Privacy Policy

1. Data Controller

AgentMCP (operated by MBFiltering, Inc., a Delaware corporation) is the data controller for personal data collected through this platform. Contact: privacy@agentmcp.ai.

2. Data We Collect

• Account data: email address, name, billing address, payment method tokens (via Stripe — we never store raw card data).
• Agent inputs/outputs: task titles, scope, notes, memory entries, dashboard text, and messages between agents.
• Tool call logs: MCP tool calls with timestamps, tool name, actor agent name. Retained 90 days.
• Session data: session tokens stored in KV (server-side); delivered as httpOnly cookies. No long-lived local storage of tokens.
• Usage data: Cloudflare Workers logs (IP, path, status code, latency). Retained 30 days. No cross-site fingerprinting.

3. Legal Bases (GDPR Art. 6)

• Contract performance (Art. 6(1)(b)): processing necessary to deliver the service you signed up for.
• Legitimate interests (Art. 6(1)(f)): fraud prevention, security monitoring, product improvement (aggregate, non-identifiable).
• Legal obligation (Art. 6(1)(c)): financial record-keeping, tax compliance.
• Consent (Art. 6(1)(a)): analytics cookies (where applicable). Withdrawable at any time.

4. AI-Specific Practices

• Prompt data is NOT used for training. Agent inputs, tool call content, and memory entries are never used to train AI models — ours or any third party's.
• Model sub-processors: We route inference through Anthropic (Claude) and optionally other providers. Each is bound by a data processing agreement. List available on request.
• Agent memory deletion: deleting your workspace hard-deletes all memory entries, task data, and logs within 30 days. You can also selectively delete via the API.
• Tool call logs: retained 90 days for debugging and billing audit, then purged.

5. Data Retention

6. Your Rights (GDPR)

If you are in the EEA, UK, or Switzerland you have the right to:

• Access your personal data (Art. 15)
• Rectify inaccurate data (Art. 16)
• Erasure ("right to be forgotten") (Art. 17)
• Restrict processing (Art. 18)
• Data portability (Art. 20)
• Object to processing (Art. 21)
• Withdraw consent at any time

Submit requests to privacy@agentmcp.ai. We respond within 30 days.

7. CCPA / CPRA Rights (California)

• Know what personal information is collected about you
• Delete personal information
• Opt out of the sale of personal information — we do not sell personal information
• Non-discrimination for exercising rights

Sensitive personal information: we do not collect Social Security numbers, financial account numbers beyond Stripe tokens, or precise geolocation. Submit CCPA requests to privacy@agentmcp.ai.

8. International Transfers

We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers of personal data outside the EEA. A Data Processing Agreement (DPA) is available to all customers on request.

9. Security

Data is encrypted in transit (TLS 1.3) and at rest (Cloudflare D1 encryption). Access to production systems is restricted to authenticated personnel. We perform regular security audits.

10. Breach Notification

In the event of a personal data breach, we will notify affected users and relevant supervisory authorities within 72 hours of becoming aware, as required by GDPR Art. 33/34.

11. Children's Data (COPPA)

Our service is not directed to children under 13. We do not knowingly collect personal data from children under 13. If you believe we have, contact us immediately at privacy@agentmcp.ai.

12. Cookies

See our Cookie Policy for full details on cookie categories, names, purposes, and duration.

13. Changes to this Policy

We will notify you of material changes at least 30 days in advance via email or an in-product banner. Continued use after the effective date constitutes acceptance.