Privacy Policy
MCP Hive Marketplace Platform
Effective Date: 2026-01-01
Last Updated: 2026-01-01
Entity: MCP Hive (Canadian Federal Corporation)
1. Introduction
1.1 Overview
This Privacy Policy describes how MCP Hive, a Canadian federal corporation ("MCP Hive," "we," "us," or "our"), collects, uses, discloses, and protects your personal information when you access or use the MCP Hive platform, website, and related services (collectively, the "Platform").
MCP Hive operates as a marketplace connecting MCP Server Providers ("Providers") with users who access MCP Servers ("Consumers"). This Privacy Policy applies to all users of the Platform, regardless of their role.
1.2 Scope
This Privacy Policy applies to:
(a) Information collected through the Platform, including the MCP Hive website (mcp-hive.com) and related APIs;
(b) Information collected when you register an account, subscribe to our services, or register an MCP Server;
(c) Information generated through your use of MCP Servers on the Platform;
(d) Communications between you and MCP Hive.
This Privacy Policy does not apply to third-party websites, services, or MCP Servers that may be linked to or accessible through the Platform. We encourage you to review the privacy policies of any third-party services you interact with.
1.3 Consent
By creating an account, accessing, or using the Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your personal information as described herein.
If you do not agree with this Privacy Policy, you should not access or use the Platform.
1.4 Definitions
| Term | Definition |
|---|---|
| Personal Information | Information that identifies, relates to, or could reasonably be linked to you or your household. |
| Invocation Data | Data transmitted to and received from MCP Servers through the Platform, including request parameters and response content. |
| Provider | A user who has registered one or more MCP Servers on the Platform. |
| Consumer | A user who has purchased a subscription and invokes MCP Servers through the Platform. |
2. Information We Collect
2.1 Information You Provide
Account Information:
- Full legal name
- Email address
- Password (stored in hashed form)
- Company name (optional)
Provider Verification Information: When acting as a Provider, you provide additional information through our payment processor, Stripe:
- Government-issued identification
- Date of birth
- Residential or business address
- Phone number
- Tax identification information (e.g., W-8BEN, W-8BEN-E, Social Insurance Number, or Employer Identification Number)
- Bank account information for payouts
Consumer Payment Information: When acting as a Consumer, you provide payment information through Stripe:
- Credit or debit card details
- Billing address
- Payment method preferences
MCP Server Information: When registering an MCP Server, you provide:
- MCP Server name and description
- Category tags
- Deployment type and endpoint URL
- Pricing configuration
Communications:
- Support requests and correspondence
- Feedback and survey responses
- Any other information you voluntarily provide
2.2 Information Collected Automatically
Usage Data:
- Pages and features accessed
- Actions taken on the Platform
- Date and time of access
- Session duration
Device and Technical Data:
- IP address
- Browser type and version
- Operating system
- Device identifiers
- Referring URLs
Invocation Data: When you use MCP Servers through the Platform, we collect:
- The parameters and arguments passed to MCP Server tools
- The responses and outputs returned by MCP Servers
- Timestamps of invocations
- MCP Server and tool identifiers
- Success or failure status
- Response latency
2.3 Information from Third Parties
Payment Processor (Stripe):
- Transaction status and history
- Payment verification results
- Fraud detection signals
- Payout status
Identity Verification:
- Verification status from Stripe Connect
- KYC (Know Your Customer) verification results
3. How We Use Your Information
3.1 Providing and Improving the Platform
We use your information to:
(a) Create and manage your account;
(b) Process subscriptions, payments, and payouts;
(c) Provide access to MCP Servers and process invocations;
(d) Display MCP Server information to Consumers;
(e) Generate usage statistics and analytics for your dashboard;
(f) Improve Platform features, performance, and user experience;
(g) Develop new products and services.
3.2 Quality Evaluation and Monitoring
We use Invocation Data to:
(a) Assess the accuracy, coverage, latency, and error rates of MCP Servers;
(b) Validate MCP Servers during the probation period;
(c) Perform ongoing health checks and quality monitoring;
(d) Generate quality metrics displayed to Providers and Consumers;
(e) Identify and address MCP Server issues or failures.
3.3 Security and Fraud Prevention
We use your information to:
(a) Detect and prevent fraud, abuse, and security threats;
(b) Verify user identity and prevent unauthorized access;
(c) Enforce our Terms of Service and Acceptable Use policies;
(d) Investigate and respond to security incidents.
3.4 Communications
We use your contact information to:
(a) Send transactional emails (account verification, password resets, payment confirmations, payout notifications);
(b) Provide customer support;
(c) Send service announcements and updates;
(d) Send marketing communications (with your consent, where required).
