Privacy Policy

1. Information We Collect

Account information: When you register, we collect your name, email address, and a hashed version of your password. We never store passwords in plaintext.

Usage data: We log MCP tool call events, including the tool name, timestamp, workspace ID, and response status code. We do NOT log the content of data returned from your connected services (e.g., actual order details, repository contents, or database rows).

Connection metadata: We store configuration about your integrations — such as which services you've connected, which tools are enabled, and connection names — but not the credential values themselves (those are encrypted before storage).

Payment information: Billing details such as credit card numbers are collected and processed directly by Stripe. We receive only a token and summary information (last 4 digits, card type, expiry). We do not store full card numbers.

Technical data: We may collect IP addresses, browser type, device information, and cookies for security, fraud prevention, and analytics purposes.

Communications: If you contact us by email or through our contact form, we retain that correspondence to respond to your inquiry.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and improve the Serve MCP platform
• Authenticate you and secure your account
• Process payments and manage subscriptions
• Send transactional emails (account verification, billing receipts, usage alerts)
• Monitor for abuse, fraud, and security incidents
• Provide customer support
• Analyze aggregate usage patterns to improve the product (we use anonymized, aggregated data only)
• Comply with legal obligations

We do not sell your personal information to third parties. We do not use your data to train AI models.

3. Data Storage and Security

Your data is stored on servers hosted by Vercel and its infrastructure partners in the United States.

We implement the following security measures:

• All third-party credentials encrypted at rest using AES-256-GCM
• Passwords hashed using bcrypt with a high work factor
• MCP bearer tokens hashed before storage (never stored in plaintext)
• All data transmitted over TLS/HTTPS
• Workspace-level data isolation
• Access controls limiting which employees can access production data

Despite these measures, no internet transmission or storage system is 100% secure. If you believe your account has been compromised, please contact us immediately at privacy@servemcp.com.

4. Third-Party Service Providers

We share limited data with trusted third parties to operate our platform:

• Stripe — Payment processing. Stripe processes billing information directly. See Stripe's Privacy Policy.
• Resend — Transactional email delivery (account verification, receipts, alerts).
• Vercel — Hosting and infrastructure. See Vercel's Privacy Policy.

We do not share your personal information with any third party for marketing or advertising purposes.

5. Cookies

We use the following types of cookies:

• Essential cookies: Required for authentication and session management. Cannot be disabled.
• Analytics cookies: Help us understand how users navigate the product. We use privacy-respecting analytics that do not share data with advertising networks.

You can control non-essential cookies through your browser settings. Disabling essential cookies will prevent you from logging in.

6. Data Retention

We retain your account data for as long as your account is active.

If you delete your account:

• Your personal account information is deleted within 30 days
• Connection configurations and workspace data are deleted within 30 days
• Usage logs (anonymized, without personal identifiers) may be retained for up to 12 months for aggregate analytics
• Billing records are retained for 7 years as required by financial regulations

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate personal data
• Deletion: Request deletion of your personal data (“right to be forgotten”)
• Portability: Request a machine-readable export of your data
• Objection: Object to certain processing activities

GDPR (EU/EEA users): If you are located in the European Economic Area, you have rights under the General Data Protection Regulation including the right to lodge a complaint with your local supervisory authority.

CCPA (California users): California residents have rights under the California Consumer Privacy Act, including the right to know, the right to delete, and the right to opt out of the sale of personal information (we do not sell personal information).

To exercise any of these rights, contact us at privacy@servemcp.com.

8. Children's Privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us at privacy@servemcp.com and we will promptly delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on our website at least 14 days before the changes take effect. Continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.

10. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

Email: privacy@servemcp.com
Or use our contact form.