Skip to content
MCPShield
Back to Home

Privacy Policy

Last updated: April 12, 2026

1. Who We Are

MCPShield (“we,” “us,” “our”) operates the website at www.mcpshield.co, the MCPShield CLI, the VS Code extension, and the MCPShield GitHub App. This policy explains what data we collect, why, and how we protect it.

2. Data We Collect

Account Data

When you sign up via Clerk, we store your name, email address, and profile image. We do not store passwords — authentication is handled entirely by Clerk.

Scan Data

When you scan an MCP server, we store the target URL, scan results (grade, findings), and metadata (timestamp, scan type). For GitHub scans, we read source code through the GitHub API to analyze it. Source code is processed in memory and is not stored.

Usage Data

We collect IP addresses for rate limiting and abuse prevention. IP addresses are not linked to your account and are used only for per-IP daily limits.

Payment Data

Payments are processed by Stripe. We do not store credit card numbers or bank details. We receive your Stripe customer ID and subscription status to manage your plan.

API Keys

API keys are hashed with SHA-256 before storage. We store only the first 12 characters (the key prefix) in plaintext for identification. The full key is shown once at creation and cannot be retrieved afterward.

3. How We Use Your Data

  • To provide and improve the MCPShield scanning service
  • To enforce rate limits and prevent abuse
  • To send transactional emails (scan alerts, monitor notifications, weekly digests)
  • To process payments and manage subscriptions
  • To maintain our public MCP security database (scan results for public repositories)

4. Third-Party Services

We use the following third-party services that may process your data:

  • Clerk — Authentication and user management
  • Stripe — Payment processing
  • Neon — PostgreSQL database hosting
  • Railway — Application hosting
  • Resend — Transactional email delivery
  • GitHub — Source code access for repository scans (via GitHub App permissions)

5. Data Retention

Scan results are retained indefinitely as part of the public MCP security database. Account data is retained while your account is active. If you delete your account, your personal data will be removed within 30 days. Anonymized scan data may be retained for research purposes.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Object to or restrict processing of your data
  • Export your data in a portable format

To exercise any of these rights, contact us at privacy@mcpshield.co.

7. Cookies

We use essential cookies for authentication (Clerk session cookies). We do not use advertising or tracking cookies. No third-party analytics scripts are loaded on our site.

8. Security

We protect your data with HTTPS encryption, hashed API keys, security headers (HSTS, CSP, X-Frame-Options), and role-based access controls. Webhook secrets are verified with timing-safe signature comparison.

9. Changes

We may update this policy from time to time. Material changes will be communicated via email to registered users. The “Last updated” date at the top reflects the most recent revision.

10. Contact

For privacy questions or data requests, email privacy@mcpshield.co.

Privacy Policy - MCPShield | MCPShield