Last updated: 2026-05-24
MCPSpend is run by NEW RZS SRL (Romania, EU) and is the data controller for everything you submit to us. The GDPR gives you the following rights. We honour every request within 30 days (Art. 12 §3) — usually faster.
See every piece of personal data we hold about you.
How: Sign in → Account → Privacy → "Download my data". Returns a JSON file with profile, memberships, audit log, recent tool calls.
Correct inaccurate or incomplete data.
How: Edit your name / email in the dashboard. For org-level changes ask an OWNER.
Have your account and personal data deleted.
How: Sign in → Account → Privacy → "Delete my account". Anonymises immediately, hard-purges within 30 days. Audit log entries are retained under Art. 17 §3(b) (legal record exemption).
Pause processing without deleting (e.g. during a dispute).
How: Email privacy@mcpspend.com — we suspend the account and stop all background processing within 72h.
Receive your data in a structured, machine-readable format you can take to another service.
How: Same export as Art. 15 — JSON output, documented schema. CSV exports of tool-call history are available on Pro+ via the dashboard.
Object to processing based on legitimate interest (e.g. analytics).
How: Click "Decline" in the cookie banner — Google Analytics never loads. To withdraw any other consent, email privacy@mcpspend.com.
In-app self-serve: /dashboard/account/privacy
Privacy email: privacy@mcpspend.com — for requests we can't handle from the UI (Art. 18, complex rectifications, third-party access).
Security disclosures: security@mcpspend.com
Supervisory authority: if you believe we've mishandled your data you can lodge a complaint with the Romanian DPA (ANSPDCP, dataprotection.ro) or your local EU/EEA authority.
A current list of every third party that processes personal data on our behalf is published on the security page. We notify Enterprise customers at least 30 days before adding a new sub-processor.