Privacy Policy — MCP Compliance Preflight

# Privacy Policy -- MCP Compliance Preflight Scanner

**Effective Date:** 2026-06-05
**Entity:** DynSup Labs LLC

## What We Collect

### From Subscribers
- Email address (for account management)
- Payment information (processed by Stripe; we do not store card numbers)
- API key (stored as SHA-256 hash only)

### From Scanned Servers
- Server metadata (name, version, capabilities)
- Tool names and descriptions
- OAuth scope declarations
- Response headers
- No personal data from the scanned server's users is collected

### From Service Usage
- Scan timestamps and target URLs
- Scan results (pass/fail/warn per check)
- Claude API usage metrics (token counts, not content)
- Aggregate request telemetry: funnel stage, endpoint path, coarse geo (country) and network-block/ASN, user-agent category, and a bot-vs-human classification -- collected via Cloudflare Workers Analytics Engine for service-usage measurement. We do not store raw IP addresses or raw user-agent strings.

## How We Use Data

- To perform compliance scans as requested
- To enforce rate limits and subscription tiers
- To track spending against risk-control caps
- To improve scan accuracy (aggregated, anonymized)

## Subprocessors

| Subprocessor | Purpose | Data Shared |
|---|---|---|
| Cloudflare | Hosting, KV storage, D1 database | All service data |
| Stripe | Payment processing (merchant of record: DynSup Labs LLC) | Subscriber payment info |
| Anthropic (Claude API) | Semantic analysis of tool descriptions | Tool names and descriptions from scanned servers |

## AI Disclosure

This Service uses Claude (Anthropic) AI to analyze tool descriptions from scanned MCP servers. Tool descriptions are sent to Anthropic's API for analysis. Anthropic's data retention and usage policies apply to this data. We do not send subscriber PII to Anthropic.

## Data Retention

- Scan results: 90 days
- Subscriber account data: duration of subscription + 30 days
- Payment records: 7 years (tax compliance)
- Aggregated analytics: indefinite (these are counts by funnel stage / country / user-agent category and contain no identifiers)
- Bot-deduplication signal: a salted hash whose salt rotates daily and is discarded on rotation, so the signal de-links within 24 hours; never retained as a long-term identifier

## Your Rights

### CCPA (California Residents)
- Right to know what data we collect
- Right to delete (subject to legal retention requirements)
- We do not sell or share personal information

### GDPR (EU Residents)
- Legal basis: Contract performance (scans), Legitimate interest (security)
- Right to access, rectification, erasure, portability
- Contact: privacy@dynsuplabs.com

## Contact

For privacy inquiries: privacy@dynsuplabs.com