M MCPowered Scan a server
DirectoryRegistrySecurityInstallLearnBuild Scan a server

Legal

Privacy Policy

Last updated: 2026-05-27

MCPowered's operating posture at v0 is no-account-required, no-PII-collected, and minimum data retention for the operations the site provides. This page explains what that means in practice.

What MCPowered collects

At the free tier, MCPowered collects the following data:

  • Scan submission URLs. When you submit an MCP server (GitHub URL or npm package name) for scanning, MCPowered records the URL or package identifier. This becomes part of the catalog record for the server.
  • Your IP address. Recorded only for rate-limiting and abuse prevention. Retained for 30 days, then deleted.
  • Standard server logs. Cloudflare records the standard HTTP request metadata: timestamp, request path, response code, user agent, referrer. Used for operational debugging and traffic analysis. Retained per Cloudflare's standard retention.
  • Appeals contact form submissions. If you submit an appeal via the methodology page, MCPowered records the contact you provided, the URL you disputed, and the substance of your dispute. Retained until the appeal is resolved plus 12 months of audit-log retention.

What MCPowered does not collect

  • No account is required. MCPowered does not collect email, name, phone number, or any other personally-identifying information at the free tier.
  • No third-party analytics fingerprinting. MCPowered does not embed Google Analytics, Facebook Pixel, Mixpanel, Segment, or any similar tracker.
  • No advertising tracking. MCPowered carries no advertising; no advertising-network identifiers are collected or transmitted.
  • No cookies for tracking purposes. The site uses no cookies at v0. Operational cookies may be set by Cloudflare's edge for DDoS protection; these are functional and do not enable tracking.

Catalog data

Scan results, server metadata, and publisher signal data make up the public catalog. This data is sourced from public registries (GitHub API, npm registry, the LF AAIF official MCP registry, public awesome-list curation, and operator review) and from MCPowered's own scanner output. It is intended for public display.

If you are the publisher of a server in the catalog and want to dispute any factual element of the scan output, the appeals process on the methodology page is the entry point.

Third-party services

  • Cloudflare. Hosts MCPowered's CDN, edge logic, and DNS. Cloudflare's privacy policy applies to the request-level data Cloudflare processes on MCPowered's behalf.
  • GitHub. Public repository data is fetched via the GitHub REST and GraphQL APIs to build catalog records and run scans. No data about MCPowered visitors is sent to GitHub.
  • npm, PyPI, Crates.io. Public package metadata is fetched to identify dependencies and CVEs. No data about MCPowered visitors is sent.
  • GitHub Advisory Database. Public CVE data is fetched for the dependency check. No data about MCPowered visitors is sent.

Data MCPowered does not sell or share

MCPowered does not sell scan submission data, IP data, or any other visitor data to third parties. MCPowered does not share scan submission data with the publishers of the servers being scanned (other than the public per-server pages the scan results render on).

Aggregate statistics (e.g. "X% of indexed MCP servers have at least one warning-severity finding") may be published as catalog-level analysis. No per-visitor data is involved in aggregate statistics.

Data retention

  • Scan submission URLs: retained as the catalog record for the server. Catalog records persist until the server is removed from the catalog (e.g. archived repository, publisher request, MCPowered curation decision).
  • IP addresses: 30 days for rate-limiting; then deleted.
  • Server logs (Cloudflare): per Cloudflare's standard retention policy.
  • Appeals contact form submissions: until resolution plus 12 months of audit-log retention.

The verified-publisher tier (post-v0) will collect publisher contact information, signed attestation documents, and payment information (via Stripe, which has its own privacy policy). When the paid tier launches, an addendum to this policy will be published at this URL describing the additional data collected and how it is processed.

Your rights

Because MCPowered does not collect personally identifying information at the free tier, there is no individual-data record to access, correct, or delete. If you submit an appeal via the methodology page, you have the right to request deletion of the appeals record after resolution.

For users in jurisdictions with broad data-protection regulations (GDPR, CCPA, and similar), the absence of personally-identifying data collection at the free tier means most rights provisions do not apply by default. The paid-tier addendum will reflect the relevant regulations when the tier launches.

Contact

For questions about this policy or about data MCPowered may have collected from you, contact privacy@mcpowered.com.