Privacy Policy
Last Updated: October 5, 2025
1. Introduction
This Privacy Policy describes how MCP Bro ("we," "us," or "our") collects, uses, and protects your personal information when you use our AI chat platform and services (the "Service"). We are committed to protecting your privacy and handling your data in an open and transparent manner.
By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Service.
2. Information We Collect
2.1 Information You Provide
When you register for and use our Service, we collect:
- Account Information: Email address, display name, and profile picture/avatar (if provided through OAuth)
- Authentication Data: OAuth provider information (Google or GitHub)
- Subscription Information: Subscription tier, payment status, and billing details
- User Preferences: Feature flags, organization settings (if applicable)
2.2 Automatically Collected Information
- Usage Data: Token quota usage, API interactions, timestamps of account creation, updates, and last login
- Authentication Tokens: Session tokens stored as cookies for authentication purposes
- Technical Data: User type, account status, permissions, and subscription status
2.3 AI Interaction Data
- Chat Messages: Your conversations with our AI models are processed to provide the Service
- Tool Usage: Records of which MCP tools you enable and use
- Model Preferences: Your selected AI models and system modes
3. How We Use Your Information
3.1 Service Provision
- To create and manage your user account
- To authenticate and authorize access to the Service
- To provide AI chat functionality and process your requests
- To track and enforce token usage quotas based on your subscription tier
- To enable MCP tool integrations as requested by you
3.2 Billing and Subscription Management
- To process payments through our payment processor (Stripe)
- To manage subscription changes, upgrades, and downgrades
- To handle billing inquiries and subscription cancellations
3.3 Service Improvement
- To monitor and analyze usage patterns to improve our Service
- To develop new features and functionality
- To troubleshoot technical issues and maintain system security
3.4 Essential Communications
- To send critical service notifications (e.g., system downtime, security updates)
- To communicate important changes to our terms or policies
- To respond to your support requests and inquiries
We do not use your information for marketing purposes. You will only receive essential service-related communications.
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide the Service you have requested
- Legitimate Interest: To improve our Service, prevent fraud, and ensure security
- Legal Obligation: To comply with applicable laws and regulations
- Consent: Where required by law, we will obtain your explicit consent
5. Third-Party Services and Data Sharing
We use the following third-party services to operate our platform:
5.1 Authentication and Data Storage
Google Firebase/Firestore: User authentication and database storage
- Purpose: Secure account management and data storage
- Location: Google Cloud servers
- Privacy Policy: https://firebase.google.com/support/privacy
5.2 OAuth Providers
Google OAuth: Third-party authentication
Privacy Policy: Google Privacy Policy
GitHub OAuth: Third-party authentication
Privacy Policy: GitHub Privacy Statement
5.3 AI Service Providers
Anthropic: Claude AI models
Purpose: Process chat requests and generate responses
Privacy Policy: Anthropic Privacy
Google Vertex AI: AI model infrastructure
Privacy Policy: Vertex AI Privacy
5.4 Payment Processing
Stripe: Payment processing and subscription management
- Purpose: Process payments, manage subscriptions, and handle billing
- Your payment information is processed directly by Stripe and never stored on our servers
- Privacy Policy: https://stripe.com/privacy
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
6. Cookies and Tracking Technologies
We use the following cookies:
6.1 Essential Cookies
auth_token / auth-token: Authentication cookie containing a JSON Web Token (JWT)
- Purpose: Maintain your logged-in session
- Type: HttpOnly, Secure (in production)
- Duration: 24 hours to 7 days
- SameSite: Lax
We do not use tracking cookies, analytics cookies, or advertising cookies.
You can disable cookies in your browser settings, but this will prevent you from using our Service as authentication requires cookies.
7. Data Storage and Security
7.1 Data Location
All services and data storage are hosted in the European Union:
| Service | Purpose | Region |
|---|---|---|
| Google Cloud Firestore | Primary database | EU (europe-west) |
| Google Vertex AI | AI model infrastructure | EU (europe-west) |
| Web Application | Frontend and backend services | EU (europe-west1) |
| MCP Servers | Model Context Protocol servers | EU |
This ensures compliance with GDPR and European data protection regulations. Your data does not leave the European Union.
