Privacy Policy

We use the information we collect to:

• Provide, maintain, and improve the Service, including account management, Tool discovery, and installation functionality.
• Process transactions and send related information, including purchase confirmations and payout notifications.
• Send transactional emails (account verification, password resets, purchase receipts, security alerts) via our email provider, Resend.
• Monitor and analyze usage trends and preferences to improve user experience and platform performance.
• Detect, prevent, and address fraud, abuse, security incidents, and technical issues.
• Enforce our Terms of Service and protect the rights, property, and safety of MCP Marketplace, our users, and the public.
• Communicate with you about Service updates, new features, and (with your consent where required) promotional content. You may opt out of promotional communications at any time.

MCP Marketplace uses a minimal cookie approach. We use the following cookies:

• Authentication Cookie. A session cookie set by our authentication provider to maintain your authenticated session. This is strictly necessary for the Service to function and cannot be disabled while using authenticated features.
• Security Cookies. Cookies used for CSRF protection and to prevent abuse.

We do not use advertising cookies, third-party tracking pixels, or behavioral targeting cookies. We do not sell your browsing data or engage in cross-site tracking.

Our hosting provider may collect standard web server logs including IP addresses and request metadata for infrastructure and security purposes.

We share information with the following third-party service providers who assist us in operating the Service. Each processes data only as necessary to perform their function:

• Stripe — Payment processing and Creator payout management. Stripe receives payment information directly from you and processes it under their own privacy policy.
• GitHub — Optional authentication provider. If you sign in with GitHub, we receive profile information you authorize during the OAuth flow.
• Infrastructure providers — We use third-party services for database hosting, authentication, website hosting, and content delivery. These providers may process request metadata (such as IP address) for infrastructure operation and security purposes.
• Email delivery provider — We use a third-party service to send transactional emails. This provider processes your email address and message content for email delivery purposes only.

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

We may disclose information if required by law, legal process, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:

• Account Data is retained for the duration of your account and deleted within 30 days of account deletion, unless retention is required by law.
• Transaction Records are retained for a minimum of 7 years to comply with tax and financial reporting obligations.
• Usage Data is retained in aggregated, anonymized form indefinitely for analytics and platform improvement purposes. Identifiable usage data is deleted within 90 days.
• Server Logs are retained for up to 30 days for security and debugging purposes.

When data is no longer needed, we delete or anonymize it. If deletion is not immediately possible (for example, because data is stored in backup archives), we will securely isolate it from further processing until deletion is feasible.

Depending on your location, you may have the following rights regarding your personal data. We honor these rights regardless of your jurisdiction where technically feasible:

• Access. You may request a copy of the personal data we hold about you.
• Rectification. You may request that we correct inaccurate or incomplete personal data.
• Erasure. You may request that we delete your personal data, subject to legal retention obligations.
• Restriction. You may request that we restrict the processing of your personal data under certain circumstances.
• Data Portability. You may request a copy of your data in a structured, commonly used, machine-readable format.
• Objection. You may object to our processing of your personal data where we rely on legitimate interests as the legal basis.
• Withdraw Consent. Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing performed before withdrawal.

To exercise any of these rights, contact us at support@mcp-marketplace.io. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.

We implement reasonable technical and organizational measures to protect your personal information, including:

• Encryption of data in transit using TLS/HTTPS.
• Encryption of sensitive data at rest.
• Row-level security policies in our database to ensure users can only access their own data.
• Regular security scanning of all Tools submitted to the Marketplace.
• Access controls limiting access to personal data on a need-to-know basis.

While we strive to protect your personal information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but will promptly notify affected users in the event of a data breach as required by applicable law.

MCP Marketplace is operated from the United States. If you are accessing the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States or other countries where our service providers operate.

Where personal data is transferred from the EEA, UK, or Switzerland to countries not deemed to provide an adequate level of data protection, we rely on the safeguards and data protection commitments provided by our service providers to help ensure your data is protected.

MCP Marketplace is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information promptly. If you believe we have inadvertently collected information from a child under 18, please contact us at support@mcp-marketplace.io.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Provide prominent notice on the Service (e.g., a banner notification) for significant changes.
• Where required by law, obtain your consent before applying material changes that affect how we process your existing data.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: support@mcp-marketplace.io
• Website: mcp-marketplace.io

For data protection inquiries from the European Economic Area, you may also contact us at the email above with the subject line "GDPR Request" and we will direct your inquiry to the appropriate team.