relay-mcp

Privacy Policy

relay-mcp is an evaluation project. This policy is written in good faith and in plain language to explain what personal data we process and why. It is not legal advice.

Effective date: 2026-07-12 — Version 1.0

In short:

1. Who we are

We are the controller responsible for your personal data. For details about the operator, including the full name and contact details, see our Impressum. You can reach us through the contact form, or by email at mcp@darky.cc.

No Data Protection Officer (DPO) is appointed, as one is not legally required.

Your use of the service is also governed by our Terms of Service.

2. No tracking, and the one cookie we use

The site is self-hosted and loads no third-party analytics, advertising, tracking pixels, content-delivery networks, external fonts, or social plugins. There is no cross-site tracking and no profiling of your browsing.

We set exactly one cookie, relay_session. It is strictly necessary to keep you logged in and holds only an opaque, signed session id — no personal data is readable from it. It is set with SameSite=Strict and Secure (HTTPS only) and expires after 8 hours.

Because this cookie is strictly necessary to run the service, no cookie-consent banner is required. Our forms are protected by a stateless, signed math-captcha token carried in the form itself — this is not a tracking cookie.

3. What personal data we process, why, and on what legal basis

We process the following categories of personal data. For each, we give the purpose and the GDPR Art. 6(1) legal basis.

Where we are subject to a legal obligation (for example to respond to a lawful request), we process data on the basis of Art. 6(1)(c). We do not currently rely on consent-based processing (Art. 6(1)(a)) beyond your agreement to use the service; if we ever ask for your consent separately, you may withdraw it at any time without affecting processing already carried out before withdrawal.

Your right to object: where we rely on our legitimate interests (Art. 6(1)(f)) — namely the security, abuse-prevention, session, and audit-log processing described above — you have the right to object at any time, on grounds relating to your particular situation. Contact us using the details in section 1 and we will stop unless we can show compelling legitimate grounds that override your interests, or the processing is needed to establish, exercise, or defend legal claims. See also section 10.

4. Where the data comes from and whether you must provide it

We collect all of this data directly from you — when you register, log in, use the forms, connect integrations, or mint tokens — including data generated by your own browser and AI clients when you use the service (such as the source IP, user-agent, and MCP request details listed above). We do not obtain your personal data from any third-party source.

Providing your account and authentication data is necessary to use the service: it is a requirement of the contract to provide it, and if you do not, we cannot create or maintain your account or carry out the actions your AI clients request. Integrations and tokens are optional — you provide them only if you choose to connect something.

5. Who receives your data

We keep the sharing of your data to a minimum:

We do not sell your personal data and do not share it for advertising or with any other third party. Third-party integrations you connect are operated by those third parties under their own terms; for personal data you route through them you are the controller and the operator acts as your processor (see Terms of Service, section 16).

6. International transfers

All of your personal data is processed on servers located in the European Union / EEA, and our email is sent from our own server in the EU. We do not transfer your personal data outside the EU/EEA.

If this ever changes, we will update this policy and put an appropriate transfer safeguard (such as the EU Standard Contractual Clauses) in place before any transfer happens.

7. How long we keep your data

8. Automated decision-making

Our login and abuse protection can automatically and temporarily block an IP address or lock an account after repeated failures. This is a security measure: it involves no profiling and produces no legal or similarly significant effect on you within the meaning of Art. 22 GDPR. No other automated decision-making or profiling takes place.

9. How we protect your data

Our security measures include Argon2id password hashing, SHA-256 token hashing, encryption at rest for MFA secrets and integration credentials, mandatory multi-factor authentication, HTTPS/TLS, strict same-site session cookies, and per-tenant isolation.

This is a free evaluation project and, as stated in the Terms of Service, no security or availability guarantee is given.

10. Your rights

Under the GDPR (Art. 15–21) you have the right to:

Where processing is based on consent, you may withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal. Many of these rights you can exercise directly in the app — you can edit your profile, revoke tokens, and delete your account. For anything else, contact us using the details in section 1.

11. Complaints

You have the right to lodge a complaint with a supervisory authority, in addition to any other remedy. The competent authority for us is the Austrian Data Protection Authority (Oesterreichische Datenschutzbehoerde, DSB), Barichgasse 40-42, 1030 Vienna, web dsb.gv.at. You may also complain to the authority of your place of residence or work in the EU/EEA.

12. Children

The service is not directed to children. You must be at least 18 years old to use it (see Terms of Service, section 5).

13. Changes to this policy

We may update this policy as the service develops. The current version and its effective date always appear at the top of this page. Where a change is significant, we will make it reasonably visible; if we ever intend to process your data for a new purpose not described here, we will inform you before doing so.

Effective date: 2026-07-12 — Version 1.0