legal/privacy
Effective Date: July 8, 2026
This Privacy Policy explains how MCPFlo (“MCPFlo”, “we”, “our”, or “us”) handles information in connection with the MCPFlo desktop application and this website (collectively, the “Software”).
MCPFlo is built as a local-first developer tool. This policy is intended to describe, as plainly as possible, what that means for your data.
This policy covers the MCPFlo desktop application and this website. For the incidental, minimal data described in Section 6 (Website) below, MCPFlo acts as the data controller. For your server configurations, credentials, and request history, MCPFlo has no access to that data at all — it is created and stored solely on your device, so no controller/processor relationship with us arises over it.
If you connect MCPFlo to a third-party MCP server, that server operator is independently responsible, as controller (or processor, depending on its own arrangements), for any data you send to or receive from it. See Section 5.
MCPFlo does not collect, transmit, or have access to:
This information is created and stored entirely on your device, and MCPFlo-operated servers do not receive it unless a specific feature explicitly states otherwise.
MCPFlo stores the following data locally on your device:
config.json file in your OS-standard application data directory.You can inspect, back up, or delete this data yourself at any time by locating the relevant files on your device or by removing a server from within the app.
MCPFlo is designed to connect to MCP servers, APIs, and other services that you configure. These are typically operated by third parties, or by you.
Any data you send to, or receive from, a third-party server through MCPFlo is subject to that server’s own privacy policy and practices, not this one. We do not control, monitor, or have visibility into how third-party servers handle data.
You are responsible for understanding the privacy practices of any MCP server you choose to connect to, particularly before sending sensitive or personal data through it.
This website (the pages you are reading now) is a static site. It does not use cookies, analytics scripts, or third-party trackers to profile visitors.
Our hosting provider may, as a standard part of serving any website, generate basic technical logs (e.g. IP address, requested page, timestamp, user agent) for operational and security purposes such as diagnosing outages and detecting abuse. Our legal basis for this minimal processing is our legitimate interest in operating and securing the website. We do not use these logs to identify individual visitors, and we do not control their retention beyond our hosting provider’s standard practice, which is typically limited to a matter of weeks before rotation or deletion.
MCPFlo does not currently include an automatic update-check mechanism. The application does not contact any MCPFlo-operated or third-party service in the background to check for new versions. New versions are published and downloaded manually — for example, from the GitHub Releases page or this website.
If this changes in a future version (for example, if in-app update checking is introduced), we will update this section to describe what information that exchange involves, whether it can be disabled, and what legal basis applies to it, before that feature ships.
Credentials handled by MCPFlo are encrypted using your operating system’s native security features and are never exposed to the parts of the app that don’t need them. Encryption is tied to your device and OS user account, so encrypted data generally cannot be decrypted if copied to another machine or user account.
No method of storage or transmission is completely secure. You are responsible for securing your own device and for safeguarding any credentials or data you choose to store or transmit through the Software.
MCPFlo is built using open-source libraries and SDKs (for example, Electron and the Model Context Protocol SDK). We do not configure or enable telemetry, analytics, or crash-reporting in the application ourselves, and we are not aware of any bundled dependency that independently transmits usage data.
That said, we cannot make an absolute guarantee about the runtime behavior of every third-party dependency we bundle. A full list of dependencies is available in the project’s public source repository, should you wish to audit it yourself.
MCPFlo does not retain any of your project data, since it never leaves your device. On your device, configuration, credentials, and cached data persist until you remove them — either by deleting a server, clearing the cache, or uninstalling the application (see Section 13).
For the limited operational logs described in Section 6, retention is governed by our hosting provider’s standard log-rotation policy, not by us directly, and is not extended for any secondary purpose.
Depending on where you live, you may have rights under data protection law, including the EU/UK GDPR and the California Consumer Privacy Act as amended by the CPRA. Because MCPFlo does not collect or hold personal data about you beyond the minimal, non-identifying operational logs described in Section 6, most of these rights are inherently satisfied by the local-first design described above — but we confirm them here for clarity:
To exercise any of these rights, contact us at the address in Section 16. Because we hold no account or contact data linking you to a request, we may ask you to describe the specific interaction (e.g. approximate date and feature used) so we can confirm whether any data exists to act on.
MCPFlo is a developer tool intended for professional and technical use and is not directed at children. We do not knowingly collect personal information from children under 13 (as defined by COPPA) or under 16 (the default age of consent for information-society services under GDPR in a number of EU member states, absent a lower age set by national law).
Because MCPFlo does not operate accounts, forms, or data collection of any kind, we do not expect to receive a minor’s personal information in the ordinary course of using the Software. If we nonetheless become aware that we have inadvertently received such information — for example, through an unsolicited support email — we will delete it promptly upon discovery or upon request from a parent or guardian. Contact us at the address in Section 16 to make such a request.
Because your data stays on your device, you are in direct control of it:
Because MCPFlo processes data locally on your device rather than on centrally hosted servers, there is generally no cross-border transfer of your project data by us. If you use MCPFlo to connect to third-party or self-hosted MCP servers located in other jurisdictions, that transfer is governed by your configuration choices and the third party’s practices, not by us.
The limited hosting logs described in Section 6 may be processed in the jurisdiction where our hosting provider operates its infrastructure.
Because MCPFlo does not operate a central server that stores your project data, most data-security incidents that could occur would be local to your own device, and outside our visibility or control.
If we become aware of a security incident affecting infrastructure we do operate (such as this website or its hosting environment) that creates a real risk to individuals, we will notify affected users without undue delay, using the most direct channel reasonably available to us (which, absent user accounts, will typically be a public notice on this website and/or the project’s GitHub repository), and, where required by applicable law, notify the relevant supervisory authority within the timeframe that law requires.
If you have questions regarding this Privacy Policy, or wish to exercise any of the rights described in Section 11, please contact us at getmcpflo@gmail.com.
This Privacy Policy is governed by the laws of India, without regard to its conflict of law principles, consistent with the governing law provision in our Terms & Conditions. Where mandatory data protection law of your own jurisdiction (e.g. GDPR or CCPA/CPRA) grants you rights that cannot be waived by choice of governing law, those rights remain available to you as described in Section 11.
We may revise this Privacy Policy from time to time. When we do, we will update the Effective Date at the top of this document. Material changes will be reflected in the version history of this file in our public website repository, where prior versions of this page remain visible via commit history. Your continued use of MCPFlo after a revised policy becomes effective constitutes your acceptance of the updated policy.
See also our Terms & Conditions, and the documentation on Secrets & Credential Storage and the Config File for technical detail on how local data is stored.