7.2 Security Measures
We implement industry-standard security measures including:
- Encrypted data transmission (HTTPS/TLS)
- Secure authentication protocols (OAuth 2.0, JWT)
- HttpOnly and Secure cookie flags to prevent XSS attacks
- Regular security updates and monitoring
- Access control and permission-based authorization
- Firestore security rules to protect user data
7.3 Data Retention
We retain your personal data for as long as:
- Your account remains active, or
- As necessary to provide you with our Service, or
- As required to comply with legal obligations
Token usage data is retained for billing and quota management purposes for the duration of your subscription and for up to 7 years thereafter for accounting and tax purposes.
Account Deletion
You may delete your account at any time through your account settings or by contacting gdpr@mcpbro.ai. Upon deletion:
- Personal data will be permanently removed or anonymized within 30 days
- Billing records may be retained for up to 7 years as required by law
- Anonymized usage statistics may be retained for service improvement
8. Your Rights and Choices
Depending on your location, you may have the following rights:
8.1 Access and Portability
- Right to Access: Request a copy of the personal data we hold about you
- Right to Data Portability: Receive your data in a structured, commonly used format
8.2 Correction and Deletion
- Right to Rectification: Correct inaccurate or incomplete personal data
- Right to Erasure: Request deletion of your personal data
- Right to Restriction: Request limitation of processing
8.3 Exercising Your Rights
To exercise any of these rights:
- Self-Service: Use the account settings in your profile to update or delete your information
- Email: Contact us at gdpr@mcpbro.ai for data access, deletion, or other privacy requests
- General Inquiries: Use the contact information in Section 12 below
We will respond to your request within 30 days (or as required by applicable law). For security purposes, we may need to verify your identity before processing certain requests.
What Happens When You Delete Your Account
When you delete your account (either through self-service or by request):
- Your personal information will be permanently deleted or anonymized
- Your subscription will be cancelled
- Your chat history and usage data will be deleted
- Account deletion is irreversible and cannot be undone
9. Children's Privacy
Our Service is not intended for children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately, and we will take steps to delete such information.
10. International Data Transfers
All data is stored and processed within the European Union. We do not transfer your personal data outside of the EU.
Our infrastructure is hosted in EU regions (specifically europe-west and europe-west1), ensuring that your data remains subject to European data protection laws at all times.
For users outside the EU: Your data will be transferred to and stored in the European Union, which the European Commission has determined provides an adequate level of data protection.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:
- Posting the updated policy on our website with a new "Last Updated" date
- Sending an email notification to your registered email address for significant changes
Your continued use of the Service after such modifications constitutes acceptance of the updated Privacy Policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
General Inquiries
GDPR & Privacy Requests
Website
For GDPR-related inquiries, complaints, or data deletion requests, please contact gdpr@mcpbro.ai. We will respond within 30 days.
13. Complaints
If you believe we have not handled your personal data properly, you have the right to lodge a complaint with:
- Your local data protection authority (for EEA, UK, and Swiss residents)
- The supervisory authority in the jurisdiction where we operate
However, we encourage you to contact us first so we can address your concerns directly.
Appendix A: Data We Collect (Summary)
| Data Type | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Email address | Account identification, authentication | Contract performance | Duration of account + legal requirements |
| Display name | Account personalization | Contract performance | Duration of account |
| Profile picture | Account personalization | Consent (via OAuth) | Duration of account |
| OAuth provider ID | Authentication | Contract performance | Duration of account |
| Subscription tier | Service access control | Contract performance | Duration of account + 7 years (billing) |
| Token quota usage | Quota enforcement, billing | Contract performance | Duration of subscription + 7 years |
| Stripe Customer ID | Payment processing | Contract performance | Duration of account + 7 years |
| Last login timestamp | Security, account management | Legitimate interest | Duration of account |
| Chat interactions | Service provision | Contract performance | Real-time processing only* |
*Chat messages are processed in real-time to generate responses but are not permanently stored by us. AI providers may temporarily cache data according to their policies.
Appendix B: Third-Party Links
This Privacy Policy applies only to our Service. Our Service may contain links to third-party websites, MCP servers, or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.
This Privacy Policy is effective as of the date indicated above and applies to all users of the MCP Bro Service.