Privacy Policy
Last updated: July 1, 2026
This describes what mcpauth actually collects and stores to run the service — not a generic template. If something below doesn't match what the product does, that's a bug in this page, not the product; please report it.
What we collect
- GitHub account info — when you sign in, GitHub gives us your email, name, and avatar URL. We don't receive or store your GitHub password.
- Projects and Clients — the MCP server URLs, project names, and OAuth client metadata (redirect URIs, client names) you register.
- Tokens, hashed — access tokens, refresh tokens, client secrets, and registration secrets are stored as SHA-256 hashes only. We can't recover the original value from what we store, the same way a password manager can't recover your master password.
- Usage data — a count of distinct token subjects per month, used to enforce plan limits and show usage on your dashboard. We don't log the content of requests your MCP server handles.
- Billing data — if you subscribe to Pro, Stripe collects and stores your payment details. mcpauth stores your Stripe customer and subscription IDs, plan status, and email — never your card number.
Who we share it with
We don't sell your data. We share what's necessary with the infrastructure that runs the service:
- GitHub — for sign-in (OAuth).
- Stripe — for billing and payment processing.
- Railway — hosts the Postgres database.
- Vercel — hosts the application and serves traffic.
- Google Analytics — aggregate site-traffic analytics, only if you accept the cookie banner. It runs on any page you consent on, including the dashboard, not just the marketing pages — see Cookies below.
Cookies
mcpauth sets one essential cookie to keep you signed in — a hashed session token, not a JWT with embedded data. That one isn't optional; without it you can't stay logged in.
Google Analytics is non-essential and only loads after you accept the cookie banner shown on your first visit. Decline (or ignore it) and no analytics cookies are set, on any page. Your choice is remembered in your browser; you can change your mind by clearing site data and reloading.
Data retention
We keep account, Project, and Client data for as long as your account is active. Revoked or expired tokens remain in the database (hashed, inactive) for now rather than being immediately purged, mainly for debugging and abuse investigation.
Deleting your data
There's no self-serve “delete account” button yet. To request deletion of your account and associated data, open an issue on the SDK repository from the email or GitHub account tied to your mcpauth account. We commit to completing deletion requests within 30 days.
Your rights (GDPR / UK GDPR)
If you're in the EU or UK, you have the right to access, correct, delete, restrict, or export the personal data we hold about you, and to object to how we process it. To exercise any of these, use the same channel as data deletion above — open an issue on the SDK repository from the email or GitHub account on your mcpauth account, and specify which right you're exercising. We respond within 30 days.
Our legal basis for processing: account and Project/Client data is processed under contract necessity (we can't run the service you signed up for without it); billing data is processed under contract necessity and, where applicable, legal obligation (tax/accounting records); analytics cookies are processed only under your consent, per the cookie banner. If you believe we haven't handled your data lawfully, you have the right to lodge a complaint with your local data protection supervisory authority.
Data leaves the EU/UK when processed by our infrastructure providers (GitHub, Stripe, Railway, Vercel, Google), each of which maintains its own cross-border transfer safeguards (e.g. Standard Contractual Clauses) as a condition of processing data on our behalf.
Children's privacy
mcpauth is a developer tool and isn't directed at children. We don't knowingly collect data from anyone under 13.
Changes to this policy
We'll update the “Last updated” date above whenever this policy changes.
Contact
Questions about this policy, or a data request? Open an issue on the SDK repository.