Legal
Privacy Policy
Effective date: March 14, 2026
1. Overview
MCTL ("we", "our", "us") operates the mctl.ai platform (the "Service"). This policy explains what data we collect, why we collect it, how we use and protect it, and your rights over it. By using the Service you agree to this policy.
Questions or data requests: [email protected]
2. Data We Collect
2.1 GitHub OAuth
When you authenticate via GitHub OAuth we receive:
- GitHub username and user ID
- Display name and avatar URL (public profile)
- Primary verified email address (user:email scope)
We do not request access to your repositories, organizations, or any code. The OAuth scopes used are read:user and user:email.
2.2 Platform Activity
While you use the Service we record:
- Operations triggered through the API or MCP connector (deploy, scale, rollback, etc.)
- Workflow execution results and status
- API request timestamps and HTTP status codes (for security and debugging)
We do not record the content of your source code or environment variable values.
2.3 Session Tokens
OAuth access tokens issued by the Service are short-lived (1-hour TTL). Tokens are stored in your browser's localStorage or sessionStorage and are never persisted server-side beyond the duration of the request.
3. How We Use Your Data
- Authentication — verifying your identity on every API request
- Authorization — resolving your team memberships and scoping access to the correct Kubernetes namespaces
- Audit logging — maintaining an immutable record of platform operations for security and compliance
- Debugging — diagnosing failures in workflows and deployments
We do not sell your data to third parties. We do not use your data for advertising.
4. Data Retention
- Access tokens — 1-hour TTL; not stored server-side after token validation
- Audit logs — retained for 90 days, then automatically purged
- Profile data (username, email) — retained while your account is active; deleted within 30 days of an account deletion request
5. Third-Party Services
- GitHub — OAuth identity provider. Your use of GitHub is governed by GitHub's Privacy Statement.
- Anthropic Claude — when you connect the mctl MCP connector in Claude.ai, Anthropic's platform processes your tool invocations. See Anthropic's Privacy Policy.
- Cloudflare — CDN and network layer. Cloudflare may log IP addresses and request metadata per their privacy policy.
6. Security
All data in transit is encrypted with TLS 1.2+. OAuth tokens are validated server-side on every request and are never logged. Kubernetes secrets are managed by HashiCorp Vault with audit logging enabled. Access is restricted by Kubernetes RBAC and network policies to the team's own namespace.
7. Your Rights
You may at any time:
- Access — request a copy of your stored profile data
- Correction — request correction of inaccurate data
- Deletion — request deletion of your account and associated data
- Revocation — revoke the GitHub OAuth grant at any time via GitHub → Settings → Applications → Authorized OAuth Apps → Revoke
Send requests to [email protected]. We will respond within 30 days.
8. Changes to This Policy
We may update this policy from time to time. Material changes will be announced via the platform changelog. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
9. Contact
For privacy-related inquiries: [email protected]