3.5 Legal and Compliance
We use your information to:
(a) Comply with applicable laws, regulations, and legal processes;
(b) Respond to lawful requests from public authorities;
(c) Generate tax documentation (T4A, NR4, 1099 forms as applicable);
(d) Maintain records as required by law.
3.6 Aggregate and Anonymized Data
We may create aggregate or anonymized data from your information. Such data does not identify you personally and may be used for any lawful purpose, including research, analytics, and marketing.
4. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:
4.1 Performance of Contract
We process your information as necessary to perform our contract with you, including:
- Creating and managing your account
- Processing payments and payouts
- Providing access to MCP Servers
- Generating usage reports and statements
4.2 Legitimate Interests
We process your information based on our legitimate interests, including:
- Improving and developing the Platform
- Ensuring Platform security and preventing fraud
- Quality monitoring and evaluation of MCP Servers
- Analyzing usage patterns and trends
- Marketing our services (subject to your right to opt out)
We balance our legitimate interests against your rights and interests and do not process your information where our interests are overridden by the impact on you.
4.3 Legal Obligations
We process your information as necessary to comply with legal obligations, including:
- Tax reporting and documentation
- Responding to lawful requests from authorities
- Record-keeping requirements
- Anti-money laundering (AML) and sanctions compliance
4.4 Consent
Where required by law, we obtain your consent before processing your information for certain purposes, such as:
- Sending marketing communications
- Using certain cookies and tracking technologies
You may withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
5. Information Sharing and Disclosure
5.1 With Other Users
Provider Information Shared with Consumers:
- MCP Server name, description, and categories
- Pricing information
- Quality metrics (accuracy, latency, error rates)
Provider-Published Contact Information: Providers may choose to display contact information on their MCP Server listings, such as email addresses, website URLs, or GitHub links. This information is voluntarily published by Providers and is visible to all Platform users. Providers control what contact information, if any, they make public.
Consumer Information Shared with Providers:
- Aggregate usage statistics for their MCP Servers
- We do not share individual Consumer identities with Providers
5.2 Service Providers
We share information with third-party service providers who perform services on our behalf:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing, identity verification, payouts | Payment details, identity documents, bank information, transaction history |
| Cloud Infrastructure Providers | Hosting and data storage | All Platform data (encrypted) |
| Email Service Providers | Transactional and marketing emails | Email address, name, communication preferences |
| Analytics Providers | Usage analytics | Anonymized usage data, device information |
Our service providers are contractually obligated to protect your information and use it only for the purposes we specify.
5.3 Legal Requirements
We may disclose your information when required by law or in response to:
(a) Court orders, subpoenas, or legal process;
(b) Requests from law enforcement or government authorities;
(c) To protect the rights, property, or safety of MCP Hive, our users, or others;
(d) To enforce our Terms of Service or other agreements;
(e) In connection with investigations of fraud, security incidents, or violations of law.
5.4 Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your information may be transferred to the acquiring entity. We will notify you via email or prominent notice on the Platform of any such change in ownership or control.
5.5 With Your Consent
We may share your information with third parties when you have given us explicit consent to do so.
5.6 No Sale of Personal Information
MCP Hive does not sell your personal information to third parties. We do not exchange your personal information for monetary or other valuable consideration.
6. International Data Transfers
6.1 Data Location
MCP Hive is based in Canada. Your information may be processed and stored in Canada, the United States, or other countries where our service providers operate.
6.2 Transfers from the EEA, UK, and Switzerland
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data may be transferred to countries outside these regions. When we transfer your data internationally, we implement appropriate safeguards:
(a) Adequacy Decisions: We may transfer data to countries recognized by the European Commission or UK authorities as providing adequate data protection (including Canada for commercial organizations subject to PIPEDA);
(b) Standard Contractual Clauses: We use European Commission-approved Standard Contractual Clauses (SCCs) with service providers in countries without adequacy decisions;
(c) Binding Corporate Rules: Where applicable, we rely on service providers' approved Binding Corporate Rules;
(d) Consent: In some cases, we may transfer data based on your explicit consent.
6.3 Your Rights Regarding Transfers
You have the right to request information about the safeguards we use for international transfers. Contact us at privacy@mcp-hive.com for more information.
7. Data Retention
7.1 Retention Periods
We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account Information | Duration of account + 3 years | Account management, reactivation |
| Invocation Metadata | 6 years | Financial compliance, dispute resolution, aggregate quality metrics |
| Invocation Content | Duration of account | Quality evaluation; deleted upon account deletion |
| Payment and Transaction Records | 7 years | Tax and financial compliance |
| Tax Documentation | 7 years | Legal requirements (CRA, IRS) |
| Provider Verification Documents | Duration of Provider status + 5 years | AML compliance, audit requirements |
| Support Communications | 3 years | Service improvement, dispute resolution |
| Usage and Analytics Data | 2 years (identifiable) / Indefinite (anonymized) | Platform improvement, analytics |
Note on Invocation Data: Invocation data consists of two components: (1) metadata (timestamps, MCP Server identifiers, latency, success/failure status), which is retained for compliance and aggregate quality metrics; and (2) content (the parameters sent and responses received), which may incidentally contain personal information you include in your queries. Invocation content is deleted when you delete your account.
