Privacy Policy
We built MCPEmails with privacy as a first principle. Your email content is never stored on our servers — it passes through to your agent and disappears. This policy explains what we do collect, and why.
Last updated: May 25, 2026 · Effective: May 25, 2026
1. Who We Are
MCPEmails ("MCPEmails", "we", "us", or "our") operates the MCPEmails service available at mcpemails.com, including all dashboard pages, API endpoints, and the Model Context Protocol (MCP) server that AI agents use to access connected email accounts.
For the purposes of applicable data protection law (including the EU General Data Protection Regulation, "GDPR"), MCPEmails is the data controller for account and usage data. For email content, we act as a data processor on your behalf — we transmit content you authorise us to retrieve, and we do not store it.
Our registered address is: Oslo, Norway. You can reach our privacy team at privacy@mcpemails.com.
2. Data We Collect
2.1 Account data
When you create an account we collect your email address and a hashed password (we never store plaintext passwords). You may optionally provide a display name. This data is required to create and maintain your account.
2.2 Workspace and configuration data
We store the workspace name you choose, and the configuration of each connected inbox (provider type, email address, OAuth status, and connection timestamp). We do not store OAuth access tokens or app passwords in plaintext — they are encrypted with AES-256-GCM before being written to the database, and the encryption key is stored in a separate secrets vault.
2.3 API keys
We store a SHA-256 hash of each API key you create, along with the key's name, scopes, creation timestamp, and last-used timestamp. The raw key value is shown to you exactly once at creation time and is never stored in recoverable form.
2.4 Usage and audit logs
For every MCP tool call your agent makes, we record: the tool name (e.g. read_email), the API key that made the call, the inbox that was accessed, the timestamp, and whether the call succeeded. We do not record email subjects, bodies, recipients, or any other email content in these logs.
2.5 Email content — not stored
When your agent calls read_email, list_inbox, or any other email tool, we fetch the requested content live from your email provider and return it to your agent in the same HTTP response. The content is never written to disk, cached, or logged. Once the HTTP response is sent, we hold no copy of any email body, subject, attachment, or contact detail.
2.6 Technical and operational data
We collect standard server-side operational data including IP addresses (for rate limiting and abuse prevention), request timestamps, HTTP status codes, and error types. This data is retained in aggregated, anonymised form and is not linked to individual accounts after 30 days.
2.7 Cookies and local storage
The dashboard sets one first-party session cookie issued by Supabase Auth to keep you signed in. We do not use tracking cookies, advertising cookies, or any third-party cookies. We store a single theme preference (mcpe-theme) in your browser's local storage.
3. How We Use Your Data
We use the data described above for the following purposes:
3.1 Providing the service
We use your account data to authenticate you, your workspace configuration to route MCP tool calls to the correct email provider, and your API keys to authorise agent requests. Without this data the service cannot function. The legal basis under GDPR is performance of a contract.
3.2 Security and abuse prevention
We use IP addresses, request rates, and error patterns to detect and block abusive activity, enforce rate limits, and protect the availability of the service for all users. The legal basis is our legitimate interests in operating a secure service.
3.3 Usage analytics and product improvement
We use aggregated, anonymised usage data (tool call counts, error rates, latency) to understand how the service is used and to prioritise improvements. We do not use individual-level usage data for this purpose. The legal basis is our legitimate interests in improving the service.
3.4 Billing and plan enforcement
We use usage counts to determine whether your workspace has reached plan limits and to calculate your invoice on paid plans. The legal basis is performance of a contract.
3.5 Legal compliance
We may process and disclose data where required by applicable law, court order, or regulatory authority. The legal basis is compliance with a legal obligation.
3.6 What we will never do
- Sell your personal data or usage data to third parties.
- Use your email content for training AI models.
- Use your data to serve you advertising.
- Share your data with third parties for their own marketing purposes.
4. Data Retention
We keep each category of data for the following periods:
| Data category | Retention period | Reason |
|---|---|---|
| Account data (email, display name) | Until account deletion, plus 30 days | Service operation; recovery window |
| Workspace and inbox configuration | Until deleted by you, plus 30 days | Service operation; recovery window |
| Encrypted OAuth tokens / app passwords | Until inbox disconnected or account deleted | Required to authenticate provider API calls |
| API key hashes | Until revoked, plus 30 days | Audit trail; recovery window |
| MCP tool call audit logs | 90 days (Free & Pro) · 1 year (Enterprise) | Security audit; plan feature |
| Aggregated usage metrics | 2 years | Billing history; product analytics |
| Server operational logs (IP, status) | 30 days raw; anonymised aggregate retained | Abuse prevention; availability |
| Email content | Not stored — zero retention | Privacy by design |
When you delete your account, we initiate deletion of all personal data within 30 days. Aggregated, non-personal usage statistics derived from your account may be retained beyond this period in anonymised form.
