Privacy Policy
Effective date: April 15, 2026
MCP Stone ("we", "us", "our") operates a zero-trust gateway for AI agents using the Model Context Protocol (MCP). This policy explains what data we collect, how we use it, how long we keep it, and what rights you have.
1. Data We Collect
Account Data
- Email address — provided during sign-up or via OAuth (GitHub).
- Display name and avatar — from your OAuth provider or manually entered.
- Organization name and slug — chosen during onboarding.
Configuration Data
- Server definitions — endpoint URLs, transport settings, and allowed methods for MCP servers you configure.
- Server credentials — API keys and tokens for upstream MCP servers, encrypted at rest with AES-256-GCM.
- Access policies — allow/deny rules controlling which agents can reach which tools on which servers.
- Agent tokens — JWT tokens issued to AI agents. We store a SHA-256 hash, never the raw token.
Audit Data
- Proxy requests — each request through the gateway generates an audit event containing: timestamp, agent ID, tool name, method, policy decision (allow/deny), latency, and error status.
- No request/response bodies — the proxy does not log the content of MCP messages.
- No IP addresses — the data-plane audit log does not record client IP addresses.
Billing Data
- Payment processing is handled entirely by Stripe. We store only a Stripe customer ID and subscription ID. We never see or store credit card numbers.
2. How We Use Your Data
- Service operation — to authenticate you, route MCP requests, enforce access policies, and display your dashboard.
- Auditing — to provide you with an audit trail of agent activity for security and compliance purposes.
- Billing — to manage your subscription and enforce usage quotas.
We do not sell your data. We do not use your data for advertising. We do not train AI models on your data.
3. Data Retention
- Audit events — retained for 90 days by default, then automatically deleted. This is configurable for self-hosted deployments.
- Revoked tokens — removed 30 days after revocation.
- Account data — retained until you delete your account.
- Configuration data — retained until you delete the resource or your account.
4. Your Rights
Under the GDPR and similar privacy regulations, you have the right to:
- Access — view all personal data we hold about you via your profile settings.
- Portability — export all your data as a JSON file via GET /api/v1/profile/export or the "Export Data" button in settings.
- Rectification — update your display name and organization name in profile settings.
- Erasure — delete your account and all associated data via the "Delete Account" option in profile settings. You can choose to keep or delete audit logs and configuration data separately.
- Restriction — deactivate your account without deletion by contacting us.
5. Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Authentication, application database | Account data, configuration data |
| Neon | Audit event storage | Audit events (no PII) |
| Stripe | Payment processing | Email, subscription plan |
| GitHub | OAuth authentication | Email, display name, avatar (read-only) |
| Plausible Analytics (self-hosted) | Aggregate visitor counts on mcpstone.com | Page URL, referrer, country (no IP retention, no cookies, no cross-site tracking) |
Visitor analytics is provided by a self-hosted Plausible instance at analytics.mcpstone.com. Plausible does not use cookies, does not track individuals across sites, and does not retain IP addresses — it stores only an aggregate per-day hash for deduplicating returning visitors. No data is shared with third parties. You can opt out by enabling Do Not Track in your browser.
6. Security
- All data in transit is encrypted via TLS.
- Server credentials are encrypted at rest using AES-256-GCM envelope encryption.
- Agent tokens are stored as SHA-256 hashes.
- Database access is controlled by row-level security policies.
- The data plane runs as a non-root process in a minimal container.
7. Contact
For privacy-related requests or questions, contact us at privacy@mcpstone.com.