Legal
MCP Connector Privacy Addendum
Last updated June 16, 2026
MCP Connector Privacy Addendum
This addendum supplements the Contentrain Privacy Policy and applies specifically to users of the Contentrain MCP Connector — the remote HTTP MCP server that allows AI clients (such as Claude Desktop, ChatGPT, Cursor, and compatible agents) to perform governed content operations on Contentrain projects.
Where this addendum conflicts with the general Privacy Policy, this addendum takes precedence for connector-specific data flows.
1. OAuth Token Storage and Revocation
How tokens are stored
When you authorize an AI client to connect to Contentrain via the MCP Connector, an OAuth 2.0 access token and refresh token pair is issued. Tokens are:
- Stored hashed at rest, transmitted only over TLS.
- Scoped to the approved scopes and the single target project.
- Never written to Git history, content files, or exported data.
- Never shared with third parties other than the authorizing AI client platform.
Revocation
You can revoke connector access at any time through:
- Studio → Settings → API Keys & Connectors — invalidates the token immediately.
- Sending a revocation request to [email protected].
- Deleting the Contentrain integration from your AI client’s connected apps page.
Revocation is immediate. After revocation, the AI client can no longer perform content operations. Previously created content entries remain in your Git repository and are not deleted by revocation.
2. Content Routing to Third-Party AI Clients
What content the connector transmits
When an AI client calls an MCP tool through the Contentrain connector, the connector may transmit:
- Content entries (fields, values, metadata) needed to answer the tool call.
- Model schemas (field names and types) to give the agent context.
- Branch, locale, and status information relevant to the requested operation.
This content travels from Contentrain’s infrastructure to the AI client platform (e.g., Anthropic’s Claude API, OpenAI’s ChatGPT, or the agent runtime you configured).
Third-party AI provider policies
Contentrain does not control how the receiving AI client platform processes, stores, or retains the content it receives through tool calls. You are responsible for reviewing the data handling policies of the AI client you connect:
- Anthropic (Claude): https://www.anthropic.com/privacy
- OpenAI (ChatGPT): https://openai.com/policies/privacy-policy
- Cursor: https://cursor.com/privacy
We recommend using the API tiers of these providers (not consumer tiers) when operating production content through the MCP Connector, as API tiers typically have stronger data isolation guarantees.
3. No Training on Customer Content
Contentrain does not use your project content, model schemas, vocabulary, or any data transmitted through the MCP Connector to train, fine-tune, or evaluate any machine learning model — our own or a third party’s.
This commitment covers:
- Content entries (collections, singletons, documents, dictionaries).
- Model and field definitions.
- Branch content and review history.
- Tool call inputs and outputs passing through the connector.
If you have a Data Processing Agreement (DPA) requirement, contact [email protected] to arrange a signed DPA that includes this commitment formally.
4. Authentication and Tokens
The connector uses OAuth 2.1 with PKCE (S256) and standards-based discovery (RFC 9728 / RFC 8414). You authenticate to Contentrain Studio and approve scopes on a consent screen; the MCP client never receives your Studio password or Git provider credentials.
- Access tokens are short-lived — they expire 1 hour after issuance.
- With the
offline_accessscope, the client receives a refresh token valid for 30 days, used to renew access silently. Refresh tokens are rotated on each use (a rotation-reuse attempt invalidates the whole token family). After 30 days idle, or once you disconnect, you must re-authenticate. - The authorization code exchanged during sign-in is valid for 2 minutes.
- Tokens are stored hashed at rest, transmitted only over TLS, bound to the approved scopes and the single target project.
- Revocation is immediate: disconnecting deletes live access tokens and revokes the refresh-token family.
5. Sub-Processor List
The following sub-processors may handle data in connection with the MCP Connector:
| Sub-processor | Role |
|---|---|
| GitHub (GitLab if used) | Stores your content; connector reads/writes via Git provider API |
| Railway | Hosting + PostgreSQL — OAuth grants, hashed tokens, logs, metering |
| Cloudflare R2 | Media asset storage (media-stack plans) |
| Resend | Transactional email |
| Sentry | Error monitoring |
| Polar / Stripe | Subscription billing |
| The connected MCP client (Claude/ChatGPT…) | Content is returned there; that provider’s policy governs it |
We update this list when sub-processors change. Material changes are announced at least 14 days in advance via email to account holders.
6. Retention Periods
| Data | Retention |
|---|---|
| Access tokens | Expire 1 hour after issuance |
| Refresh tokens | Expire 30 days; rotated on every use |
| OAuth client registrations (DCR) | Removed after 30 days of no use |
| Grants (connection + scopes/project) | Until you disconnect / delete project / delete account |
| Operational logs | 90 days (automatically purged) |
| Usage / metering | Current billing period + 12-month audit window |
| Content & media | In your Git repo — you control; Git history revertible |
7. Data Deletion Procedure
Deleting content entries
Content entries live in your Git repository. Delete them through Studio, the CLI (contentrain delete), or directly via your Git provider. Contentrain does not retain a separate copy of your content outside Git.
Deleting connector tokens
Revoke tokens as described in Section 1. After revocation, tokens are purged from our database within 24 hours.
Deleting your account
To request full account deletion:
- Email [email protected] with subject line “Account deletion request” from the address associated with your account.
- We will confirm the request within 2 business days and begin deletion within 7 business days.
- Deletion covers: account credentials, OAuth tokens, project metadata, billing profile, and MCP audit logs.
- Content in your Git repository is not deleted by us — you must remove it from your provider (GitHub/GitLab) separately.
- You will receive a confirmation email when deletion is complete.
Right to erasure (GDPR Article 17)
If you are a data subject exercising your right to erasure, email [email protected]. We will process the request within 30 days and inform you of any data we are legally required to retain (e.g., billing records).
Changes to This Addendum
We will notify account holders by email at least 14 days before material changes take effect. Continued use of the MCP Connector after the effective date constitutes acceptance of the updated addendum.
For questions, contact [email protected].