// legal
Privacy Policy
Effective date: July 4, 2026
1. Who we are
MCP Cloud ("we", "us") operates mcpcloud.space, a service that hosts Model Context Protocol (MCP) servers in the cloud. You deploy an MCP server from one of our templates, connect it to your own data source (such as your Google account), and receive a private HTTP endpoint URL that you can plug into AI agents and MCP clients you control (for example Claude or Cursor).
Questions about this policy or your data: support@mcpcloud.space.
2. Information we collect
2.1 Account information
Sign-in is via Google only. When you sign in we receive your basic Google profile: your name, email address and profile picture. We use this to create and identify your MCP Cloud account.
2.2 Google user data accessed by MCP server templates
When you deploy a Google-backed MCP server, you explicitly authorize it through Google's OAuth consent screen. Each template requests only the scope it needs:
- Google Search Console (scope:
webmasters, read and manage) — your list of Search Console properties and their details, search performance analytics (queries, pages, clicks, impressions, CTR, position), sitemap data, and URL indexing inspection results. Because this scope includes management access, the template also exposes write tools: submitting and deleting sitemaps, and adding or removing properties. Destructive operations are disabled by default and must be explicitly enabled per server in your dashboard. - Google Analytics (scope:
analytics.readonly, read-only) — your GA4 account and property metadata, custom dimensions and metrics, and reporting data (standard and realtime reports). - Google AdSense (scope:
adsense.readonly, read-only) — your AdSense accounts, ad clients and ad units, channels, sites, alerts, policy issues, payment information and earnings reports. - At authorization time — the email address of the Google account you connected, so your dashboard can show which account each server is bound to.
The Google SERP template does not use Google OAuth and does not access any Google user data; it queries public search results through a third-party data provider (DataForSEO).
2.3 Service and usage data
- Configuration values you enter for your servers (stored encrypted).
- Your MCP Cloud API keys (stored as a SHA-256 hash plus an encrypted copy so your dashboard can display the endpoint URL), and the time each key was last used.
- Standard session data for signed-in use of the dashboard, such as IP address and browser user agent.
3. How we use Google user data
We access your Google data for one purpose only: to answer the MCP tool calls that your own AI agents and MCP clients make against the servers you deployed. When your agent calls a tool, we fetch the requested data from the relevant Google API in real time and return it directly to your client.
- We do not use Google user data for advertising, and we do not sell it to anyone.
- We do not use Google user data to train machine-learning or AI models.
- We do not transfer Google user data to third parties, except to the MCP clients you connect (at your direction), to our infrastructure providers acting as processors, or where required by law.
- Humans at MCP Cloud do not read your Google data, except with your explicit consent (for example when you ask us for support), where necessary for security and abuse investigation, or where required by law.
4. Google API Services User Data Policy (Limited Use)
MCP Cloud's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
5. How we store and protect data
- OAuth credentials. The Google refresh token granted to each server is encrypted at rest with AES-256-GCM before it is written to our database, as are the configuration values of your servers. Short-lived access tokens are minted from the refresh token per request and are not persisted. The OAuth tokens from Google sign-in are also encrypted at rest using authenticated encryption, and the sign-in ID token is not stored at all.
- No copies of your Google data. We do not store, cache or warehouse the content returned by Google APIs. Each MCP request is handled statelessly: data is fetched from Google and streamed back to your MCP client in the same request.
- Transport security. All traffic to mcpcloud.space and between our servers and Google APIs uses HTTPS/TLS.
- Access to your endpoint. Your MCP endpoint URL embeds one of your API keys; anyone holding that URL can call your server's tools. Treat it like a password. You can disable or delete API keys in your dashboard at any time.
6. Sharing with third parties
We use infrastructure providers to run the service (cloud hosting and a managed database). They process data on our behalf under this policy and do not use it for their own purposes. The Google SERP template sends only your search queries (never Google user data) to DataForSEO to retrieve public search results. We share no other data with third parties, except as described in Section 3 or when required by law.
7. Data retention and deletion
- Deleting an MCP server in your dashboard permanently deletes its stored (encrypted) Google refresh token and configuration from our database, and we ask Google to revoke the underlying grant at the same time. Its endpoint stops working immediately. Likewise, when you re-authorize a server with a new Google grant, we revoke the previous one.
- You can also review and revoke MCP Cloud's access in your Google Account at any time at myaccount.google.com/permissions, which invalidates the grant on Google's side.
- To delete your entire account and all associated data, email support@mcpcloud.space and we will remove it within 30 days.
8. Changes to this policy
We may update this policy as the service evolves. We will post the updated version on this page with a new effective date, and for material changes affecting Google user data we will notify you before they take effect.
9. Contact
For any privacy question or request, contact support@mcpcloud.space.