the EEA without Standard Contractual Clauses or an equivalent safeguard.

5. Retention

  • Account data: retained for the lifetime of the account.
  • Request logs: 30 days, then purged automatically.
  • MCP telemetry: 90 days (configurable per tenant).
  • Analytics data: 12 months in aggregate form.

6. Your rights

Under GDPR you have the right to access, rectify, erase, restrict processing, and port your data, and to object to processing based on legitimate interests.

  • Export — request a machine-readable copy of your data via your account settings.
  • Deletion — delete your account from account settings; all personal data is purged within 30 days.
  • Complaints — you may lodge a complaint with your national supervisory authority (e.g. CNPD in Portugal, CNIL in France).

7. Sub-processors

  • Hetzner / OVH — EU VPS hosting (infrastructure layer; no application-level access to personal data).
  • Cloudflare — DNS, CDN, DDoS protection (IP addresses processed at edge; data processing agreement in place).

8. Security

Data in transit is encrypted with TLS 1.2+. Data at rest is stored on encrypted volumes. Authentication uses Ed25519 JWT and WebAuthn passkeys. Access to production infrastructure is restricted to named engineers with MFA.

9. Cookies

We use three categories of cookies. Your choice is stored in localStorage and persists across sessions.

Category | Purpose | Consent required
Essential | Session authentication (httpOnly JWT refresh cookie), CSRF protection. | No
Analytics | Aggregate page-view and feature-use statistics (no cross-site tracking). | Yes
Marketing | Personalised content and ad measurement (only with explicit consent; no cross-site behavioural tracking). | Yes

Non-essential cookies are only set after you click “Accept all” in the consent banner. You can change your choice at any time by clearing your browser’s localStorage for this site.

10. Changes to this policy

Material changes will be announced via the console notification banner at least 14 days before they take effect. The “Last updated” date above reflects the most recent revision.

11. Contact / DPO

Data protection queries: privacy@mcpshield.dev. We respond to all requests within 30 days.