Privacy Policy
Effective Date: 2025-01-01
Last Updated: 2025-01-01
MCPhacker ("we," "us," "our," or "MCPhacker") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the MCPhacker security scanning platform, website, APIs, and all related services (collectively, the "Service").
By accessing or using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with the practices described in this Privacy Policy, please do not use the Service.
This Privacy Policy is incorporated into and subject to our Terms of Service.
1. Information We Collect
We collect information in the following categories:
1.1 Information You Provide Directly
- Email Address: When you create an account, you provide your email address, which serves as your primary identifier and authentication mechanism. We use a passwordless login system, so no passwords are collected or stored.
- Encryption Passphrase (Zero-Knowledge): When you create an account, you provide a passphrase that is used to derive encryption keys for your scan data. This passphrase is processed entirely client-side in your browser and is never transmitted to our servers or stored by MCPhacker. We have no access to your passphrase and cannot recover it if forgotten.
- Scan Target Information: The MCP server URLs, endpoints, and configurations you submit for security scanning. This information is encrypted client-side before being sent to our servers.
- Scan Configuration Data: Any settings, parameters, or preferences you configure for your scans. This information is encrypted client-side before storage.
- Communications: Any information you provide when you contact us for support, submit feedback, or otherwise communicate with us.
1.2 Information Collected Automatically
When you access or use the Service, we automatically collect certain information, including:
- IP Address: Your Internet Protocol (IP) address is collected with each request to the Service. IP addresses are used for security monitoring, rate limiting, abuse prevention, and session management.
- User Agent: Your browser or client user agent string, which includes information about your browser type, version, operating system, and device type.
- Session Data: Information related to your authenticated session, including session identifiers stored in cookies.
- Usage Data: Information about how you interact with the Service, including pages visited, features used, scan frequency, timestamps of access, and error logs.
- Referral Data: The URL of the website that referred you to the Service, if applicable.
1.3 Scan Results Data
When you use the Service to perform security scans, we generate and store:
- Encrypted Scan Results: The complete output of security scans is encrypted client-side using AES-256-GCM encryption before storage on our servers. We store only encrypted blobs and cannot access the plaintext scan results, including identified vulnerabilities, severity ratings, vulnerability details, and remediation suggestions.
- AI Analysis Results: Analysis and insights generated by third-party AI models are also encrypted client-side before storage. MCPhacker does not have access to the plaintext AI analysis.
- Scan Metadata: Non-sensitive metadata such as timestamps, scan duration, scan status, and usage counts are stored in plaintext for license enforcement and usage tracking purposes. Sensitive metadata such as target endpoint information and scan configuration details are encrypted client-side before storage.
1.4 Cookies and Session Data
We use cookies to manage your authenticated session. For full details on our cookie practices, please refer to our Cookie Policy.
- Session Cookie: An httpOnly cookie with a 15-day expiration period, used exclusively for session authentication and management. This cookie is essential for the functioning of the Service and cannot be disabled while using the Service.
1.5 License and Payment Information
When you purchase a license for the Service:
- License Purchase Records: We store records of license purchases, including license type (6-month, 1-year, or lifetime), purchase date, license activation date, and expiration date (if applicable).
- Payment Information: Payment processing is handled by Stripe, a third-party payment processor. MCPhacker does not directly collect, store, or process payment card data. Stripe may provide us with transaction identifiers, payment status, and billing email addresses for record-keeping purposes.
- Usage Counts: We track your daily scan usage to enforce license-based rate limits (e.g., scans per day for your license tier). These counts are stored in plaintext for operational purposes.
1.6 Honeypot Data Collection
MCPhacker operates security monitoring mechanisms, including honeypot endpoints, on certain areas of the Service (such as administrative login pages). These mechanisms are designed to detect and log unauthorized access attempts. If you attempt to access restricted areas of the Service without authorization, the following data may be collected:
- IP Address: The IP address from which the access attempt originated.
- Submitted Credentials: Any usernames, passwords, or other credentials submitted during the unauthorized access attempt.
- Timestamps: The date and time of each access attempt.
- Request Headers: HTTP headers including user agent, referrer, and other request metadata.
- Request Patterns: Frequency and patterns of access attempts from the same source.
