Privacy Policy
Last updated: 2026-06-03. [LEGAL ENTITY NAME] (“we”) is the data controller for CheckMCP.
1. Data we collect
- Account: your email and a hashed password (scrypt). Sessions via an httpOnly cookie.
- Billing: handled by Stripe — we store a Stripe customer id, plan and status, not your card details.
- Usage: MCP server URLs you audit/monitor, scores, findings, API-key usage counts, and gateway call logs (method/tool/verdict/timestamps).
- Technical: IP address (for rate-limiting/abuse prevention) and basic request logs.
- Product analytics: pages viewed and interactions, collected via PostHog to improve the Service. Processed on PostHog’s US infrastructure.
Public audits of public MCP servers may appear in the public directory. Private (token) audits are never cached or published. The self-hosted gateway processes tool traffic inside your infrastructure — that data does not reach us.
2. Why we use it (legal bases)
To provide the Service and your account (contract), to bill you (contract), to secure the Service and prevent abuse (legitimate interest), and to comply with legal obligations. We do not sell your personal data.
3. Sub-processors
- Stripe (payments), the hosting provider (Contabo/VPS), Cloudflare (CDN/proxy), and PostHog (product analytics, processed in the United States). Each processes data to provide their part of the Service; the PostHog transfer relies on standard contractual clauses.
4. Retention
Account data is kept while your account is active. Logs and usage data are kept for a limited period for security and analytics, then deleted or anonymised. You can request deletion of your account.
5. Your rights
If you are in the EU/EEA (GDPR) or California (CCPA), you can request access, correction, deletion, portability, or object to certain processing. Contact [email protected]. You may also lodge a complaint with your data-protection authority.
6. Cookies
We use a strictly-necessary session cookie for authentication and a theme preference stored locally. We also use first-party analytics cookies/local storage set by PostHog to measure product usage. We do not use third-party advertising cookies and do not sell your data.
7. Security
Passwords are hashed (scrypt), API keys are stored hashed, transport is over HTTPS. No method is perfectly secure; we work to protect your data but cannot guarantee absolute security.
8. Contact
Privacy questions or requests: [email protected].