Privacy Policy
relay-mcp is an evaluation project. This policy is written in good faith and in plain language to explain what personal data we process and why. It is not legal advice.
Effective date: 2026-07-12 — Version 1.0
In short:
- The service is self-hosted — we load no analytics, ads, tracking pixels, CDNs, external fonts, or social plugins.
- We set exactly one strictly-necessary cookie (an opaque session id), so no cookie-consent banner is needed.
- Your password and access tokens are only ever stored hashed — we cannot see them.
- We never sell your data or share it for advertising.
- We keep security logs (which include IP addresses) for up to 90 days, then delete them.
- You can access, correct, and delete your data — much of it directly in the app.
- You can complain to the Austrian Data Protection Authority (DSB) at any time.
1. Who we are
We are the controller responsible for your personal data. For details about the operator, including the full name and contact details, see our Impressum. You can reach us through the contact form, or by email at mcp@darky.cc.
No Data Protection Officer (DPO) is appointed, as one is not legally required.
Your use of the service is also governed by our Terms of Service.
2. No tracking, and the one cookie we use
The site is self-hosted and loads no third-party analytics, advertising, tracking pixels, content-delivery networks, external fonts, or social plugins. There is no cross-site tracking and no profiling of your browsing.
We set exactly one cookie, relay_session. It is strictly necessary to keep you logged in and holds only an opaque, signed session id — no personal data is readable from it. It is set with SameSite=Strict and Secure (HTTPS only) and expires after 8 hours.
Because this cookie is strictly necessary to run the service, no cookie-consent banner is required. Our forms are protected by a stateless, signed math-captcha token carried in the form itself — this is not a tracking cookie.
3. What personal data we process, why, and on what legal basis
We process the following categories of personal data. For each, we give the purpose and the GDPR Art. 6(1) legal basis.
- Account & identity — your name, email address (also your login identity), role, and tenant/workspace membership. Passwords are stored only as an Argon2id hash, never in plaintext; the operator cannot see your password. Purpose: to create and run your account. Basis: Art. 6(1)(b) (performance of the service/contract).
- Authentication & MFA — a TOTP secret (encrypted at rest) or an email one-time code (stored hashed); MFA recovery codes (stored hashed); any WebAuthn/passkey credentials you register (public key, credential id, a label you choose, a usage counter). Purpose: to authenticate you and secure your account. Basis: Art. 6(1)(b) to sign you in as part of providing the service, and Art. 6(1)(f) (our legitimate interest in securing your login) for the protective aspects.
- Sessions — server-side session records including the source IP address and browser user-agent, with creation, last-seen, and expiry timestamps. Your browser holds only the opaque relay_session cookie. Purpose: to keep you signed in and to secure sessions. Basis: Art. 6(1)(b) to keep you signed in, and Art. 6(1)(f) (our legitimate interest in session security) for the security aspects.
- Security & abuse prevention — login attempts (timestamp, source IP, the identifier/email entered, success/failure), per-IP block counters, and per-account lockout counters. Purpose: to protect the internet-exposed login and forms against brute-force and spam. Basis: Art. 6(1)(f) — our legitimate interest in keeping the service, its login, and its forms secure and preventing abuse.
- Tokens & agents — the names/notes you give to MCP tokens and enrolled agents, a token's last-used time, and permission scopes. Actual bearer tokens are stored only as SHA-256 hashes; a freshly issued token shown once via a one-time link is encrypted at rest and nulled once revealed. Enrolled "agents" are software that runs on your own machines. Purpose: to let your AI clients act with the permissions you assign. Basis: Art. 6(1)(b).
- Integrations — credentials for third-party services you choose to connect (for example SSH, Microsoft Graph, Google Workspace), stored encrypted at rest (Fernet/AES). You decide what to connect. Purpose: to carry out the actions your AI clients request against systems you connect. Basis: Art. 6(1)(b).
- Activity / audit log — one row per request to the MCP endpoint: timestamp, source IP, which token, method, tool name, and status. Purpose: a security and audit trail. Basis: Art. 6(1)(f) — our legitimate interest in keeping an audit log and detecting misuse.
- Email-sending — to verify your address, reset your password, change your email, or send invitations/notifications, we send email to your address via a configured SMTP mail server; only single-use nonce links travel by email. Purpose: account administration and security. Basis: Art. 6(1)(b) for account-administration emails, and Art. 6(1)(f) (our legitimate interest in account security) for security-related messages.
