Privacy Policy
Effective date: April 7, 2026 Last updated: April 7, 2026
This Privacy Policy describes how MCPR (“we”, “us”, “our”) collects, uses, and protects information when you use the mcpr open-source proxy and mcpr Cloud service at cloud.mcpr.app.
What we collect
Section titled “What we collect”Account data
Section titled “Account data”When you sign up for mcpr Cloud, we collect:
- Email address — used for authentication (magic link login) and service communications.
We do not collect passwords. Authentication is handled via magic link email.
MCP event metadata
Section titled “MCP event metadata”When your mcpr proxy syncs events to mcpr Cloud, we receive:
- Event metadata — method name (e.g.
tools/call), tool name, latency, status code, timestamps, session ID, client type (e.g. ChatGPT, Claude, VS Code). - Request/response sizes — byte counts only, not content.
We do not collect:
- Tool input parameters or arguments
- Tool response bodies or payloads
- User prompts or AI-generated content
- Any data your MCP tools process
The proxy is designed to send metadata only. Your actual MCP traffic stays between the AI client and your server.
Infrastructure data
Section titled “Infrastructure data”- IP address — logged transiently for rate limiting and abuse prevention. Not stored long-term or associated with your account.
- Tunnel metadata — subdomain, connection timestamps, and bandwidth usage for tunnel connections.
Usage data
Section titled “Usage data”- Dashboard interactions — pages visited, features used, time ranges queried. Used to improve the product.
How we use your data
Section titled “How we use your data”- Provide the service — display dashboards, compute health metrics, detect slow calls, group errors.
- Send service emails — magic link authentication, critical service notifications (outages, security issues). No marketing emails.
- Improve the product — aggregate, anonymized usage patterns to guide feature development.
- Prevent abuse — rate limiting, detecting malicious tunnel usage.
Data retention
Section titled “Data retention”- Event metadata — retained for 90 days, then permanently deleted.
- Account data — retained while your account is active. Deleted within 30 days of account deletion request.
- Tunnel logs — retained for 7 days.
Data sharing
Section titled “Data sharing”We do not sell your data. We do not share your data with third parties except:
- Infrastructure providers — we use cloud hosting to run the service. These providers process data on our behalf under data processing agreements.
- Legal requirements — if required by law, subpoena, or court order.
Data location
Section titled “Data location”Data is processed and stored in the United States.
Security
Section titled “Security”- All data in transit is encrypted via TLS.
- Magic link authentication — no passwords stored.
- Event data is isolated per project. Users can only access their own data.
Your rights
Section titled “Your rights”You can:
- Access your data through the mcpr Cloud dashboard.
- Delete your account and all associated data by contacting us.
- Export your event data via the dashboard.
To exercise any of these rights, email [email protected].
Open-source proxy
Section titled “Open-source proxy”The mcpr proxy is open-source (Apache 2.0) and runs entirely on your infrastructure. When used without mcpr Cloud, the proxy collects no data and makes no external network requests. Cloud sync is opt-in and requires explicit configuration.
Children
Section titled “Children”mcpr Cloud is not intended for use by anyone under 16. We do not knowingly collect data from children.
Changes
Section titled “Changes”We may update this policy. Material changes will be communicated via email to registered users. The “last updated” date at the top reflects the most recent revision.
Contact
Section titled “Contact”For privacy questions or data requests:
Email: [email protected]