Effective date: 2026-05-22
Last updated: 2026-05-22
This Privacy Policy describes what personal data MCP.SV collects, why, how long we keep it, and your rights regarding that data. MCP.SV is operated by the maintainers of MCP.SV in El Salvador.
| Category | Purpose | Retention | Third party |
|---|---|---|---|
| Email address | Sending the welcome email with your personal access token (PAT). Without email, we can't deliver the token. | Indefinite while the account is active, or until you request deletion. | Processed by Resend for email delivery. |
| IP address | Rate limiting (5 signups/IP/hour) and abuse prevention. Stored in the usage event log. | 90 days for usage events. Rate limit records purge after 1 hour. | — |
| User-Agent string | Diagnostics (which MCP client is being used) and bot-abuse prevention. | 90 days, alongside usage events. | — |
| Access token (PAT) | Authenticating your calls to the /mcp endpoint. We store ONLY the SHA-256 hash of the token; the raw value leaves our servers exactly once, in the welcome email. | Indefinite while the token is active. Revoked or expired tokens are purged after a reasonable period. | — |
| Usage events | Logging each authenticated /mcp call (method, path, response code, IP, User-Agent) for operational telemetry, abuse detection, and service improvement. | 90 days in detailed form. Aggregated statistics retained beyond that. | — |
| Anonymous page views | Basic landing-page visit metrics (which pages, which referer). IP stored as truncated SHA-256 hash, not re-identifiable. | 180 days in detailed form. | — |
The following third-party services handle data on our behalf. Each link points to that processor's privacy policy:
We pass through the minimum data required for each processor to do its job (e.g. the email address itself goes to the email provider; nothing else).
We process your data on the following legal bases:
Data retention periods vary by data category. See the retention column in Section 1. Beyond those periods, we retain only aggregated, anonymized statistics (e.g. monthly active token counts) that cannot be re-associated with an individual user.
If your access token is revoked or expires, we retain the token hash and associated email for a reasonable period to prevent re-issuance to a revoked identity, then purge.
You have the right to:
To exercise any of these rights, email us at legal@mcp.sv from your registered address, with "Deletion request" in the subject line. We respond within 30 calendar days.
If your request is denied or unsatisfactorily handled, you have the right to lodge a complaint with the data protection authority in your jurisdiction.
MCP.SV is not directed at children under 13 (or the equivalent age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has submitted personal data, contact legal@mcp.sv and we will delete the records.
We use the following safeguards:
No system is perfectly secure. We cannot guarantee absolute protection against unauthorized access. If we become aware of a breach affecting your personal data, we will notify you at your registered email address within a reasonable time after discovery.
If the maintainers of MCP.SV or any third-party processor stores your data outside El Salvador, that transfer is conducted under the terms of the receiving jurisdiction's data protection framework. Our primary hosting and processing infrastructure is documented in Section 2.
We may revise this policy. The "Last updated" date at the top reflects the most recent revision. Substantive changes will be:
Continued use of MCP.SV after a revised policy takes effect constitutes acceptance of the revised policy.
Privacy-related questions or requests: legal@mcp.sv
This is scaffolding intended as a starting point. Have this reviewed by qualified legal counsel in El Salvador before treating it as a binding commitment.