← MCPy

Privacy Policy

Effective date: April 8, 2026

1. Overview

MCPy ("we", "our", or "us") is a mobile application that lets you chat with multiple AI models and connect them to your apps via Model Context Protocol (MCP) servers. This Privacy Policy explains what data we collect, how we use it, and your rights.

By using MCPy, you agree to the practices described in this policy. If you do not agree, please do not use the app.

2. Information We Collect

Account & Authentication

  • Email address and user ID from Apple Sign-In or Google Sign-In
  • Authentication tokens managed by Supabase Auth

Conversations & Messages

  • Chat messages you send and the AI responses you receive
  • Conversation titles, pinned/archived status, and timestamps
  • AI model used, token counts (prompt and completion), and cost per message in USD

Files & Attachments

  • Images and files you attach to conversations, stored in cloud storage
  • Text file contents read inline when you attach them to a message

Usage & Billing

  • Cumulative token usage and cost per billing cycle linked to your account
  • Subscription status synced from the App Store via RevenueCat

Google Account Data (Optional)

If you choose to connect Google services (Gmail, Google Drive, Google Calendar), we store OAuth access tokens, refresh tokens, permission scopes, and expiry timestamps. This connection is entirely optional and can be revoked at any time from your Google Account settings or within the app.

MCP Server Credentials (Optional)

If you connect third-party MCP servers (e.g., Slack, Notion, GitHub), we store the server URL, authentication header, and OAuth tokens you provide. These are used solely to forward requests to the servers on your behalf.

Device & Local Data

  • App preferences (theme, selected model) stored locally on your device via AsyncStorage
  • We do not collect device identifiers, advertising IDs, or location data

3. How We Use Your Information

  • Providing the service: Routing your messages to AI models, storing your conversation history, and syncing data across your devices
  • Billing: Tracking your token usage and costs to enforce plan limits and display usage statistics
  • Google integrations: Reading and writing to Gmail, Google Drive, and Google Calendar only when you explicitly request an action through the AI
  • MCP actions: Forwarding tool calls to third-party servers you have connected, only when you initiate or approve the action
  • Security: Detecting and preventing abuse, unauthorized access, and policy violations

We do not use your conversation data to train AI models. We do not sell your data to third parties.

4. Google API Services — Limited Use Disclosure

MCPy's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only request Google OAuth scopes that are necessary to perform the specific action you ask the AI to take (Gmail, Drive, or Calendar)
  • Google user data is not transferred to third parties except when necessary to provide the feature you requested (e.g., forwarding a Gmail action to the AI model you are using)
  • We do not use Google user data for advertising purposes
  • We do not allow humans to read your Google data unless you have explicitly consented, it is necessary for security purposes, or it is required by law

5. Third-Party Services

ServicePurpose
SupabaseDatabase, authentication, and file storage
OpenRouterProxies your messages to AI providers (Claude, GPT, Gemini, etc.)
RevenueCatIn-app subscription management (iOS)
Apple Sign-In / Google Sign-InAuthentication
Google APIsGmail, Drive, Calendar access (only if you connect them)

When you send a message, its content is forwarded to OpenRouter and then to the AI provider you selected. Please review each provider's privacy policy for how they handle prompts.

6. Data Retention & Deletion

  • Conversations and messages are retained as long as your account is active
  • You can delete individual conversations at any time within the app
  • To delete your account and all associated data, contact us at the address below. We will process deletion requests within 30 days
  • Google OAuth tokens are deleted from our systems when you disconnect the integration or delete your account

7. Data Security

All data is transmitted over HTTPS. OAuth tokens and credentials are stored encrypted at rest in our database. We use row-level security to ensure your data is accessible only to your account. No system is perfectly secure, and we cannot guarantee absolute security.

8. Children's Privacy

MCPy is not directed to children under the age of 13. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.

9. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, or delete your personal data; to withdraw consent; and to data portability. To exercise any of these rights, contact us at the address below.

10. Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes by updating the effective date at the top of this page. Continued use of MCPy after changes constitutes acceptance of the updated policy.

11. Contact

For any privacy-related questions or requests, please contact:

Mert Adem Gülenç
support@usemcpy.com