This data is collected solely for security purposes, including identifying and preventing malicious activity, protecting the integrity of the Service, and cooperating with law enforcement when necessary. By attempting to access restricted areas of the Service without authorization, you acknowledge that such activity may be logged and reported.
2. Zero-Knowledge Architecture
2.1 Client-Side Encryption
MCPhacker is designed with a zero-knowledge architecture to protect the privacy and confidentiality of your security scan data. This means:
- Encryption Before Transmission: All sensitive scan data, including scan targets, scan configurations, scan results, vulnerability findings, and AI analysis, is encrypted in your browser using strong encryption (AES-256-GCM) before being transmitted to our servers.
- Server-Side Encrypted Storage: Our servers store only encrypted blobs of your scan data. We cannot decrypt or access the plaintext content of your scans, vulnerabilities, or security findings.
- Client-Side Decryption: When you access your scan results, the encrypted data is retrieved from our servers and decrypted in your browser using your passphrase-derived encryption key. Decryption occurs entirely client-side.
2.2 Encryption Technical Details
The Service uses the following cryptographic methods to protect your data:
- Encryption Algorithm: AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode), providing both confidentiality and authenticity.
- Key Derivation: Encryption keys are derived from your passphrase using PBKDF2 (Password-Based Key Derivation Function 2) with a high iteration count and per-user salt, making brute-force attacks computationally infeasible.
- Passphrase Handling: Your passphrase is processed entirely in your browser's JavaScript environment and is never transmitted to our servers in any form. We have no record of your passphrase.
- Key Storage: Encryption keys are stored temporarily in your browser's memory during your session and are cleared when you log out. Keys are never transmitted to or stored on our servers.
2.3 What We CAN Access
MCPhacker has access to the following information:
- Your email address and account authentication tokens.
- License purchase records and license status (active, expired).
- Usage counts and rate limit tracking (number of scans performed per day).
- Non-sensitive scan metadata: timestamps, scan duration, scan status (pending, running, completed, failed).
- Encrypted blobs of scan data (which we cannot decrypt or read).
- IP addresses and session data as described in Section 1.2.
2.4 What We CANNOT Access
Due to the zero-knowledge architecture, MCPhacker does not have access to:
- Your encryption passphrase.
- Scan targets (MCP server URLs and endpoints).
- Scan configurations and parameters.
- Scan results, including identified vulnerabilities and security findings.
- Vulnerability severity ratings or descriptions.
- AI-generated analysis and remediation suggestions.
- Any other sensitive scan data that is encrypted client-side.
2.5 Passphrase Responsibility and No Recovery
You are solely responsible for remembering and securely storing your encryption passphrase. Because MCPhacker does not have access to your passphrase and cannot derive your encryption keys:
- No Passphrase Recovery: If you forget your passphrase, we cannot recover it or reset it. There is no "forgot password" mechanism for encryption passphrases.
- No Data Recovery: If you lose your passphrase, all of your encrypted scan data will become permanently inaccessible. We cannot decrypt your data for you.
- User Responsibility: It is your responsibility to use a strong, memorable passphrase and to store it securely. We recommend using a password manager.
By using the zero-knowledge encryption feature, you acknowledge and accept these limitations.
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Providing and Maintaining the Service
- Authenticating your identity and managing your Account via passwordless email login.
- Processing and executing security scans against your specified Scan Targets (which are encrypted and inaccessible to us).
- Generating, encrypting, storing, and facilitating the retrieval of Scan Results and AI-powered analysis (in encrypted form only).
- Managing your license status and enforcing usage limits based on your purchased license tier (free, 6-month, 1-year, or lifetime).
- Providing customer support and responding to your inquiries (note: we cannot access your encrypted scan data to troubleshoot scan-specific issues).
3.2 Security and Abuse Prevention
- Monitoring for unauthorized access, abuse, fraud, and other malicious activity.
- Enforcing rate limits and preventing misuse of the Service.
- Operating honeypot mechanisms to detect and log unauthorized access attempts.
- Identifying and blocking IP addresses associated with malicious activity.
- Protecting the integrity, availability, and security of the Service.
3.3 Communication
- Sending passwordless authentication emails (login links).
- Sending transactional emails related to your Account and scan activity (scan completion notifications, license changes, license expiration reminders, etc.).
