Privacy Policy

Last updated: 2026-05-23

Who we are

MCPSpend is operated by NEW RZS SRL, a Romanian limited liability company (CUI RO48756557, Trade Register no. J2023005851235, EUID ROONRC.J2023005851235), incorporated 2023-09-08 with registered office at Str. Gliei 34-38, Corp B, Loc. Bragadiru, Jud. Ilfov, 077025, Romania. We're the data controller for the personal data you provide to us. You can reach us at support@mcpspend.com for any privacy question or to exercise your GDPR rights.

What we collect

We deliberately collect as little as possible. Specifically:

  • Account data: email, optional display name, hashed password, organization name, role.
  • Billing data: Stripe customer ID and subscription ID. Card details are stored by Stripe — we never see or store them.
  • MCP tool-call metadata: tool name, server name, model name, input/output token estimates (size, not content), latency, success or error code, timestamp, the API key that sent the call. We do not collect tool arguments or tool responses — those never leave your machine.
  • Anonymous CLI telemetry: when you run mcpspend init, the CLI sends a schema-fingerprint of the configs it patched (the sorted list of top-level JSON keys, hashed). No paths, no values, no API keys. Opt out with MCPSPEND_NO_TELEMETRY=1.
  • Server logs: IP address (hashed), user-agent, route, status code. Used only for security and debugging.

How we use it

  • Provide the service you signed up for (the dashboard).
  • Send transactional email (magic links, budget alerts, invoices).
  • Enforce plan limits and bill the right organisation.
  • Detect when an MCP client (Cursor, Windsurf, etc.) changes its config schema so we can ship a fix before our auto-discovery breaks for you.
  • Comply with legal obligations (tax, anti-fraud).

We do not sell your data, use it to train any model, or share it with advertisers.

Sub-processors

We use the following sub-processors to run the service:

  • Stripe (US/EU) — payment processing. Receives email + name + billing address. Stripe Privacy.
  • Resend (US) — transactional email delivery. Receives email + the contents of the message we send you. Resend Privacy.
  • Coolify on a Hostinger VPS (EU region) — application hosting + Postgres database. No direct user-facing role.

An Enterprise customer can request a current list of sub-processors and a signed DPA by emailing support@mcpspend.com.

Retention

Tool-call rows are retained based on your plan:

  • Free — 7 days
  • Pro — 30 days
  • Team — 90 days
  • Enterprise — kept until you ask us to delete

Aggregated daily statistics (no PII) are kept indefinitely so historical charts continue to work. Account data is kept while your account is active; you can delete your account anytime by emailing us.

Your GDPR rights

If you're in the EU/UK, you have the right to access, correct, export, and delete your personal data. Email support@mcpspend.com and we'll honour your request within 30 days. You can also complain to your local data protection authority (in Romania: ANSPDCP).

Cookies & analytics

MCPSpend uses a single authentication cookie to keep you signed in.

We use Google Analytics 4 (measurement ID G-R9HSHBNZ8Q) only after you click Accept on the cookie consent banner shown on your first visit. If you click Decline (or never see the banner because of a tracker blocker), gtag.js is never requested and no analytics events are sent.

When loaded, GA4 is configured with anonymize_ip: true and allow_ad_personalization_signals: false, so we don't feed any audience into Google Ads. You can withdraw consent any time by clearing the mcpspend_cookie_consent localStorage key in your browser, after which the banner reappears on your next visit. Consent automatically expires after 12 months and we ask again.

No other third-party tracker, advertising pixel, or session-replay tool runs on the application.

Security

Passwords are hashed with bcrypt. API keys are stored as SHA-256 hashes — we cannot recover them, only revoke. Sensitive configuration values (Slack webhook URLs, etc.) are encrypted at rest with AES-256-GCM. All HTTP traffic uses TLS 1.2+.

Changes

We'll email all account holders if we make a material change to this policy. Minor wording edits will be reflected by the "Last updated" date above.