7.2 Account Deletion
When you request account deletion:
(a) We will delete or anonymize your personal information within 30 days, except as required for legal, tax, or compliance purposes;
(b) Certain information may be retained in anonymized form for analytics;
(c) Invocation content (the parameters and responses of your MCP Server calls) is deleted using scheduled maintenance processes;
(d) Invocation metadata (timestamps, MCP Server identifiers, latency, success/failure status) is retained in de-identified form for financial compliance and aggregate quality metrics;
(e) Information necessary for legal compliance (payment records, tax documentation) will be retained for the applicable retention period.
7.3 Provider Earnings and Tax Records
If you are a Provider, we retain earnings and payout records as required for tax reporting purposes, even after account deletion.
8. Your Rights
8.1 Rights Under Canadian Law (PIPEDA)
If you are a Canadian resident, you have the right to:
(a) Access: Request access to your personal information held by us;
(b) Correction: Request correction of inaccurate or incomplete personal information;
(c) Withdrawal of Consent: Withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions;
(d) Complaint: File a complaint with the Office of the Privacy Commissioner of Canada.
8.2 Rights Under EU/UK Law (GDPR)
If you are located in the EEA, UK, or Switzerland, you have the following rights:
(a) Right of Access: Request a copy of your personal data;
(b) Right to Rectification: Request correction of inaccurate personal data;
(c) Right to Erasure: Request deletion of your personal data ("right to be forgotten");
(d) Right to Restriction: Request restriction of processing of your personal data;
(e) Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format;
(f) Right to Object: Object to processing based on legitimate interests or for direct marketing;
(g) Rights Related to Automated Decision-Making: Not be subject to decisions based solely on automated processing that significantly affect you;
(h) Right to Withdraw Consent: Withdraw consent at any time, where processing is based on consent;
(i) Right to Lodge a Complaint: File a complaint with your local data protection authority.
8.3 Rights Under California Law (CCPA/CPRA)
If you are a California resident, you have the following rights:
(a) Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, purposes, and third parties with whom we share it;
(b) Right to Delete: Request deletion of your personal information, subject to certain exceptions;
(c) Right to Correct: Request correction of inaccurate personal information;
(d) Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising;
(e) Right to Limit Use of Sensitive Personal Information: Request that we limit the use of sensitive personal information to purposes necessary to provide services;
(f) Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights.
8.4 Exercising Your Rights
To exercise any of these rights, contact us at:
Email: legal@mcp-hive.com
Mail: MCP Hive, 6800 Ave MacDonald apt 703, H3X 3Z2, Montreal, Canada
We will respond to your request within the timeframes required by applicable law (generally 30 days, or 45 days for CCPA requests). We may need to verify your identity before processing your request.
8.5 Authorized Agents
You may designate an authorized agent to make requests on your behalf. We may require verification of the agent's authority and your identity.
8.6 Invocation Data
Invocation content (the parameters you send and responses you receive from MCP Servers) may incidentally contain personal information that you include in your queries. Regarding your rights:
(a) Access: You may request access to your invocation history. We will provide invocation metadata (dates, MCP Servers accessed, usage counts) and, upon specific request, available invocation content;
(b) Deletion: When you delete your account, invocation content is deleted. Invocation metadata is retained in de-identified form for compliance purposes;
(c) Portability: You may request export of your invocation data in a machine-readable format.
We do not individually process or extract personal information that may be embedded within invocation content for purposes other than quality evaluation.
9. Cookies and Tracking Technologies
9.1 Types of Cookies We Use
| Cookie Type | Purpose | Duration |
|---|---|---|
| Strictly Necessary | Essential for Platform functionality (authentication, security, session management) | Session or up to 1 year |
| Functional | Remember your preferences and settings | Up to 1 year |
| Analytics | Understand how users interact with the Platform, improve performance | Up to 2 years |
| Marketing | Deliver relevant advertisements (only with consent) | Up to 1 year |
9.2 Strictly Necessary Cookies
These cookies are essential for the Platform to function and cannot be disabled. They include:
- Authentication cookies (to keep you logged in)
- Security cookies (to detect and prevent fraud)
- Session cookies (to maintain your session state)
9.3 Analytics and Performance Cookies
We use analytics cookies to understand how users interact with the Platform. These cookies collect information such as:
- Pages visited
- Time spent on pages
- Click patterns
- Error messages encountered
This information helps us improve the Platform. Analytics data is typically anonymized or aggregated.