- Sending service announcements, security alerts, and administrative messages.
- Responding to your support requests, inquiries, and feedback.
3.4 Service Improvement and Analytics
- Analyzing usage patterns to understand how the Service is used and to improve its features and performance.
- Conducting research and development to enhance vulnerability detection capabilities.
- Generating aggregate, anonymized statistics about Service usage, vulnerability trends, and security insights.
- Debugging and resolving technical issues.
3.5 Legal and Compliance
- Complying with applicable laws, regulations, legal processes, and government requests.
- Enforcing our Terms of Service, Acceptable Use Policy, and other policies.
- Protecting the rights, property, and safety of MCPhacker, our users, and the public.
- Cooperating with law enforcement in investigating potentially illegal or harmful activities.
4. How We Share Your Information
We do not sell your personal information. We may share your information in the following circumstances:
4.1 Third-Party Service Providers
We share information with third-party service providers who perform services on our behalf, subject to contractual obligations to protect your data:
- AI Analysis Providers (OpenRouter): Scan data is transmitted to third-party AI models via the OpenRouter API for the purpose of generating vulnerability analysis and security insights. Important: Due to the technical requirements of AI processing, scan data is transmitted to OpenRouter in plaintext form before client-side encryption occurs. OpenRouter may route your data to various large language model (LLM) providers. We select providers with commercially reasonable data handling practices, but we do not control the data processing practices of these third-party AI model providers. After AI analysis is complete, the analysis results are encrypted client-side before storage on our servers. We recommend reviewing OpenRouter's privacy policy for more details.
- Email Delivery Services (Resend): Your email address is shared with Resend for the purpose of delivering authentication emails, notifications, and other transactional communications related to the Service.
- Payment Processors (Stripe): License purchases are processed by Stripe, a third-party payment processor. MCPhacker does not directly collect, store, or process payment card data. Stripe handles all payment information securely. Your use of Stripe is subject to their terms and privacy policy. Stripe provides us with transaction identifiers and payment status information for license activation and record-keeping purposes.
4.2 Legal Requirements
We may disclose information we have access to if required to do so by law or in the good faith belief that such action is necessary. Important: Due to our zero-knowledge architecture, we cannot disclose encrypted scan data, scan targets, or scan results in response to legal requests, as we do not have the ability to decrypt this information.
We may disclose the following types of information:
- Email addresses, account information, and authentication records.
- License purchase records and payment transaction information.
- IP addresses, access logs, and session data.
- Usage counts and rate limit tracking data.
- Non-sensitive scan metadata (timestamps, scan status).
- Encrypted blobs of scan data (which cannot be decrypted without your passphrase).
We cannot disclose:
- Your encryption passphrase (which we do not have).
- Plaintext scan targets, scan results, or vulnerability findings (which are encrypted).
4.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Service of any change in ownership or uses of your information.
4.4 Aggregate and Anonymized Data
We may share aggregate, anonymized, or de-identified data that cannot reasonably be used to identify you with third parties for purposes including industry research, analytics, and marketing. Such data does not constitute personal information under applicable law.
4.5 With Your Consent
We may share your information with third parties when you have given us your explicit consent to do so.
5. Data Retention
We retain your information for the following periods:
| Data Category | Retention Period |
|---|---|
| Account Information (email) | Duration of account existence plus 30 days after account deletion |
| Session Data | 15 days (session cookie expiry); server-side session records retained for up to 30 days |
| Encrypted Scan Results | Duration of active license plus 30 days after license expiration. Free tier: 30 days. 6-month license: 6 months + 30 days. 1-year license: 1 year + 30 days. Lifetime license: duration of account existence. You may request earlier deletion. |
| Scan Metadata | Same as Encrypted Scan Results retention for the applicable license tier |
| License Purchase Records | Indefinitely for accounting and tax compliance purposes |
| Payment Transaction Data | 7 years for financial record-keeping and tax compliance |
| Usage Counts | Rolling 30-day period for rate limiting purposes |
| IP Addresses (access logs) | 90 days |
| User Agent Data | 90 days |
| Honeypot Data | Up to 1 year, or longer if required for ongoing security investigations or legal proceedings |
| Usage Analytics (aggregate) | Indefinitely in anonymized form |
| Communication Records | Up to 2 years or as required by law |
After the applicable retention period, data is permanently deleted or anonymized such that it can no longer be associated with you. We may retain certain information for longer periods if required by applicable law, legal hold obligations, or pending disputes.
