Privacy Policy

1. Data We Collect

When you use WP MCP we collect:

• Account data: email address, hashed password, plan tier.
• WordPress credentials: your site URL and Application Password, stored AES-256 encrypted.
• Usage data: tool name, timestamp, latency, and success/error status for each MCP call.
• Log data: IP address, user-agent, and request timestamps for security and rate-limiting.

2. How We Use Data

• To provide and improve the Service.
• To detect abuse and enforce rate limits.
• To send transactional emails (password reset, quota warnings) via Resend.
• To comply with legal obligations.

3. Data Sharing

We do not sell your data. We share data only with:

• Resend — for transactional email delivery.
• Google Cloud Platform — for hosting (Cloud Run, Cloud SQL).
• Law enforcement when required by law.

4. Data Retention

Usage logs are retained for 90 days. Account data is retained until you delete your account. On deletion, your credentials are immediately removed; aggregated usage statistics may be retained for up to 12 months for analytics.

5. Your Rights (GDPR)

If you are in the EEA or UK you have the right to access, correct, or erase your personal data, restrict or object to processing, and data portability. Use the dashboard Export / Delete Account features, or contact us at privacy@wpmcp.io.

6. Cookies

The dashboard uses a single session cookie (JWT stored in memory) and no third-party tracking cookies.

7. Security

We use TLS in transit, AES-256 at rest for credentials, bcrypt for passwords, and regular security audits. Despite these measures, no system is 100% secure.

8. Children

The Service is not directed at children under 16. We do not knowingly collect data from children.

9. Changes

We will notify you by email of material changes to this policy.

10. Contact

Data controller: WP MCP. Contact: privacy@wpmcp.io