Privacy Policy

Effective Date: April 27, 2026

At MCP Bundles ("MCP Bundles," "we," "us," or "our"), the privacy of our users is a key part of our philosophy. This Privacy Policy document contains types of information that is collected and recorded by MCP Bundles and how we use it. If you have additional questions or require more information about our Privacy Policy, do not hesitate to contact us at support@mcpbundles.com.

MCP Bundles is a product of ThinkChain Inc ("ThinkChain").

By using our services including our site at mcpbundles.com, and our API services, you hereby consent to our Privacy Policy and agree to its terms. If you do not agree to our Privacy Policy, you should not use the services.

Information We Collect

The personal information that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point we ask you to provide your personal information. We automatically collect the following types of information when you use our Services:

Account Information

  • Email address
  • Full name (optional)
  • Password hash (never stored in plaintext)
  • User preferences (theme, settings)
  • Account creation and modification timestamps
  • Last login date and time

Service Credentials

  • Third-party API keys and credentials (encrypted)
  • OAuth2 access tokens and refresh tokens (encrypted)
  • OAuth2 granted scopes and permissions
  • Provider-specific credential data (encrypted)
  • AI service provider API keys (OpenAI, Anthropic, Google - encrypted)
  • Personal access tokens for MCP server API access

Usage Data

  • Pages and files accessed
  • Time of access
  • Browser version and type
  • Operating system
  • Device information
  • Previously visited pages
  • IP address
  • Session ID
  • MCP server and tool usage statistics
  • API call logs and metadata

Billing Information

  • Stripe customer ID
  • Subscription status and plan details
  • Payment history (processed and stored by Stripe)
  • Billing address (stored by Stripe)

Note: We do not store credit card numbers or complete payment card details. All payment processing is handled securely by Stripe, our payment processor.

How We Use Your Information

We use your information to:

  • Provide and improve our Services
  • Enable MCP (Model Context Protocol) integrations with third-party services
  • Authenticate and authorize access to external APIs on your behalf
  • Process your subscription and billing
  • Maintain and enhance security
  • Prevent abuse of our Services
  • Comply with legal obligations
  • Communicate with you about service updates, security alerts, and support
  • Perform analytics to improve our platform
  • Optimize our Services and user experience
  • Provide customer support
  • Monitor and troubleshoot technical issues
  • Validate and refresh OAuth tokens automatically

Third-Party Services and Integrations

MCP Bundles is designed to connect your AI assistants to external services. When you connect a provider (such as Gmail, GitHub, Notion, Slack, etc.), we store your credentials and act as an intermediary to make API calls on your behalf. We only access the specific scopes and permissions you grant during the OAuth authorization process.

Services We Integrate With

Our platform supports hundreds of third-party service integrations. When you authorize these services, we:

  • Store only the access credentials necessary to authenticate API requests
  • Encrypt all credentials at rest using industry-standard encryption
  • Never share your credentials with other users or third parties
  • Allow you to revoke access at any time through your dashboard
  • Automatically refresh expired tokens when possible

Google User Data

When you connect a Google provider, MCP Bundles requests only the Google OAuth scopes shown during the Google authorization flow for that provider and permission tier. Depending on the Google provider you choose to connect, Google user data may include:

  • Gmail data, including messages, message metadata, labels, drafts, attachments, filters, settings, and email sending actions.
  • Google Calendar data, including calendars, calendar metadata, events, attendees, times, descriptions, and event updates.
  • Google Tasks data, including task lists, tasks, task status, due dates, notes, and task updates.
  • Google People and Contacts data, including names, email addresses, phone numbers, organizations, and contact records.
  • Google Drive, Docs, Sheets, Slides, and Forms data, including files the connected account authorizes, document content, spreadsheet values, presentation content, form structure, form metadata, and form responses.
  • Google Chat data, including spaces, memberships, messages, and messages created through MCP Bundles at your request.
  • Google Analytics, Search Console, YouTube, Google Ads, Google Tag Manager, Blogger, and Classroom data, including account metadata, reporting data, configuration data, and user-requested changes supported by the connected provider.
  • OAuth tokens, refresh tokens, granted scopes, token expiry metadata, and provider account identifiers needed to keep the connection working.

How We Use Google User Data

We use Google user data only to provide and improve user-facing MCP Bundles functionality, including to:

  • Authenticate your Google connection and refresh OAuth tokens when Google permits refresh.
  • Execute tool calls, automations, and MCP requests that you or your authorized workspace users initiate.
  • Return Google data and tool results to your MCP client, AI assistant, browser session, or API client for the workflow you requested.
  • Create, update, send, delete, or otherwise modify Google records only when a connected tool action requests that change.
  • Maintain security, prevent abuse, debug failures, show execution history, and provide support.

Google Data Sharing and AI Processing

We do not sell Google user data. We do not use Google user data for advertising, retargeting, credit decisions, unrelated profiling, or training general-purpose AI or machine learning models. Google user data may be transferred only as needed to provide the functionality you request:

  • To Google APIs, to complete the Google action you requested.
  • To the MCP client, AI assistant, model provider, or API client you choose for the workflow, so it can receive the tool result or act on your instruction.
  • To infrastructure, hosting, database, logging, security, and support providers that process data for MCP Bundles under confidentiality and security obligations.
  • To comply with applicable law, enforce our terms, or protect MCP Bundles, users, or third parties from abuse or security threats.

MCP Bundles personnel do not read Google user data except when you ask us to access specific information for support, when access is required for security or abuse investigation, or when access is necessary to comply with law. Internal access is limited to authorized personnel and the minimum data needed for the approved purpose.

