Privacy Policy

Effective date: 31 March 2026 · Last updated: 31 March 2026

This Privacy Policy describes how CodeMax IT Solutions Private Limited ("we", "us", "our") collects, uses, and protects your personal information when you use MCPGate ("Service"). We take your privacy seriously and are committed to full transparency.

1. What Data We Collect

We collect only the data necessary to provide the MCPGate service:

  • Account data — Your email address and display name, provided when you sign up via Clerk. We do not store passwords; Clerk manages all authentication credentials.
  • OAuth tokens — When you connect a third-party service (Gmail, Slack, GitHub, etc.), we store the OAuth access token and refresh token. These are encrypted at rest using AES-256-GCM with per-user encryption keys.
  • Audit log data — For every tool call made through MCPGate, we log: the tool name, sanitized arguments (credentials are never logged), timestamp, decision (allowed/blocked), and latency. The content of emails, messages, or files is never stored.
  • Usage data — Aggregate counts of API calls per day for rate limiting and plan enforcement.
  • Browser preferences — A theme preference cookie (dark/light) stored locally in your browser.

2. How We Use Your Data

We use the data we collect exclusively to:

  • Authenticate you and maintain your session
  • Securely proxy API calls to connected third-party services on your behalf
  • Enforce guardrail rules you have configured
  • Display your activity audit log in the dashboard
  • Enforce plan limits (calls per day, connector count)
  • Send transactional emails (account activation, billing receipts) — never marketing without consent

We never sell, rent, or share your personal data with third parties for advertising, marketing, or commercial purposes.

3. Data Storage & Security

All personal data and OAuth tokens are stored in a PostgreSQL 16 database hosted on cloud infrastructure. The following security measures are in place:

  • OAuth tokens are encrypted at rest using AES-256-GCM with envelope encryption — each user has a unique data encryption key, itself encrypted by a master key.
  • All data in transit is protected by TLS 1.3.
  • Database backups are encrypted and retained for 7 days.
  • Audit logs are retained for 7 days (Free plan) or 90 days (Pro plan), then automatically deleted.
  • We are ISO 27001:2022 certified, meaning our information security management system has been independently audited and certified.

4. Third-Party Services

We use the following third-party services to operate MCPGate:

  • Clerk (clerk.com) — User authentication. Clerk handles sign-up, sign-in, and session management. Their privacy policy applies to data processed by Clerk.
  • Cloud hosting provider — We host our backend infrastructure on a cloud provider (DigitalOcean or AWS). Data is stored in servers located in [region]. We have Data Processing Agreements in place.
  • Third-party connectors — When you connect Gmail, Slack, GitHub, etc., data flows between MCPGate and those services. MCPGate acts as an authorized proxy; we do not store the content of API responses beyond what is necessary to display in the dashboard.

5. Your Rights

You have the following rights with respect to your personal data:

  • Access — Request a copy of all personal data we hold about you.
  • Rectification — Request correction of inaccurate data.
  • Deletion — Request deletion of your account and all associated data. You can do this from the dashboard Settings page, or by emailing us.
  • Portability — Request an export of your data in machine-readable format (JSON).
  • Objection — Object to processing of your data.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

6. GDPR Compliance

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) applies to your personal data.

Legal basis for processing:

  • Contract performance — We process your data to provide the service you signed up for.
  • Legitimate interest — Audit logging for security and compliance purposes.
  • Consent — For any optional data processing (e.g., marketing emails), we will ask for your explicit consent.

Data controller: CodeMax IT Solutions Private Limited, Office No A-201, 202, 2nd Floor, Asian Pinnacle, Fatorda, Goa 403602, India. CIN: U72200GA2015PTC007728.

You have the right to lodge a complaint with your local data protection authority if you believe we have not handled your data correctly.

7. Cookies

We use only essential cookies. See our Cookie Policy for full details.

8. Contact Us

For privacy questions, data requests, or concerns, contact us at:

CodeMax IT Solutions Private Limited

Office No A-201, 202, 2nd Floor, Asian Pinnacle

Behind Bank of India, Fatorda, Goa 403602, India

Email: [email protected]

Phone: +91-832-297-6020

Website: cdmx.in

© 2026 CodeMax IT Solutions Pvt. Ltd. · CIN: U72200GA2015PTC007728