Privacy Policy

Privacy Policy for DataMCP

Last updated: January 1, 2025

1. Introduction

Individual Entrepreneur Andrei Mironov (“we”, “us”, “our”) operates DataMCP (“Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

Contact Information:

2. Information We Collect

Personal Information

  • Account Data: Email address, name, billing information
  • Authentication: Managed through Clerk (third-party service)
  • Payment Data: Processed by Stripe/Paddle (we don’t store payment details)
  • Communication: Support emails and feedback

Database Schema Information

  • Metadata Only: Table names, column names, data types, relationships, constraints
  • No Actual Data: We never access, store, or process your actual database content
  • Connection Strings: Encrypted with AES-256-GCM encryption
  • API Specifications: OpenAPI/Swagger schemas you provide

Usage Information

  • Service Usage: API calls, sync frequency, feature usage
  • Technical Data: IP addresses, browser type, device information
  • Analytics: Google Analytics data (anonymized)
  • Logs: Error logs and performance metrics

Cookies and Tracking

  • Essential Cookies: Session management, authentication
  • Analytics Cookies: Google Analytics for usage statistics
  • Functional Cookies: User preferences, dashboard settings

3. How We Use Your Information

We use collected information to:

  • Provide Service: Extract and sync database schemas, provide MCP endpoints
  • Account Management: Create accounts, process payments, provide support
  • Communication: Send service updates, security alerts, billing notifications
  • Improvement: Analyze usage patterns to improve our service
  • Legal Compliance: Meet legal obligations and protect our rights
  • Security: Detect fraud, prevent abuse, ensure service security

We process your data based on:

  • Contract: To provide the service you’ve subscribed to
  • Legitimate Interest: To improve our service and prevent fraud
  • Consent: For marketing communications and non-essential cookies
  • Legal Obligation: To comply with tax, accounting, and legal requirements

5. Information Sharing and Disclosure

We do not sell, trade, or rent your personal information. We may share information with:

Service Providers

  • Clerk: Authentication and user management
  • Stripe/Paddle: Payment processing
  • Supabase: Database hosting and management
  • Vercel: Application hosting
  • Google Analytics: Usage analytics (anonymized)
  • Resend: Email delivery services
  • When required by law, court order, or government request
  • To protect our rights, property, or safety
  • To prevent fraud or security threats
  • In connection with legal proceedings

Business Transfers

  • In case of merger, acquisition, or sale of assets
  • Users will be notified of any ownership changes

6. Data Security

We implement comprehensive security measures:

Technical Safeguards

  • Encryption: AES-256-GCM for sensitive data at rest
  • Transport Security: TLS 1.3 for data in transit
  • Access Controls: Role-based permissions and authentication
  • Infrastructure: Supabase’s enterprise-grade security

Operational Safeguards

  • Regular Audits: Security assessments and monitoring
  • Employee Training: Security awareness and data handling
  • Incident Response: Procedures for security breaches
  • Backup Security: Encrypted backups with access controls

Database Connection Security

  • Metadata Only: We never access your actual data
  • Encrypted Storage: Connection strings encrypted at rest
  • SSL Enforcement: All database connections use SSL/TLS
  • Limited Access: Minimal permissions for schema reading only

7. Data Retention

We retain data for the following periods:

Account Data

  • Active Accounts: While your account is active
  • Deleted Accounts: 30 days after deletion (for recovery)
  • Billing Records: 7 years (legal requirement)

Schema Data

  • Free Plan: 30 days of schema history
  • Pro/Team Plans: Unlimited history while subscribed
  • After Cancellation: 90 days for potential reactivation

Usage Logs

  • Application Logs: 12 months maximum
  • Analytics Data: 26 months (Google Analytics default)
  • Security Logs: 2 years for security monitoring

Backups

  • Automated Backups: 90 days maximum
  • Disaster Recovery: Secure deletion after retention period

8. Your Rights

Under applicable privacy laws (GDPR, CCPA), you have the right to:

Access and Portability

  • Access: Request a copy of your personal data
  • Portability: Export your data in a machine-readable format
  • Transparency: Understand how your data is processed

Correction and Deletion

  • Rectification: Correct inaccurate personal information
  • Erasure: Request deletion of your personal data
  • Account Deletion: Delete your account and associated data

Control and Objection

  • Restrict Processing: Limit how we process your data
  • Object: Object to processing based on legitimate interests
  • Withdraw Consent: Opt out of marketing communications
  • Cookie Control: Manage cookie preferences

How to Exercise Rights

  • Email: privacy@datamcp.com
  • Dashboard: Account settings for basic data management
  • Response Time: We respond within 30 days
  • Verification: We may verify your identity before processing requests

9. International Data Transfers

Data Location

  • Primary Storage: United States (Supabase infrastructure)
  • Processing: May occur in various countries where our service providers operate
  • Safeguards: Appropriate safeguards in place for international transfers

Transfer Mechanisms

  • Adequacy Decisions: Where available from regulatory authorities
  • Standard Contractual Clauses: EU-approved data transfer agreements
  • Certification Programs: Participation in recognized privacy frameworks

10. Children’s Privacy

  • Age Restriction: Our service is not intended for children under 16
  • No Collection: We do not knowingly collect data from children
  • Parental Rights: Parents may request deletion of their child’s data
  • Discovery: If we learn we have collected children’s data, we will delete it promptly

11. Marketing Communications

Email Communications

  • Service Emails: Account, billing, and security notifications (required)
  • Marketing Emails: Product updates and promotions (optional)
  • Unsubscribe: Easy opt-out from marketing emails
  • Preferences: Manage communication preferences in your account

Third-Party Marketing

  • No Sharing: We don’t share your data with third-party marketers
  • Analytics: Anonymized data may be used for marketing insights
  • Advertising: We don’t use your personal data for targeted advertising

12. Cookies and Tracking Technologies

Types of Cookies

  • Essential: Required for service functionality
  • Analytics: Google Analytics for usage statistics
  • Functional: User preferences and settings
  • Performance: Service optimization and monitoring
  • Browser Settings: Control cookies through browser preferences
  • Opt-Out: Google Analytics opt-out available
  • Consent: We request consent for non-essential cookies
  • Updates: Cookie preferences can be changed anytime

13. Third-Party Services

We use the following third-party services:

Authentication

Payments

Infrastructure

Analytics

14. Data Breach Notification

In case of a data breach:

  • Detection: We monitor for security incidents continuously
  • Assessment: Immediate evaluation of breach scope and impact
  • Notification: Users notified within 72 hours if personal data is affected
  • Authorities: Regulatory authorities notified as required by law
  • Remediation: Immediate steps taken to secure data and prevent further breaches

15. Privacy Policy Updates

  • Changes: We may update this policy to reflect service changes or legal requirements
  • Notification: Material changes will be announced via email or service notification
  • Effective Date: Changes take effect 30 days after notification
  • Continued Use: Using the service after changes constitutes acceptance
  • Version History: Previous versions available upon request

16. Contact Information

Data Controller: Individual Entrepreneur Andrei Mironov
Registration: Georgia, Adjgeni Region, Village Varkhani, 7th str, N 7
ID Number: 322777492

Privacy Contacts:

Response Time: We respond to privacy inquiries within 30 days.


This Privacy Policy is effective as of January 1, 2025. By using DataMCP, you acknowledge that you have read and understood this Privacy Policy.