MCP Bundles' use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Google Data Storage, Protection, and Deletion

  • Google OAuth access tokens, refresh tokens, credential fields, and provider-specific credential data are encrypted at rest.
  • Google user data is transmitted over TLS and protected by workspace-scoped access controls.
  • We do not make a broad permanent copy of Google content solely because you connect a Google account. Tool results, execution metadata, audit records, support records, and user-created outputs may be retained when needed to provide the requested service, maintain security, or comply with legal obligations.
  • When you delete a Google credential, the stored OAuth tokens and encrypted credential data for that connection are deleted. When you delete your account, Google user data associated with your account is deleted or anonymized within 30 days except where retention is required for legal, security, or abuse-prevention purposes.
  • You can revoke MCP Bundles' Google access from your Google Account permissions page, and you can delete connected credentials from the MCP Bundles dashboard.

How We Share Your Information

We disclose information:

  • To third-party service providers you explicitly authorize (via OAuth or API key)
  • To our service providers and contractors who assist in operating our platform (e.g., hosting, database, payment processing)
  • To fulfill any purpose you provide it for
  • With your explicit consent
  • To comply with legal obligations, court orders, or government requests
  • To protect our rights, property, safety, or the rights of our users or third parties
  • To a buyer or successor in case of business transfer, merger, or acquisition

We do not sell your personal information to third parties.

For Google user data, the Google User Data section controls where it is more specific than this general sharing section.

Data Security

We take data security seriously and implement multiple layers of protection:

  • Encryption at Rest: Sensitive credentials, API keys, and tokens are encrypted using Fernet (symmetric encryption with industry‑standard cryptography)
  • Encryption in Transit: All data transmission uses TLS 1.2 or higher
  • Password Security: User passwords are hashed using Argon2id with per-user salts
  • Token Security: API tokens are stored as SHA-256 hashes, not plaintext
  • Access Controls: Database access is restricted and monitored
  • Regular Security Audits: We perform regular security assessments and updates

While we implement strong security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but commit to maintaining industry-standard protections.

Cookies and Tracking Technologies

MCP Bundles uses cookies and similar tracking technologies to enhance your experience. Cookies are small data files stored on your device that help us:

  • Keep you logged in between sessions
  • Remember your preferences and settings
  • Analyze site traffic and usage patterns
  • Improve site performance and functionality
  • Prevent fraud and enhance security

You can set your browser to refuse cookies, but some features of our Services may not function properly without them.

Log Files

MCP Bundles follows a standard procedure of using log files. These files log visitors when they visit our website and use our services. The information collected includes IP addresses, browser type, Internet Service Provider (ISP), date and time stamps, referring/exit pages, and click data. This information is used for analyzing trends, administering the site, tracking user movement, gathering demographic information, and detecting potential security issues.

Log data is not linked to personally identifiable information except when investigating security incidents or abuse.

Data Retention

We retain your personal information for as long as necessary to:

  • Provide you with our Services
  • Comply with legal obligations
  • Resolve disputes
  • Enforce our agreements

When you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal or security purposes. Connected-service credentials are deleted when you delete the credential, and otherwise removed during the account deletion process within 30 days.

Your Rights Under GDPR (European Users)

If you are located in the European Economic Area (EEA), you have the following rights:

  • Right to Access: Request copies of your personal data
  • Right to Rectification: Request correction of inaccurate information
  • Right to Erasure: Request deletion of your personal data
  • Right to Restriction: Request restriction of processing your data
  • Right to Object: Object to our processing of your personal data
  • Right to Data Portability: Request transfer of your data to another organization or directly to you
  • Right to Withdraw Consent: Withdraw consent at any time where we rely on consent to process your data

To exercise these rights, please contact us at privacy@mcpbundles.com. We will respond to your request within one month.

Your Rights Under CCPA (California Users)

Under the California Consumer Privacy Act (CCPA), California consumers have the right to:

  • Right to Know: Request disclosure of the categories and specific pieces of personal data we have collected about you
  • Right to Delete: Request deletion of your personal data
  • Right to Opt-Out: Request that we not sell your personal information (Note: We do not sell personal information)
  • Right to Non-Discrimination: Exercise your privacy rights without receiving discriminatory treatment

To make a request, contact us at privacy@mcpbundles.com. We will verify your identity and respond within 45 days.

California "Do Not Sell" Disclosure

We do not sell your personal information as defined by the CCPA. We have not sold personal information in the past 12 months and do not have plans to sell personal information in the future.

Children's Privacy

Our Services are not directed to individuals under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@mcpbundles.com so we can delete that information.

International Data Transfers

Your information may be transferred to and maintained on computers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ. By using our Services, you consent to the transfer of your information to the United States and other countries where we operate.

For users in the EEA, we ensure adequate safeguards are in place for international transfers, including Standard Contractual Clauses approved by the European Commission.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top. For significant changes, we will provide more prominent notice (such as email notification).

If we materially change how MCP Bundles accesses, uses, stores, or shares Google user data, we will update this Privacy Policy and request any additional consent required before applying that change to your Google connection.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

Contact Us

If you have any questions about this Privacy Policy, please contact us:

Email: privacy@mcpbundles.com

Support: support@mcpbundles.com

Website: https://mcpbundles.com

Also see our Terms of Service

© 2026 ThinkChain Inc. MCP Bundles is a ThinkChain Inc product. All rights reserved.

Privacy Policy - MCP Bundles