Privacy Policy
Last updated: June 30, 2026
This Privacy Policy explains what data MCP Inspector ("we", "us") processes when you use the desktop application and website. "MCP Inspector" is a trade name under which the software is operated, based in the United States (Colorado).
1. Your captured traffic stays on your device
When you capture MCP JSON-RPC traffic, it is written to a local database on your own computer (an SQLite file such as mcp-traces.db). On the Free tier this is a small in-memory ring buffer (about 100 recent events per session); on Pro it persists locally for as long as you keep it. We never receive, transmit, or have access to the contents of your captured traffic. You can delete this data at any time by removing the local database.
2. License validation (the main thing we receive)
If you activate a paid license, the Software contacts our license endpoint (license.mcp-inspector.com) to verify the key and enforce machine/seat limits. Each validation request sends:
- your license key;
- a machine fingerprint — a one-way SHA-256 hash derived from a hardware/OS identifier (we cannot reverse it to identify your device);
- the app version and your operating system (e.g., "windows").
We do not collect your IP address for tracking, browsing activity, or the contents of any traffic in this request. Validation results are cached locally (encrypted) so the app works offline for up to 30 days.
3. Account & payment data (when you buy)
Purchases are handled by Stripe. Stripe collects and processes your payment details; we never see or store your full card number. In connection with your purchase and license, we store:
- your email and name/organization name;
- your Stripe customer and subscription IDs;
- a hash of your license key, your tier, seat count, and expiry;
- machine fingerprints bound to your license (for seat enforcement);
- a minimal validation log (hashed key + timestamp) used for rate-limiting, which is pruned after about 7 days.
We use this only to deliver your license key, run your subscription, and enforce seat limits — not for advertising. Our legal bases (where GDPR applies) are performance of our contract with you and our legitimate interest in preventing license abuse.
4. Software updates
The app periodically checks releases.mcp-inspector.com for a newer version. This is a standard update check (version information); it does not transmit your captured data.
5. What we do not do
- No analytics or product telemetry.
- No crash/error reporting services.
- No advertising, cookies for tracking, or third-party tracking.
- No sale of personal data and no "targeted advertising" or profiling as those terms are defined under U.S. state privacy laws.
- No access to the MCP traffic you capture.
6. Team & Enterprise (self-hosted)
The Team aggregator and Enterprise license server run on infrastructure you control. Trace data collected by your team is stored on your own server and never sent to us. Enterprise air-gap mode disables all outbound calls, including license validation. For business customers who need it, a Data Processing Addendum is available.
7. Sub-processors
We rely on a small set of service providers to operate the product. The current list is maintained on our Sub-processors page (Stripe, Supabase, Cloudflare, Backblaze B2, and Resend).
8. Data retention
We keep account and license records for as long as your license is active and as needed for legal and accounting purposes. Validation logs are pruned after about 7 days. Your locally captured traffic is retained only on your device, under your control.
9. Your privacy rights
You may request access to, correction of, deletion of, or a portable copy of the personal data we hold about you, and you may object to or restrict certain processing. Because your captured traffic lives on your device, that data is yours to delete directly. To exercise any right, email [email protected]; we will verify your request and respond within the time required by applicable law.
Colorado residents
Under the Colorado Privacy Act, you have the rights of access, correction, deletion, and data portability, and the right to opt out of the sale of personal data and targeted advertising. We do not sell personal data or conduct targeted advertising, so there is nothing to opt out of and no universal opt-out / Global Privacy Control signal to honor for those purposes. You may still exercise your other rights using the contact above, and appeal a decision by replying to our response.
EU / UK / EEA residents (GDPR)
You have the rights of access, rectification, erasure, restriction, portability, and objection, and the right to lodge a complaint with your local supervisory authority. We process the limited personal data described above as a controller; for business customers, our DPA governs any processing we perform on your behalf.
California residents (CCPA/CPRA)
You have the rights to know, delete, correct, and to opt out of "sale"/"sharing" of personal information. We do not sell or share personal information. We will not discriminate against you for exercising your rights.
10. Children
MCP Inspector is a developer tool intended for adults and is not directed to children under 16. We do not knowingly collect personal data from children.
11. International users
The Software is operated from the United States, and data we process (such as license records) is handled there. By using the Software you understand your information may be processed in the United States. Where required for transfers from the EEA/UK, we rely on appropriate safeguards such as Standard Contractual Clauses through our providers.
12. Changes to this policy
We may update this Policy from time to time. We will reflect changes by updating the "Last updated" date above.
13. Contact
Questions or requests? Email [email protected].
Related: Terms of Service · Sub-processors · DPA · All legal documents