Note on Zero-Knowledge Architecture: Cleartext scan data (before encryption) is never stored on our servers. Scan data is encrypted client-side in your browser before transmission, and only encrypted blobs are stored. When the retention period expires, the encrypted blobs are permanently deleted.
6. Your Rights and Choices
6.1 Access and Portability
You have the right to request a copy of the personal information we hold about you. You may request this by contacting us at the email address provided below. We will respond to your request within thirty (30) days.
Zero-Knowledge Limitation: We can provide you with the information we have access to (email address, license records, usage counts, non-sensitive metadata). However, we cannot provide plaintext copies of your encrypted scan data, as we do not have the ability to decrypt it. You can access and export your scan data directly through the Service interface using your passphrase.
6.2 Correction
You have the right to request that we correct any inaccurate personal information we hold about you. Since your primary identifying information is your email address, corrections are generally limited to updating your email address.
6.3 Deletion
You have the right to request the deletion of your personal information. Upon receiving a verified deletion request, we will delete your personal information from our records, subject to the following exceptions:
- Information necessary to complete a transaction or provide the Service you requested.
- Information necessary to detect security incidents, protect against malicious or illegal activity, or prosecute those responsible.
- Information necessary to comply with a legal obligation.
- Information necessary for internal uses that are reasonably aligned with your expectations based on your relationship with us.
6.4 Opt-Out of Communications
You may opt out of non-essential communications by contacting us. However, you cannot opt out of transactional emails related to your Account security and authentication (e.g., login links), as these are essential to the functioning of the Service.
6.5 Account Deletion
You may request complete deletion of your Account and all associated data by contacting us. Account deletion is irreversible and will result in the permanent loss of your encrypted scan data, license information, and account data. Warning: Once your account is deleted, your encrypted scan data cannot be recovered, even if you remember your passphrase, as the encrypted blobs will be permanently deleted from our servers.
7. California Consumer Privacy Act (CCPA) Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
7.1 Right to Know
You have the right to request that we disclose:
- The categories of personal information we have collected about you.
- The categories of sources from which the personal information was collected.
- The business or commercial purpose for collecting the personal information.
- The categories of third parties with whom we share personal information.
- The specific pieces of personal information we have collected about you.
7.2 Right to Delete
You have the right to request that we delete personal information we have collected from you, subject to certain exceptions as outlined in the CCPA.
7.3 Right to Correct
You have the right to request that we correct inaccurate personal information that we maintain about you.
7.4 Right to Opt-Out of Sale or Sharing
MCPhacker does not sell your personal information. We do not sell personal information to third parties as defined under the CCPA. If our practices change in the future, we will update this Privacy Policy and provide you with an opt-out mechanism.
We share personal information with service providers (as described in Section 4.1) solely for the purpose of providing the Service. These disclosures are not considered "sales" or "sharing" under the CCPA, as they are made to service providers under written contracts that restrict the use of the information to the specified business purposes.
7.5 Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. We will not deny you the Service, charge you different prices, provide a different level of service, or suggest that you will receive a different level of service for exercising your rights. However, the Service may not function correctly if you request the deletion of information essential to your Account.
7.6 Authorized Agents
You may designate an authorized agent to make requests on your behalf under the CCPA. To do so, you must provide the authorized agent with written permission to act on your behalf, and we may require you to verify your identity directly with us.
7.7 How to Submit a CCPA Request
To exercise your CCPA rights, please contact us at the email address provided below. We will verify your identity before processing your request by confirming the email address associated with your Account. We will respond to verified requests within forty-five (45) days. If we need additional time, we will inform you of the reason and extension period (up to an additional 45 days).
7.8 Categories of Personal Information Collected
In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA:
| CCPA Category | Examples | Collected |
|---|---|---|
| Identifiers | Email address, IP address, Account ID | Yes |
| Internet or other electronic network activity information | Browsing history, user agent, usage data, scan activity | Yes |
| Geolocation data | Approximate location derived from IP address | Yes |
| Professional or employment-related information | N/A | No |
| Education information | N/A | No |
| Inferences | Vulnerability analysis, security assessments | Yes |
| Sensitive personal information | N/A | No |
8. Children's Privacy (COPPA Compliance)
The Service is not directed to and is not intended for use by children under the age of thirteen (13). In compliance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13.
