Privacy Policy

Last updated: 2026-05-04

Privacy at a Glance

We collect:

  • Email and display name (account basics)
  • Projects, sections, tasks, labels, comments, and image attachments you create
  • Subscription metadata (Stripe customer ID and tier only — no card details)
  • API keys / MCP OAuth grants you authorize, plus audit logs of actions performed via them
  • Push-notification device tokens for devices where you enabled notifications
  • Basic server log data

We don't:

  • Run advertising or remarketing
  • Use cross-site tracking cookies
  • Sell your data to third parties

We use essential cookies for authentication and security. With your explicit consent (cookie banner on first visit), we also load Firebase Analytics to understand product usage in aggregate. You can decline at any time. Read the full details below.

MCPlan ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at mcplan.ai.

By using MCPlan, you agree to the collection and use of information in accordance with this policy.

Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Display name (if provided)
  • Profile picture (if provided via Google OAuth)
  • Authentication credentials (securely managed by Firebase Authentication). Sign-in is currently available via Google OAuth or email/password; additional providers may be added in the future.

User-Generated Content

When you use MCPlan, we store:

  • Projects, sections, tasks, and labels you create
  • Comments and task attachments you upload
  • Saved filter views and workspace preferences
  • Notifications generated for your account

Subscription & Billing Data

If you subscribe to a paid plan, we store a minimal billing record on our side: your Stripe customer ID and current subscription tier. Full invoice history, payment methods, and all card data are held and processed by Stripe on our behalf. We never receive or store your full payment card details.

MCP Access Tokens

When you connect an external MCP client (e.g., Claude Desktop, Cursor) to your MCPlan account, we store an API key / OAuth record including a label you choose, the access scope (currently account-wide or limited to a specific team), creation timestamp, and last-used timestamp. You can revoke any authorized client or key at any time from your account settings.

Notification & Device Data

To deliver task reminders and other push notifications, we store Firebase Cloud Messaging (FCM) device tokens for each device on which you enable notifications, along with a log of notifications sent to you in-app. You can remove an FCM token by signing out of the device or disabling notifications in your settings.

Security & Audit Logs

For security and abuse prevention, we record metadata about sensitive actions performed through the MCP API and the web app (e.g., which tool was invoked, by which API key, timestamp, and result status). Audit logs do not contain your full task content.

Usage Information

We automatically collect certain information about your device and how you interact with MCPlan:

  • IP address and general location
  • Browser type and version
  • Device information
  • Pages visited and features used
  • Date and time of access

Sources of Data (Art. 14 GDPR)

Most data we hold about you comes from you directly (the account form, the content you create in MCPlan, and your use of the Service). When you sign in with a third-party identity provider (currently Google), we additionally receive the following data from that provider, based on the permissions you grant at the consent screen:

  • a stable user identifier
  • your email address
  • your display name
  • your profile picture URL (if available)

Category of recipient / source: Google Ireland Limited and Google LLC. We store this data only for as long as your MCPlan account exists. For Google's own processing of the sign-in event, please refer to Google's Privacy Policy.

Cookies and Similar Technologies

Cookies We Use

MCPlan uses strictly necessary cookies required for the platform to function (session, authentication, CSRF protection, and preference memory). These cookies cannot be disabled without preventing the platform from working properly.

Analytics and Tracking

MCPlan uses Firebase Analytics (Google) to understand aggregate product usage — page views, feature adoption, retention. We load Firebase Analytics only after you accept the cookie banner shown on your first visit. If you decline, no analytics SDK is loaded and no analytics events are sent.

Firebase Analytics may set first-party cookies (e.g., _ga) once enabled. Data is stored by Google with IP anonymisation, and aggregated reports are visible only to MCPlan staff. We never run advertising, remarketing, or cross-site tracking.

You can change your choice at any time from Settings → Privacy. Server logs (IP, user agent, status codes) are retained short-term for debugging and security regardless of analytics consent.

We will never:

  • Track you across other websites
  • Serve targeted advertisements
  • Sell your data to third parties

How We Use Your Information

  • Provide and maintain the service (projects, tasks, real-time sync, MCP API access, authentication)
  • Improve user experience by understanding feature usage
  • Communicate important service updates, security alerts, and respond to your inquiries
  • Protect against fraud, abuse, and security threats
  • Process payments and manage subscription tiers
  • Comply with applicable laws and regulations

Third-Party Services

MCPlan integrates with several third-party services. Your use of these services is subject to their respective privacy policies.

Firebase (Google Cloud Platform)

We use Firebase for authentication, Firestore database, Cloud Storage, Cloud Functions, and App Hosting. Firebase (operated by Google Ireland Limited / Google LLC) acts as our processor (Auftragsverarbeiter) under Art. 28 GDPR. We have accepted Google's Data Processing and Security Terms, which include EU Standard Contractual Clauses for transfers outside the EEA. Firebase processes data according to Google's Privacy Policy.

