MCPSafe.io

Privacy Policy

Last updated: May 5, 2026

Contents

  1. Who we are
  2. What data we collect and why
  3. Automated decision-making
  4. Cookies
  5. Sub-processors
  6. Your rights under GDPR
  7. How to exercise your rights
  8. Data retention
  9. International transfers
  10. Changes to this policy

1. Who we are

Data controller: MCPSafe, Essen, Germany

Contact: info@mcpsafe.io

MCPSafe ("we", "our", "us") operates the security scanning service at mcpsafe.io. We help developers assess the safety of MCP (Model Context Protocol) servers before installation. German law (BDSG + GDPR) applies to all data processing.

2. What data we collect and why

Account data

What: Email address, hashed password (or OAuth name + email)

Why: To create and manage your account

Lawful basis: Contract (Art. 6(1)(b) GDPR)

Retention: Until account deletion

Scan history

What: Package URLs/names you submit, scan results, the scan_id ↔ user_id link

Why: To perform the scan and let you see your past scans. Public scan results for the same package are shared across users via a separate cache that does not contain your identity.

Lawful basis: Contract (Art. 6(1)(b) GDPR)

Retention: 90 days, or until account deletion (whichever is earlier). Public results in the shared cache remain anonymous, without any link to you.

API key audit log

What: API key creation and revocation events (key_id, prefix, source IP, label, timestamp)

Why: Account-takeover detection, fraud investigation, and compliance audit trail.

Lawful basis: Legitimate interest (Art. 6(1)(f) GDPR) — keeping accounts and the platform secure.

Retention: 1 year, then automatically deleted (DynamoDB TTL). Cleared earlier on account deletion.

Billing data

What: Subscription tier, billing email, customer ID, invoice events. Card details are stored only by Stripe — we never see them.

Why: To process subscriptions and generate invoices.

Lawful basis: Contract (Art. 6(1)(b) GDPR) + legal obligation (German tax law, Art. 6(1)(c) GDPR)

Retention: Subscription records until cancellation; invoice records 10 years (German tax retention requirement).

Usage analytics

What: Page views, feature usage (via PostHog)

Why: To understand how developers use our scanner

Lawful basis: Consent (Art. 6(1)(a) GDPR) — only collected if you accept analytics cookies

Retention: 2 years (PostHog)

IP addresses

What: IP address (hashed) for rate limiting

Why: Abuse prevention. IPs are hashed after 24 hours and deleted after 7 days.

Lawful basis: Legitimate interest (Art. 6(1)(f) GDPR)

Retention: 7 days

Referral attribution

What: A referral code stored in a first-party cookie (mcpsafe_ref) when you arrive via a ?ref= link

Why: So a referral discount can be applied if you sign up. The cookie holds only the referral code — no identifiers.

Lawful basis: Legitimate interest (Art. 6(1)(f) GDPR) — first-party attribution required to honor a discount you initiated by clicking the share link.

Retention: 30 days, or until consumed at signup (whichever is earlier).

Code snippets (LLM analysis)

What: Targeted code excerpts from the package under review

Why: Sent to third-party LLM providers for security analysis. Only targeted excerpts — never the full source tree. Not used to train models under our API agreements.

Lawful basis: Contract (Art. 6(1)(b) GDPR)

3. Automated decision-making (Art. 22 GDPR)

MCPSafe produces automated security grades (A–F) for MCP servers using static analysis, rule engines, and AI models. These grades are informational only — they do not constitute an automated individual decision with legal or similarly significant effect within the meaning of Art. 22 GDPR. You retain full control over whether to install a package.

No profiling is performed on users. Grades are derived solely from the content of the package being scanned, not from any personal data about the person requesting the scan.

4. Cookies

We use strictly necessary cookies for authentication and optional analytics cookies (PostHog) only with your consent. See our Cookie Policy for the full inventory.