If we become aware that we have collected personal information from a child under the age of 13, we will take immediate steps to delete that information from our records. If you are a parent or guardian and believe that your child under 13 has provided personal information to us, please contact us immediately at the email address provided below so that we can take appropriate action.
Users of the Service must be at least 18 years of age.
9. International Data Transfers
MCPhacker is based in the United States, and the Service is hosted on servers located in the United States. If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States.
By using the Service, you consent to the transfer of your information to the United States and acknowledge that:
- The data protection laws of the United States may differ from those in your jurisdiction.
- Your information will be subject to United States law, including lawful requests by United States government authorities.
- We will take commercially reasonable measures to protect your information in accordance with this Privacy Policy, regardless of where it is processed.
If you are located in the European Economic Area (EEA), the United Kingdom, or other regions with data protection laws that may differ from those in the United States, your continued use of the Service constitutes your consent to the transfer of your data to the United States. We may implement additional safeguards, such as Standard Contractual Clauses, as required by applicable law.
10. Data Security
We implement comprehensive administrative, technical, and physical security measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction. These measures include, but are not limited to:
- Zero-Knowledge Client-Side Encryption: All sensitive scan data is encrypted in your browser using AES-256-GCM encryption before transmission to our servers. This ensures that even if our servers were compromised, your scan data would remain protected and unreadable without your passphrase.
- Encryption in Transit: All data transmitted between your browser and the Service is encrypted using TLS (Transport Layer Security).
- Encryption at Rest: All encrypted scan data blobs are stored in encrypted form on our servers. We do not have the keys to decrypt this data.
- Strong Key Derivation: Encryption keys are derived from your passphrase using PBKDF2 with a high iteration count, making brute-force attacks on your passphrase computationally infeasible.
- Secure Session Management: Authentication sessions are managed using httpOnly cookies that cannot be accessed by client-side scripts, reducing the risk of cross-site scripting (XSS) attacks.
- Passwordless Authentication: By using a passwordless email-based authentication system, we eliminate the risk of password-related breaches, password reuse attacks, and credential stuffing.
- Access Controls: Access to user data is restricted to authorized personnel on a need-to-know basis. Due to encryption, personnel cannot access plaintext scan data.
- Infrastructure Security: The Service is hosted on infrastructure with industry-standard security controls, including firewalls, intrusion detection systems, and regular security updates.
- Security Monitoring: We continuously monitor the Service for unauthorized access attempts and suspicious activity, including through the use of honeypot mechanisms.
- Rate Limiting: We implement rate limiting to prevent abuse of the Service and protect against brute-force and denial-of-service attacks.
- Input Validation and Sanitization: We implement input validation and sanitization measures to protect against injection attacks and other input-based vulnerabilities.
No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security. In the event of a data breach affecting your personal information, we will notify you and applicable authorities as required by law.
11. Do Not Track Signals
Some web browsers transmit "Do Not Track" (DNT) signals. The Service does not currently respond to DNT signals because there is no industry-standard technology for recognizing and implementing DNT signals. We will update this Privacy Policy if a standard for responding to DNT signals is established.
12. Links to Third-Party Websites
The Service may contain links to third-party websites, services, or resources that are not operated or controlled by MCPhacker. This Privacy Policy applies only to the Service and does not apply to any third-party websites. We are not responsible for the privacy practices or content of any third-party websites. We encourage you to review the privacy policies of any third-party websites you visit.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes to this Privacy Policy, we will notify you by:
- Posting the updated Privacy Policy on the Service with a revised "Last Updated" date.
- Sending a notice to the email address associated with your Account.
Material changes will be effective thirty (30) days after notification. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree to the revised Privacy Policy, you must stop using the Service and may request deletion of your Account.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
14. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@mcphacker.com
- General Inquiries: legal@mcphacker.com
- Website: https://mcphacker.com
For CCPA-specific requests, please email: privacy@mcphacker.com with the subject line "CCPA Request."
This Privacy Policy was last updated on 2025-01-01.