PlexMCP

Privacy Policy

Effective: January 9, 2026

PlexMCP, Inc. ("PlexMCP," "we," "us," or "our"), based in San Francisco, CA, United States, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

1. Information We Collect

We collect the following types of information:

Account Information

  • Name and email address
  • Organization name (if applicable)
  • Password (stored securely using Argon2id hashing)

Usage Data

  • API request counts and timestamps
  • MCP server configurations and metadata
  • Feature usage analytics

Audit Logs

  • Authentication events
  • Administrative actions
  • Security-related activities

Important:

MCP request and response content is NOT stored by PlexMCP. We only proxy communications between your clients and MCP servers without retaining the content.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Process transactions and send billing information
  • Respond to customer support requests
  • Monitor and analyze usage patterns to improve user experience
  • Detect, prevent, and address security issues and fraud
  • Comply with legal obligations

3. Data Storage & Security

We implement industry-standard security measures to protect your data:

  • Encryption in Transit: All data transmitted to and from our servers uses TLS 1.3
  • Encryption at Rest: Sensitive data is encrypted using AES-256
  • Access Control: Row-Level Security (RLS) ensures strict data isolation between organizations
  • Password Security: Passwords are hashed using Argon2id, the recommended algorithm for password hashing
  • Infrastructure: Our services are hosted on secure, SOC 2 compliant infrastructure

4. Data Retention

We retain your data according to the following schedule:

  • Active Accounts: Data is retained while your account remains active
  • Audit Logs: Retained for 7 years for compliance purposes
  • Backups: Operational backups retained for 30 days; archives retained for 1 year
  • Deleted Accounts: After you request deletion, your data enters a 30-day soft delete period (allowing recovery), after which it is permanently deleted

5. Your Rights

We comply with GDPR and provide you with the following rights:

  • Right to Access (Article 15): You can export your data in JSON format through your account settings
  • Right to Erasure (Article 17): You can request deletion of your account, with a 30-day grace period during which the request can be cancelled
  • Right to Rectification: You can update your personal information through your account settings
  • Right to Data Portability: Your data export is provided in a portable JSON format
  • Right to Object: You can contact us to object to certain data processing activities

To exercise these rights, visit your account settings or contact support@plexmcp.com.

6. Data Breach Notification

In the event of a data breach affecting your personal data, we will notify you and relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

7. Third-Party Services

We may use third-party services to help operate our platform. We ensure all third-party providers maintain appropriate security and privacy standards. Key points:

  • We do not sell your personal data to third parties
  • Third-party service providers only receive data necessary for their specific functions
  • All providers are contractually bound to protect your data

8. Cookies

We use cookies for the following purposes:

  • Essential Cookies: Required for authentication and core functionality
  • Analytics: Privacy-focused, in-house analytics (no third-party tracking)

We do not use third-party tracking cookies or sell data to advertisers.

9. Children's Privacy

Our services are not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately at support@plexmcp.com.

10. International Data Transfers

Your data is processed and stored in the United States. If you are accessing our services from outside the United States, please be aware that your data will be transferred to, stored, and processed in the United States. We implement appropriate safeguards to ensure your data is protected in compliance with GDPR requirements.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to your registered account address. The "Effective" date at the top of this policy indicates when it was last updated.

12. Contact Information

For questions about this Privacy Policy or our data practices, please contact us:

PlexMCP, Inc.
San Francisco, CA
United States