Privacy Policy
Last updated: April 2026
Short version: We don't log your tool calls, we don't read your files, and we don't sell your data. Ever.
What MCPLink does
MCPLink is a relay service. When an AI assistant calls a tool through MCPLink, the request travels through our proxy to your device and the result travels back. We act as a dumb pipe — the content passes through but is never stored, inspected, or retained.
What we collect
We collect the minimum necessary to operate the service:
- Device ID — a random identifier generated on your device at registration. Used to authenticate your connection.
- Username — a generated human-readable handle derived from your device ID (e.g.
calm-river-3a7f).
- Email address — optional, only if you provide it. Used for billing-related communication.
- Usage counts — a daily request counter per device, used to enforce plan limits. No timestamps, no tool names, no content.
- Connection metadata — IP address and connection time, held in server logs for up to 7 days for abuse prevention.
We do not collect:
- The content of any tool calls (file contents, shell output, screen captures, etc.)
- The names of tools you call
- Browsing behaviour or analytics
- Any data from your computer beyond what you explicitly pass through a tool call
Billing data (paid plans)
Payments are handled by Stripe. We store your Stripe customer ID and subscription status so we can manage your plan. We never see or store your full card number. Stripe's privacy policy governs payment data: stripe.com/privacy.
How we use data
- To authenticate your device and route tool calls to it
- To enforce your plan's rate limits
- To manage your subscription if you're on a paid plan
- To investigate abuse or security incidents if necessary
We do not sell, share, or use your data for advertising.
Data storage and security
Account data is stored in an SQLite database on our server. The server is an AWS EC2 instance (Oregon region). We use HTTPS for all client-proxy communication and bearer JWT tokens for device authentication. Tokens expire after 30 days and can be revoked at any time.
Data retention
- Account records are kept for as long as your account is active.
- Daily usage counts are purged after 48 hours.
- Revoked token records are purged after 90 days.
- Server logs are retained for up to 7 days.
Deleting your data
To delete your account and all associated data, email privacy@lxg2it.com. We will process the request within 7 days.
Children
MCPLink is not directed at children under 13. We do not knowingly collect data from children.
Changes to this policy
We'll update the "Last updated" date at the top of this page if we make changes. Continued use of the service after changes constitutes acceptance.
Contact
Questions? Email privacy@lxg2it.com.