MCP Privacy
MCP Privacy Policy
This policy supplements the global Trinity Insights Privacy Policy (/legal/privacy) for the specific use of the Trinity Insights MCP Server. It details data collected via MCP, its processing, and your GDPR rights.
1. Data collected via MCP
The Trinity MCP collects the strict minimum required for its operation, security, and tier-aware billing:
- HMAC-SHA256 hash of the API key (the cleartext key is never stored after creation).
- Session metadata: associated user identifier, tier at request time, key identifier.
- Daily aggregated counters: number of calls per tool, average response size, HTTP status. Anonymised at the user level.
- Application logs: technical errors, rate limit status, temporarily retained for support and capacity purposes.
- IP address: processed in transit by our CDN provider for security (WAF, DDoS protection); not stored on the Trinity application side.
2. Data expressly NOT collected
- User prompt content: what you ask your MCP client (Claude, ChatGPT, Cursor, etc.) remains local to that client. Trinity has no access to it.
- Complete output of your AI: the analysis your LLM generates from Trinity data is not transmitted back to Trinity.
- Advertising profiling: no marketing profiling data is collected, processed, or resold.
- Third-party cookies on the MCP subdomain: the mcp.trinityinsights.io subdomain sets no cookies. Only the Authorization Bearer header is transmitted.
3. Processing purposes
- Authentication and tier-aware authorisation of MCP requests.
- Security and abuse prevention (rate limiting, scraping detection, bypass attempts).
- Operational capacity: capacity planning, infrastructure sizing, cache optimisation.
- Billing: confirmation that usage complies with the billed tier (billing remains a flat monthly fee per tier, not metered usage).
- Technical support: reproduction of user-reported bugs upon explicit request.
4. Legal basis (GDPR)
- Performance of the contract: authentication, authorisation, and service provisioning.
- Legitimate interest: security, abuse prevention, operational monitoring.
- Legal obligation: minimum retention required by applicable regulation (anti-fraud, accounting).
5. Retention period
- API key hash: until revocation or termination, plus the applicable statutory archival period.
- Detailed (debug) logs: 30 days maximum.
- Aggregated metrics: 24 months (for capacity planning and roadmap purposes).
- Data after termination: erasure within 30 days, save for any statutory retention obligation.
6. Sub-processors
The Trinity Insights MCP relies on the following categories of sub-processors, all contractually bound to comply with the GDPR:
- Infrastructure host (EU, EEA): hosting of application servers and databases.
- CDN and WAF provider: content delivery, TLS transport, attack protection (segmented and GDPR-compliant processing).
- User authentication provider: account and session management, subject to its own privacy policy.
- Secrets management tool: zero-knowledge encrypted storage of infrastructure secrets (no user data).
The complete, named list of Trinity Insights sub-processors is maintained in the global Privacy Policy.
7. Your rights (GDPR)
You hold the following rights regarding your personal data, exercisable at any time:
- Right of access to your data.
- Right to rectification of inaccurate data.
- Right to erasure ("right to be forgotten"), subject to any statutory retention obligations.
- Right to restriction of processing.
- Right to data portability in a structured format.
- Right to object to processing based on legitimate interest.
- Right to lodge a complaint with the CNIL (www.cnil.fr) or any other competent supervisory authority.
Exercise your rights by contacting [email protected] with a copy of your identity document (the document will be destroyed immediately after verification).
8. Security
The technical and organisational security measures applicable to the MCP are detailed at /mcp/docs/security: mandatory TLS 1.3, HSTS preload, hashed Bearer authentication, rate limiting, containerised isolation, anonymised logs.
9. Amendments to the Policy
Trinity reserves the right to amend this Policy. Material amendments will be notified to users by email. The date of last update is implicitly the date of the latest revision in the Trinity source repository (git history).