Privacy Policy

Protecting the Agentic Layer | Last Updated: Jan 2026

Our Privacy Philosophy

HasMCP is built for developers. We believe in minimal data collection and maximum transparency. Our infrastructure is designed to proxy and optimize Model Context Protocol (MCP) tool calls while maintaining strict data silos between the model, the user, and the upstream API.

Authentication & Sessions

We use OAuth2 to authenticate our users. We don't persist the access token gathered during authentication. We store name, email, and picture URL to ensure consistent account access. Email is used as the unique identifier.

Cookies

Essential session cookies only. No third-party tracking or advertising cookies.

Local Storage

Used for user preferences and non-sensitive session tokens to enhance performance.

MCP Auth & Authorization

When an MCP server has OAuth2 credentials configured, we use them to authorize tool execution on the underlying API provider:

End-user prompt

Users are prompted to log in with the underlying provider for specific defined scopes.

Encrypted Storage

Bearer and Refresh tokens are stored as encrypted values in our database.

On-the-fly Data Processing

HasMCP acts as a proxy. We do not store request/response headers or payloads. Data is processed in-memory using user-defined interceptors (Goja/JMESPath) to transform data before delivery.

Security & Rate Limiting

To protect our Cloud infrastructure, we implement strict network-level controls:

  1. IP-Based Rate Limiting: Monitoring request volume per IP to ensure stability.
  2. Non-Association: IP addresses are used for defensive thresholds only and are not associated with specific User accounts.

Live Debugging

Volatile Logs Policy

Request and response payloads in the Debug Console are volatile. They are streamed via secure SSE directly to your browser, never written to disk, and discarded immediately.

Telemetry

We collect aggregated usage statistics to help you manage your mesh:

- Tool calls count
- Token counts (tiktoken)
- Response sizes (bytes)
- Error rate percentages
- Unique User counts

Data Retention

Upon account deletion, IAM configs, audit-logs, and secret vault data are purged within 30 days. Aggregated billing data is retained for 6 years to comply with IRS regulations.

Exercise Your Rights

For data exports or account deletion requests, contact [email protected].