5. Third Parties and Data Sharing
5.1 Infrastructure providers (data processors)
We use the following sub-processors to operate the service. Each is bound by a Data Processing Agreement and processes data only on our instructions:
| Provider | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase | Database, auth, edge functions | Account data, workspace config, audit logs | EU (Frankfurt) or US (Virginia) — you choose at signup |
| Vercel | Web hosting, CDN | HTTP request metadata; no email content | Global edge (nearest region to user) |
| Stripe (paid plans only) | Payment processing | Billing email, payment card data (stored by Stripe, not us) | US (Stripe is PCI-DSS certified) |
5.2 Email providers (your providers, not ours)
When you connect Gmail, Outlook, or a Fastmail / IMAP account, MCPEmails authenticates with that provider using credentials you supply. Your email provider's own privacy policy governs the data held in your mailbox. MCPEmails accesses your mailbox only when your agent makes a tool call, and only for the specific messages or folders the tool requests.
5.3 No data brokers or advertising networks
We do not share any data with data brokers, advertising networks, social media platforms, or analytics companies that build user profiles.
5.4 Legal disclosures
We may disclose personal data if required by law, valid legal process (such as a court order or subpoena), or to protect the rights, property, or safety of MCPEmails, our users, or the public. Where permitted by law, we will notify affected users before disclosing their data.
5.5 Business transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify users via the email address on their account before any such transfer occurs and before their data becomes subject to a different privacy policy.
6. International Data Transfers
MCPEmails is operated from Norway, which is subject to the European Economic Area (EEA) data protection framework. If you access the service from outside the EEA, your data may be transferred to and processed in countries within the EEA.
Our infrastructure sub-processors (Supabase, Vercel) operate under Standard Contractual Clauses (SCCs) approved by the European Commission for data transfers to third countries. For Stripe, processing is covered by their EU-US Data Privacy Framework certification.
Enterprise customers can elect to store all account and configuration data exclusively in EU-based infrastructure (Frankfurt region) at no additional cost.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access. Request a copy of all personal data we hold about you.
- Rectification. Ask us to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten"). Request deletion of your personal data. You can trigger this yourself by deleting your account in Dashboard → Settings → Delete Account.
- Restriction. Ask us to restrict processing of your data in certain circumstances.
- Data portability. Request your data in a machine-readable format (JSON).
- Objection. Object to processing based on legitimate interests.
- Withdraw consent. Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, email us at privacy@mcpemails.com. We will respond within 30 days (or 72 hours for urgent security-related requests). We may ask you to verify your identity before processing the request.
If you are located in the EEA or UK, you have the right to lodge a complaint with your local supervisory authority. In Norway, this is the Datatilsynet (datatilsynet.no).
8. Security
We take the security of your data seriously and implement appropriate technical and organisational measures, including:
- All data in transit is encrypted using TLS 1.2 or higher. Connections that do not support TLS are rejected.
- OAuth tokens and IMAP credentials are encrypted at rest using AES-256-GCM. The encryption key is stored in a separate Supabase Vault instance and is never co-located with the encrypted data.
- API keys are hashed with SHA-256 before storage. The raw key cannot be recovered from the hash.
- Database access is protected by Row-Level Security (RLS) policies that prevent one workspace from accessing another's data, even in the event of a query logic error.
- Administrative access to production infrastructure requires multi-factor authentication and is logged.
Despite these measures, no system is perfectly secure. If you discover a security vulnerability, please report it responsibly to security@mcpemails.com. We aim to acknowledge reports within 24 hours and resolve confirmed vulnerabilities within 72 hours for critical issues.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
9. Children's Privacy
MCPEmails is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected data from a child, please contact us at privacy@mcpemails.com and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes — such as collecting new categories of data or sharing data with new third parties — we will:
- Update the "Last updated" date at the top of this page.
- Send an email notification to the address registered on your account at least 14 days before the changes take effect.
- Display a prominent notice in the dashboard for 14 days after the change takes effect.
Your continued use of the service after a change takes effect constitutes acceptance of the updated policy. If you disagree with a material change, you may delete your account before the effective date.
11. Contact Us
If you have questions about this Privacy Policy, wish to exercise a data subject right, or want to report a privacy concern, please contact us:
Questions about your data?
Our privacy team is here to help. Email us and we will respond within 30 days.