Privacy Policy · The PluggedIn MCP
1. About this policy
This product-specific Privacy Policy describes how The PluggedIn MCP (at mcp.genaiunplugged.com) handles your data. It is supplemental to the GenAI Unplugged Privacy Policy (the "Master Privacy Policy"), which covers your data-subject rights (access, correction, deletion, opt-out, portability, CCPA, GDPR), children's privacy, data security standards, and the company-wide contact for privacy requests. In the event of any conflict, the Master Privacy Policy controls.
2. Data controller
GENAI UNPLUGGED LLC (Pennsylvania, USA) is the sole data controller for The PluggedIn MCP. There is no co-brand partner, no revenue-share partner, and no joint controller. Cloudflare, Oracle Cloud, and the other services listed in Section 6 act as data processors under our instructions; they are not independent controllers of your MCP data.
3. What we collect from you
We collect the minimum data needed to operate the subscriber gate, OAuth authentication, MCP tool dispatch, and the audit log.
From the sign-in flow (OAuth and account browser)
- Your Substack email address. Provided by you at login, used to verify subscriber status and mint OAuth tokens.
- Your Substack subscriber tier (free or paid). Resolved from the subs-validator microservice by reading our local Substack subscriber database. We do not receive your Substack password or session credentials.
From the OAuth token lifecycle
- OAuth client registration metadata (client ID, redirect URI). Created at first connect by your MCP client via RFC 7591 dynamic client registration.
- Short-lived authorization codes, access tokens, and refresh tokens. Generated by us, stored server-side in Cloudflare KV. These are opaque tokens; they contain no sensitive payload beyond email + tier.
- A reverse index of email → token IDs, used to support instant tier-flip and one-click disconnect.
From the account browser session
- A signed session cookie (mcp_account_session). Set in your browser after you click the magic link from the account-flow. Stores your email address and an expiry timestamp. This cookie is used only for the /account browser UI; it does not authenticate MCP tool calls.
From MCP tool calls
- An audit log row per tool call: { email, tool_name, model_or_provider, status, timestamp }. We log that a call happened, not what was in it. See "What we do NOT collect" for what is explicitly excluded.
From BYOK headers (X-BYOK-*)
- Nothing. Third-party API key values passed in X-BYOK-* headers are never collected, never logged, never persisted. They travel in-memory from your MCP client to the upstream provider within a single request lifecycle and are then dropped. See Section 5 for the full technical description.
From the magic-link email flow
- Your email address. Passed to AWS SES (us-east-1, primary) for delivery of the one-time sign-in link, with Resend (US) as a configured fallback. Only one provider handles a given email at a time. The link encodes a 1-hour single-use JWT; we do not retain the JWT after it is verified or expired.
4. How we use it
| Purpose | Data used |
|---|---|
| Verify subscriber status at sign-in | Email address |
| Mint and validate OAuth tokens | Email, tier |
| Gate MCP tool access by tier | Tier (resolved from KV per request) |
| Deliver sign-in magic links | Email address |
| Serve the /account browser UI | mcp_account_session cookie |
| Detect abuse, investigate disputes | Audit log (email, tool, model, status, timestamp) |
| Enforce per-email rate limits (20 calls/hour and 100 calls/day per tool) | Email + tool name (via Cloudflare KV counters keyed on email; the audit log itself is read for dispute investigation, not for live rate-limit decisions) |
| Propagate tier changes within 90 minutes | Email → tokens reverse index + subs-validator sync |
| Support one-click disconnect | Email → tokens reverse index |
| Respond to your data deletion request | All of the above |
We do not use your data for advertising, behavioral profiling, or sale to third parties.
5. What we do NOT collect, stated explicitly
The following items are explicitly excluded from collection. This section backs the "We never store your keys" claim made on the product page.
- Third-party API key values (X-BYOK-Gemini, X-BYOK-OpenAI, X-BYOK-Anthropic, X-BYOK-YouTube, X-BYOK-Perplexity, X-BYOK-Tavily, X-BYOK-ElevenLabs): key values travel in the X-BYOK-* request header from your MCP client to the Cloudflare Worker. The Worker reads the header value, forwards it to the upstream provider in the same request, and allows it to fall out of memory when the request ends. The key value is never written to Cloudflare KV, Cloudflare D1, Oracle storage, application logs, or any other persistent medium.
- Tool call inputs: the arguments your MCP client passes to a tool (your prompts, query strings, file paths, URLs) are not logged or stored by us. Only the fact that a call occurred is recorded in the audit log.
- Tool call outputs: content returned to your MCP client is not logged or stored by us.
- Your Substack password: we authenticate via Substack-issued session tokens that you hold. We never see your Substack login credentials.
- Substack session cookies: if your MCP client presents a Substack session cookie for any reason, we do not store it.
- Payment card data: we do not process payments. Billing occurs on Substack.
