MCPFlo
FeaturesDocsChangelogDownload

legal/privacy

Privacy Policy

Effective Date: July 8, 2026

This Privacy Policy explains how MCPFlo (“MCPFlo”, “we”, “our”, or “us”) handles information in connection with the MCPFlo desktop application and this website (collectively, the “Software”).

MCPFlo is built as a local-first developer tool. This policy is intended to describe, as plainly as possible, what that means for your data.


1. Summary

  • MCPFlo runs on your device and does not require an account.
  • Your server configurations, request history, and cached data stay on your device.
  • Credentials (OAuth tokens, environment variables, request headers) are encrypted at rest using your operating system’s native credential store.
  • MCPFlo does not operate analytics, telemetry, or crash-reporting services that collect your usage data.
  • MCPFlo does not currently perform automatic update checks (see Section 7).
  • We do not sell or share your personal information, as those terms are defined under CCPA/CPRA (see Section 11).
  • Any data exchanged with an MCP server you connect to is governed by that server’s own privacy practices, not this policy.

2. Scope and Our Role

This policy covers the MCPFlo desktop application and this website. For the incidental, minimal data described in Section 6 (Website) below, MCPFlo acts as the data controller. For your server configurations, credentials, and request history, MCPFlo has no access to that data at all — it is created and stored solely on your device, so no controller/processor relationship with us arises over it.

If you connect MCPFlo to a third-party MCP server, that server operator is independently responsible, as controller (or processor, depending on its own arrangements), for any data you send to or receive from it. See Section 5.

3. Information We Do Not Collect

MCPFlo does not collect, transmit, or have access to:

  • your MCP server configurations (names, commands, arguments, URLs);
  • your request and response history, including tool calls, resource reads, or rendered prompts;
  • OAuth tokens, environment variables, request headers, or other credentials you enter;
  • the content of any data returned by MCP servers you connect to.

This information is created and stored entirely on your device, and MCPFlo-operated servers do not receive it unless a specific feature explicitly states otherwise.

4. Local Data Storage

MCPFlo stores the following data locally on your device:

  • Configuration file. Server entries and app preferences are saved to a config.json file in your OS-standard application data directory.
  • Encrypted credentials. OAuth tokens, environment variables, and request headers are encrypted using your operating system’s secure storage (macOS Keychain, Windows DPAPI, or Linux Secret Service, where available) before being written to disk.
  • Capabilities cache. Discovered tools, resources, and prompts for each server may be cached locally to speed up subsequent connections.

You can inspect, back up, or delete this data yourself at any time by locating the relevant files on your device or by removing a server from within the app.

5. Third-Party MCP Servers and Services

MCPFlo is designed to connect to MCP servers, APIs, and other services that you configure. These are typically operated by third parties, or by you.

Any data you send to, or receive from, a third-party server through MCPFlo is subject to that server’s own privacy policy and practices, not this one. We do not control, monitor, or have visibility into how third-party servers handle data.

You are responsible for understanding the privacy practices of any MCP server you choose to connect to, particularly before sending sensitive or personal data through it.

6. Website

This website (the pages you are reading now) is a static site. It does not use cookies, analytics scripts, or third-party trackers to profile visitors.

Our hosting provider may, as a standard part of serving any website, generate basic technical logs (e.g. IP address, requested page, timestamp, user agent) for operational and security purposes such as diagnosing outages and detecting abuse. Our legal basis for this minimal processing is our legitimate interest in operating and securing the website. We do not use these logs to identify individual visitors, and we do not control their retention beyond our hosting provider’s standard practice, which is typically limited to a matter of weeks before rotation or deletion.

7. Software Updates

MCPFlo does not currently include an automatic update-check mechanism. The application does not contact any MCPFlo-operated or third-party service in the background to check for new versions. New versions are published and downloaded manually — for example, from the GitHub Releases page or this website.

If this changes in a future version (for example, if in-app update checking is introduced), we will update this section to describe what information that exchange involves, whether it can be disabled, and what legal basis applies to it, before that feature ships.

8. Data Security

Credentials handled by MCPFlo are encrypted using your operating system’s native security features and are never exposed to the parts of the app that don’t need them. Encryption is tied to your device and OS user account, so encrypted data generally cannot be decrypted if copied to another machine or user account.

No method of storage or transmission is completely secure. You are responsible for securing your own device and for safeguarding any credentials or data you choose to store or transmit through the Software.

9. Third-Party Dependencies

MCPFlo is built using open-source libraries and SDKs (for example, Electron and the Model Context Protocol SDK). We do not configure or enable telemetry, analytics, or crash-reporting in the application ourselves, and we are not aware of any bundled dependency that independently transmits usage data.