5. Who we share data with (sub-processors)

We use the third-party services below to operate MCPSafe. Where data leaves the EEA, the transfer is governed by Standard Contractual Clauses (SCCs) per Art. 46(2)(c) GDPR. We do not sell your data to any third party.

| Sub-processor | Role | Region | Transfer mechanism | Privacy policy |
|---|---|---|---|---|
| AWS | Hosting, database, compute, email (SES) | eu-west-1 (Ireland), eu-central-1 (Frankfurt) | EU/EEA — none required | Policy ↗ |
| Stripe | Payment processing, invoicing | US | SCCs (Art. 46(2)(c) GDPR) | Policy ↗ |
| Vercel | Frontend CDN and edge runtime | Global edge; primary US | SCCs | Policy ↗ |
| Anthropic API | LLM consensus on code snippets | US | SCCs; data retained ≤30 days, no model training | Policy ↗ |
| OpenAI API | LLM consensus on code snippets | US | SCCs; data retained ≤30 days, no model training under our API agreement | Policy ↗ |
| Mistral La Plateforme | LLM consensus on code snippets | EU (France) | EU/EEA — none required | Policy ↗ |
| Google AI (Gemini Flash) | LLM consensus on code snippets | US | SCCs | Policy ↗ |
| AWS Bedrock | LLM consensus (managed model gateway) | us-east-1 (data does not leave the model gateway; not used for training) | SCCs | Policy ↗ |
| PostHog (EU cloud) | Product analytics (consent-gated) | EU | EU/EEA — none required | Policy ↗ |
| GitHub OAuth (optional) | Sign-in provider | US | SCCs | Policy ↗ |
| Google OAuth (optional) | Sign-in provider | US | SCCs | Policy ↗ |

Code snippets sent to LLM providers are short, targeted excerpts — never your full source tree. None of the providers above use MCPSafe customer data to train their models, per their API agreements with us.

Customers on Team and Business plans can request a Data Processing Agreement (DPA) by emailing info@mcpsafe.io.

6. Your rights under GDPR

Right to access

Request a copy of all data we hold about you.

Right to rectification

Ask us to correct inaccurate data.

Right to erasure

Delete your account and all associated data.

→ Delete account in Settings

Right to data portability

Export your scan history as JSON.

→ Export data in Settings

Right to object

Object to processing based on legitimate interest (e.g. IP hashing for rate limiting).

Right to restrict processing

Ask us to pause processing while a dispute is resolved.

Right to withdraw consent

Change your cookie preferences at any time.

→ Manage cookie preferences

7. How to exercise your rights

Email info@mcpsafe.io. We respond within 30 days as required by GDPR Art. 12.

If you are unsatisfied with our response, you have the right to lodge a complaint with the supervisory authority in your EU member state or, as our lead authority, in Germany: Landesbeauftragte für Datenschutz NRW (ldi.nrw.de). A full list of EU supervisory authorities is available at edpb.europa.eu.

8. Data retention

| Data type | Retention period | Reason |
|---|---|---|
| Account data | Until account deletion | Service provision |
| Scan history (your link) | 90 days, or until account deletion (whichever earlier) | Service provision; auto-expires via DynamoDB TTL |
| Public scan results (shared) | Indefinite, anonymous | Community security intelligence; no link to you after deletion |
| API key audit log | 1 year | Account-takeover detection (Art. 32 GDPR security obligation) |
| API key first-use record | 90 days | Anomaly detection for leaked keys |
| API key usage counters | 7 days | Hourly per-key call counts for rate limiting |
| IP rate-limit counters | Up to 1 month, hashed | Abuse prevention; Art. 6(1)(f) GDPR legitimate interest |
| Analytics (PostHog) | 2 years | Product improvement (consent-gated) |
| Subscription records | Until cancellation | Service provision |
| Invoice / billing records | 10 years | German tax law (§147 AO) |
| Backup snapshots (DDB PITR) | Up to 35 days | Disaster recovery (AWS default PITR) |

9. International transfers

Primary storage and compute are on AWS in eu-west-1 (Ireland) and eu-central-1 (Frankfurt), both within the EU/EEA. Backups (DynamoDB Point-in-Time Recovery) stay in the same regions.

Some sub-processors are based outside the EEA — see the sub-processor table for the list. Where data leaves the EEA, the transfer is governed by Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR. We minimise what is transferred:

  • LLM providers receive only short, targeted code excerpts — never full source trees, account data, or personal identifiers.
  • Stripe receives only what is required to process payments (email, billing name, subscription tier).
  • OAuth providers receive only the metadata needed to complete the sign-in handshake.

We do not currently transfer data to any country covered by an EU adequacy decision other than what is listed; if that changes we will update this policy and notify registered users.

10. Changes to this policy

We will notify registered users by email if we make material changes, at least 14 days before they take effect. Last updated: May 5, 2026.