Stripe

Stripe acts as an independent data controller for payment data under its own privacy policy and Services Agreement. When you enter payment details, those details are collected and processed directly by Stripe — MCPlan never receives your full card data. In return, we receive from Stripe only the metadata we need to reconcile your subscription: your Stripe customer ID, the product/tier you purchased, and invoice IDs. See Stripe's Privacy Policy and Stripe Services Agreement.

Resend

We use Resend for transactional emails (password resets, task reminders, workspace invites, subscription notifications). Resend acts as our processor (Auftragsverarbeiter) under Art. 28 GDPR and we have entered into Resend's Data Processing Agreement. When we send you an email via Resend, we pass the minimum data needed to render it: your email address and display name, plus message-specific content such as task titles, due dates, project names, invite tokens, or reset links. Resend processes this data according to their privacy policy. We do not use Resend for marketing emails without your explicit consent.

External MCP Clients

When you authorize an external MCP client (e.g., Claude Desktop, Cursor, or any other compliant client) via OAuth, that client receives the scoped access you grant and can read or modify project data on your behalf. Data transmitted to an authorized client is governed by the client's own privacy practices. You are responsible for choosing which clients to authorize and can revoke access at any time from your account settings.

Data Security

We implement industry-standard security measures to protect your personal information. However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

Data Breach Notification

In the event of a data breach that affects your personal information, we are committed to transparency and prompt notification in compliance with applicable laws (including GDPR Articles 33 and 34). Our breach notification process includes:

  • Notification to supervisory authorities within 72 hours of becoming aware of the breach (as required by GDPR)
  • Direct notification to affected users via email and an in-platform banner
  • Clear description of the nature of the breach, categories of data affected, and potential consequences
  • Information about measures taken to address the breach and mitigate harm
  • Recommended actions you can take to protect yourself

Your Rights and Choices

Depending on your location, you may have the following rights:

  • Access and Portability: request a copy of the personal data we hold about you. We currently honor export requests manually — email contact@mcplan.ai and we will return your data in a machine-readable format within 30 days
  • Correction: update your account information at any time through your profile settings
  • Deletion: request deletion of your account and associated data
  • Objection and Restriction: object to certain types of processing or request that we restrict how we use your data

To exercise any of these rights, contact contact@mcplan.ai.

GDPR Compliance (European Users)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

  • Right to be informed about data collection and use
  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Rights related to automated decision-making and profiling
  • Right to lodge a complaint with a supervisory authority

Competent Supervisory Authority

The supervisory authority competent for MCPlan (Mø's IT, Lübeck) is:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98
24103 Kiel
Germany
www.datenschutzzentrum.de

Data Protection Officer

Under § 38 BDSG, MCPlan is not required to designate a data-protection officer. All privacy inquiries should be directed to contact@mcplan.ai.

Legal Grounds for Processing

  • Contract: processing necessary to provide the service (Art. 6(1)(b) GDPR)
  • Legitimate interests: improving the platform and preventing fraud (Art. 6(1)(f) GDPR)
  • Consent: for optional features such as analytics (Art. 6(1)(a) GDPR)
  • Legal obligation: compliance with applicable laws (Art. 6(1)(c) GDPR)

CCPA Compliance (California Residents)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: request information about the categories and specific pieces of personal information we have collected about you
  • Right to Delete: request deletion of your personal information, subject to certain exceptions
  • Right to Opt-Out of Sale: we do not sell your personal information to third parties
  • Right to Non-Discrimination: we will not discriminate against you for exercising any of your CCPA rights
  • Right to Correct: request correction of inaccurate personal information

To exercise your California privacy rights, contact contact@mcplan.ai with the subject line "California Privacy Request". We will verify your identity before processing your request and respond within 45 days.

Children's Privacy

MCPlan is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

Data Retention

We retain your personal information for as long as your account is active or as needed to provide you services. We will retain and use your information as necessary to comply with legal obligations, resolve disputes, enforce our agreements, and maintain security and prevent fraud.

When you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it by law. Billing records are retained for up to 10 years to comply with German tax and commercial law (§ 147 AO, § 257 HGB).

International Data Transfers

Your data may be transferred to and stored on servers located outside your country of residence. We use Firebase (Google Cloud Platform), which may store data in various regions globally. These international transfers are protected by appropriate safeguards, including:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission
  • EU-US Data Privacy Framework (DPF) compliance — Google LLC is self-certified under the DPF, which the European Commission recognised by adequacy decision on 10 July 2023
  • Google Cloud Platform's GDPR compliance mechanisms and certifications
  • Appropriate technical and organizational security measures

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date at the top. You are advised to review this Privacy Policy periodically for any changes. Changes are effective when posted on this page.

Contact Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us:

Email: contact@mcplan.ai
Website: mcplan.ai
Legal: Impress