- Contact form — the name, email, and message you submit are emailed to the operator to answer your enquiry and are not stored in the application database. Purpose: to handle your enquiry. Basis: Art. 6(1)(f) (responding to your request).
Where we are subject to a legal obligation (for example to respond to a lawful request), we process data on the basis of Art. 6(1)(c). We do not currently rely on consent-based processing (Art. 6(1)(a)) beyond your agreement to use the service; if we ever ask for your consent separately, you may withdraw it at any time without affecting processing already carried out before withdrawal.
Your right to object: where we rely on our legitimate interests (Art. 6(1)(f)) — namely the security, abuse-prevention, session, and audit-log processing described above — you have the right to object at any time, on grounds relating to your particular situation. Contact us using the details in section 1 and we will stop unless we can show compelling legitimate grounds that override your interests, or the processing is needed to establish, exercise, or defend legal claims. See also section 10.
4. Where the data comes from and whether you must provide it
We collect all of this data directly from you — when you register, log in, use the forms, connect integrations, or mint tokens — including data generated by your own browser and AI clients when you use the service (such as the source IP, user-agent, and MCP request details listed above). We do not obtain your personal data from any third-party source.
Providing your account and authentication data is necessary to use the service: it is a requirement of the contract to provide it, and if you do not, we cannot create or maintain your account or carry out the actions your AI clients request. Integrations and tokens are optional — you provide them only if you choose to connect something.
5. Who receives your data
We keep the sharing of your data to a minimum:
- Hosting — the service runs on servers provided by a hosting/infrastructure provider located in the European Union, which acts as our processor for the purpose of running the server.
- Email — outgoing emails (address verification, password resets, notifications) are sent from our own self-hosted mail server, delivering directly to your mail provider. No third-party email provider is involved.
We do not sell your personal data and do not share it for advertising or with any other third party. Third-party integrations you connect are operated by those third parties under their own terms; for personal data you route through them you are the controller and the operator acts as your processor (see Terms of Service, section 16).
6. International transfers
All of your personal data is processed on servers located in the European Union / EEA, and our email is sent from our own server in the EU. We do not transfer your personal data outside the EU/EEA.
If this ever changes, we will update this policy and put an appropriate transfer safeguard (such as the EU Standard Contractual Clauses) in place before any transfer happens.
7. How long we keep your data
- Account and related data — kept until you delete your account or the operator shuts the service down, then deleted within a reasonable period.
- Short-lived security artefacts — password-reset, email-verification, email-change, and MFA one-time codes, and one-time token-view links, are single-use and expire within minutes to hours.
- Login and access logs and abuse counters — kept for up to 90 days for security, then automatically deleted.
- Contact-form emails — kept only as long as needed to handle your enquiry.
8. Automated decision-making
Our login and abuse protection can automatically and temporarily block an IP address or lock an account after repeated failures. This is a security measure: it involves no profiling and produces no legal or similarly significant effect on you within the meaning of Art. 22 GDPR. No other automated decision-making or profiling takes place.
9. How we protect your data
Our security measures include Argon2id password hashing, SHA-256 token hashing, encryption at rest for MFA secrets and integration credentials, mandatory multi-factor authentication, HTTPS/TLS, strict same-site session cookies, and per-tenant isolation.
This is a free evaluation project and, as stated in the Terms of Service, no security or availability guarantee is given.
10. Your rights
Under the GDPR (Art. 15–21) you have the right to:
- Access your personal data (Art. 15);
- Rectification of inaccurate data (Art. 16);
- Erasure of your data (Art. 17);
- Restriction of processing (Art. 18);
- Data portability (Art. 20);
- Object to processing based on our legitimate interests (Art. 21) — see the highlighted note in section 3.
Where processing is based on consent, you may withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal. Many of these rights you can exercise directly in the app — you can edit your profile, revoke tokens, and delete your account. For anything else, contact us using the details in section 1.
11. Complaints
You have the right to lodge a complaint with a supervisory authority, in addition to any other remedy. The competent authority for us is the Austrian Data Protection Authority (Oesterreichische Datenschutzbehoerde, DSB), Barichgasse 40-42, 1030 Vienna, web dsb.gv.at. You may also complain to the authority of your place of residence or work in the EU/EEA.
12. Children
The service is not directed to children. You must be at least 18 years old to use it (see Terms of Service, section 5).
13. Changes to this policy
We may update this policy as the service develops. The current version and its effective date always appear at the top of this page. Where a change is significant, we will make it reasonably visible; if we ever intend to process your data for a new purpose not described here, we will inform you before doing so.
Effective date: 2026-07-12 — Version 1.0