That said, we cannot make an absolute guarantee about the runtime behavior of every third-party dependency we bundle. A full list of dependencies is available in the project’s public source repository, should you wish to audit it yourself.

10. Data Retention

MCPFlo does not retain any of your project data, since it never leaves your device. On your device, configuration, credentials, and cached data persist until you remove them — either by deleting a server, clearing the cache, or uninstalling the application (see Section 13).

For the limited operational logs described in Section 6, retention is governed by our hosting provider’s standard log-rotation policy, not by us directly, and is not extended for any secondary purpose.

11. Your Privacy Rights

Depending on where you live, you may have rights under data protection law, including the EU/UK GDPR and the California Consumer Privacy Act as amended by the CPRA. Because MCPFlo does not collect or hold personal data about you beyond the minimal, non-identifying operational logs described in Section 6, most of these rights are inherently satisfied by the local-first design described above — but we confirm them here for clarity:

  • Right to know / access — what data (if any) we hold about you.
  • Right to rectification / correction — of inaccurate data we hold.
  • Right to erasure / deletion — of data we hold about you.
  • Right to data portability — to receive data you provided to us in a portable format.
  • Right to restrict or object to processing, including any processing based on legitimate interest.
  • Right to opt out of the sale or sharing of personal information (CCPA/CPRA). We do not sell or share personal information, as those terms are defined under CCPA/CPRA, so no opt-out is necessary — but you may still submit a request and we will confirm this in writing.
  • Right to non-discrimination for exercising any of the above rights.

To exercise any of these rights, contact us at the address in Section 16. Because we hold no account or contact data linking you to a request, we may ask you to describe the specific interaction (e.g. approximate date and feature used) so we can confirm whether any data exists to act on.

12. Children’s Privacy

MCPFlo is a developer tool intended for professional and technical use and is not directed at children. We do not knowingly collect personal information from children under 13 (as defined by COPPA) or under 16 (the default age of consent for information-society services under GDPR in a number of EU member states, absent a lower age set by national law).

Because MCPFlo does not operate accounts, forms, or data collection of any kind, we do not expect to receive a minor’s personal information in the ordinary course of using the Software. If we nonetheless become aware that we have inadvertently received such information — for example, through an unsolicited support email — we will delete it promptly upon discovery or upon request from a parent or guardian. Contact us at the address in Section 16 to make such a request.

13. Your Choices

Because your data stays on your device, you are in direct control of it:

  • you can view, edit, or delete your configuration file directly;
  • removing a server from MCPFlo clears its stored secrets, configuration, and cached capabilities;
  • uninstalling MCPFlo removes the application; associated local data may remain on disk until you delete it manually, depending on your operating system’s uninstall behavior.

14. International Users and Data Transfers

Because MCPFlo processes data locally on your device rather than on centrally hosted servers, there is generally no cross-border transfer of your project data by us. If you use MCPFlo to connect to third-party or self-hosted MCP servers located in other jurisdictions, that transfer is governed by your configuration choices and the third party’s practices, not by us.

The limited hosting logs described in Section 6 may be processed in the jurisdiction where our hosting provider operates its infrastructure.

15. Security Incident Notification

Because MCPFlo does not operate a central server that stores your project data, most data-security incidents that could occur would be local to your own device, and outside our visibility or control.

If we become aware of a security incident affecting infrastructure we do operate (such as this website or its hosting environment) that creates a real risk to individuals, we will notify affected users without undue delay, using the most direct channel reasonably available to us (which, absent user accounts, will typically be a public notice on this website and/or the project’s GitHub repository), and, where required by applicable law, notify the relevant supervisory authority within the timeframe that law requires.

16. Contact

If you have questions regarding this Privacy Policy, or wish to exercise any of the rights described in Section 11, please contact us at getmcpflo@gmail.com.

17. Governing Law

This Privacy Policy is governed by the laws of India, without regard to its conflict of law principles, consistent with the governing law provision in our Terms & Conditions. Where mandatory data protection law of your own jurisdiction (e.g. GDPR or CCPA/CPRA) grants you rights that cannot be waived by choice of governing law, those rights remain available to you as described in Section 11.

18. Changes to This Policy

We may revise this Privacy Policy from time to time. When we do, we will update the Effective Date at the top of this document. Material changes will be reflected in the version history of this file in our public website repository, where prior versions of this page remain visible via commit history. Your continued use of MCPFlo after a revised policy becomes effective constitutes your acceptance of the updated policy.

19. Related

See also our Terms & Conditions, and the documentation on Secrets & Credential Storage and the Config File for technical detail on how local data is stored.

MCPFlo

Test your MCP servers — invoke tools, inspect resources, and render prompts directly, with no model in the loop.

Resources

DocumentationGithubHelp

Community

TwitterReddit

Legal

PrivacyTerms
© 2026 MCPFlo. All rights reserved.