6. Third-party processors
| Processor | Role | Data sent | Retention |
|---|---|---|---|
| Cloudflare Workers (US) | Hosts mcp.genaiunplugged.com; receives every request | Request metadata (IP, user agent, path); email + tier resolved from KV | Cloudflare operational logs per Cloudflare's retention (typically ≤ 30 days) |
| Cloudflare KV (US) | Server-side token store | OAuth client registrations, auth codes, access tokens, refresh tokens, email + tier per token, email → tokens index | Per-record TTLs: auth codes 10 min; access tokens 1 h; refresh tokens + email → tokens index 90 days; client registrations 1 year |
| Cloudflare D1 (US) | Append-only audit log | { email, tool_name, model_or_provider, status, timestamp } only. No key values, no inputs, no outputs | 90 days, then auto-deleted |
| Oracle Cloud (Ashburn, US) | FastAPI backend for OAuth UI and bridge endpoints (/auth/mcp/*, /bridge/*) | Email address (sign-in and magic-link flows); subscriber tier lookup via subs-validator | Operational logs per Oracle Cloud defaults; subscriber SQLite is a read-only replica updated from Substack on a 30-minute sync cadence |
| Subs-validator microservice (loopback on Oracle, port 8200) | Resolves subscriber tier from local SQLite | Email address (read-only lookup) | No new data stored; SQLite is a sync of your Substack subscriber record |
| AWS SES (us-east-1, primary) | Magic-link email delivery | Email address, one-time link | SES delivery logs per AWS defaults (typically ≤ 30 days) |
| Resend (US, fallback) | Magic-link email delivery if SES is unavailable | Email address, one-time link | Resend delivery logs per provider defaults (typically ≤ 30 days) |
| Substack | Source of subscriber tier data (pulled by subs-validator sync) | Subscriber list (server-side sync) | Until you unsubscribe |
Your MCP client (Claude Desktop, Cursor, Cline, etc.) is not our sub-processor. Your MCP client is your application; it calls our server on your behalf. We do not share your data with your MCP client vendor beyond what your MCP client receives in the normal tool response.
7. Sessions and cookies
We set a single session cookie in your browser:
| Cookie | Scope | TTL | Flags | Purpose |
|---|---|---|---|---|
| mcp_account_session | mcp.genaiunplugged.com | 7 days | HttpOnly, Secure, SameSite=Lax, Path=/ | Browser sign-in for the /account UI only. Not used for MCP tool calls. Stores email + expiry timestamp. First-party. |
OAuth access tokens (1-hour TTL) and refresh tokens (90-day TTL) are stored server-side in Cloudflare KV and delivered to your MCP client as bearer tokens, not cookies. They are not accessible from the browser.
No analytics cookies, no advertising pixels, and no tracking scripts are set at mcp.genaiunplugged.com.
8. Data retention summary
| Data | Where stored | Retention |
|---|---|---|
| OAuth client registrations | Cloudflare KV | 1 year |
| Auth codes | Cloudflare KV | 10 minutes |
| Access tokens (email + tier) | Cloudflare KV | 1 hour |
| Refresh tokens (email + tier) | Cloudflare KV | 90 days |
| Email → tokens reverse index | Cloudflare KV | 90 days |
| mcp_account_session cookie | User's browser only | 7 days |
| Audit log { email, tool, model, ts, status } | Cloudflare D1 | 90 days, then auto-deleted |
| Third-party API key values (BYOK) | Never stored | 0; dropped on request completion |
| Tool call inputs and outputs | Never stored | 0 |
| Magic-link JWTs | Never stored after verification | One-time use, 1-hour expiry, then discarded |
9. International transfers
All infrastructure for The PluggedIn MCP is located in the United States (Cloudflare US regions, Oracle Cloud Ashburn US, AWS SES us-east-1, Resend US fallback). We do not intentionally route your data outside the United States. See the Master Privacy Policy for the company-wide transfer position.
10. Your rights
Your data-subject rights, including access, correction, deletion, opt-out, portability, CCPA rights for California residents, and GDPR rights for EEA residents, are described in the Master Privacy Policy.
For The PluggedIn MCP specifically:
- Disconnect: revoke all OAuth tokens immediately from mcp.genaiunplugged.com/account. This deletes all KV token records associated with your email within the session.
- Delete audit log rows: email support@genaiunplugged.com with the subject "MCP data deletion request". We will delete your audit log rows within 30 days. The 90-day auto-purge deletes all rows regardless.
- Delete account-session cookie: clear mcp_account_session from your browser at any time via your browser's cookie manager.
- All other data-subject requests: contact support@genaiunplugged.com. We will respond to data deletion requests within 30 days.
11. Conflict with Master Privacy Policy
Nothing in this product Privacy Policy expands, reduces, or overrides the GenAI Unplugged Master Privacy Policy. If any provision here conflicts with the Master Privacy Policy, the Master Privacy Policy controls.