9.4 Managing Cookies
You can manage cookies through:
(a) Browser Settings: Most browsers allow you to block or delete cookies. Note that blocking all cookies may affect Platform functionality;
(b) Cookie Consent Banner: Where required by law, we display a cookie consent banner allowing you to accept or reject non-essential cookies;
(c) Opt-Out Links: For specific analytics providers, you may use their opt-out mechanisms.
9.5 Do Not Track
Some browsers offer a "Do Not Track" (DNT) feature. We currently do not respond to DNT signals, as there is no industry standard for handling them.
10. Security
10.1 Security Measures
We implement appropriate technical and organizational measures to protect your personal information, including:
(a) Encryption: Data is encrypted in transit (TLS/HTTPS) and at rest;
(b) Access Controls: Access to personal information is restricted to authorized personnel on a need-to-know basis;
(c) Authentication: We use secure authentication mechanisms, including hashed passwords;
(d) Infrastructure Security: Our infrastructure is hosted on secure cloud platforms with industry-standard security certifications;
(e) Monitoring: We monitor for security threats and suspicious activity;
(f) Vendor Security: We require our service providers to maintain appropriate security measures.
10.2 Payment Security
Payment information is processed by Stripe, a PCI-DSS Level 1 certified payment processor. We do not store complete credit card numbers on our servers.
10.3 Security Incidents
In the event of a data breach affecting your personal information, we will:
(a) Notify affected users as required by applicable law (generally within 72 hours of discovery for GDPR);
(b) Report the breach to relevant data protection authorities as required;
(c) Take steps to mitigate harm and prevent future incidents.
10.4 Your Responsibilities
You are responsible for:
(a) Maintaining the confidentiality of your account credentials;
(b) Using strong, unique passwords;
(c) Notifying us promptly of any suspected unauthorized access to your account.
11. Children's Privacy
11.1 Age Restriction
The Platform is not intended for use by individuals under the age of 18 (or the age of majority in their jurisdiction). We do not knowingly collect personal information from children.
11.2 Parental Notification
If we become aware that we have collected personal information from a child, we will take steps to delete such information promptly. If you believe we have collected information from a child, please contact us at legal@mcp-hive.com.
12. Changes to This Privacy Policy
12.1 Notification of Changes
We may update this Privacy Policy from time to time. For material changes, we will:
(a) Provide at least thirty (30) days' advance notice via email to the address associated with your account;
(b) Post a prominent notice on the Platform;
(c) Update the "Last Updated" date at the top of this Privacy Policy.
12.2 Continued Use
Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should discontinue use of the Platform before the changes take effect.
12.3 Prior Versions
Prior versions of this Privacy Policy are available upon request.
13. Contact Us
13.1 Privacy Inquiries
If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Privacy Officer
Email: legal@mcp-hive.com
Mail: MCP Hive, 6800 Ave MacDonald apt 703, H3X 3Z2, Montreal, Canada
13.2 Data Protection Authority
If you are located in the EEA, UK, or Switzerland and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority.
For Canadian residents:
Office of the Privacy Commissioner of Canada 30 Victoria Street Gatineau, Quebec K1A 1H3 Toll-free: 1-800-282-1376 Website: https://www.priv.gc.ca/
13.3 EU Representative
If you are located in the European Union, you may contact our EU representative at:
[To be designated if required based on EU user volume]
13.4 UK Representative
If you are located in the United Kingdom, you may contact our UK representative at:
[To be designated if required based on UK user volume]
14. Additional Disclosures
14.1 Categories of Personal Information Collected (CCPA)
In the preceding 12 months, we have collected the following categories of personal information:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, IP address, account ID | Yes |
| Customer Records | Billing address, payment information | Yes |
| Commercial Information | Subscription history, transaction records | Yes |
| Internet Activity | Browsing history, search history, Platform interactions | Yes |
| Geolocation Data | General location derived from IP address | Yes |
| Professional Information | Business name, tax ID (for Providers) | Yes |
| Sensitive Personal Information | Government ID, financial account numbers | Yes (Providers only, via Stripe) |
14.2 Sources of Personal Information (CCPA)
We collect personal information from:
(a) Directly from you (registration, payment, communications);
(b) Automatically through your use of the Platform;
(c) Third-party service providers (Stripe, analytics providers).
14.3 Business Purposes for Collection (CCPA)
We collect personal information for the business purposes described in Section 3, including providing services, processing payments, security, and compliance.
14.4 Disclosure of Personal Information (CCPA)
In the preceding 12 months, we have disclosed personal information to the following categories of third parties:
- Payment processors (Stripe)
- Cloud infrastructure providers
- Analytics providers
- Legal and regulatory authorities (as required)
14.5 No Sale or Sharing
We have not sold personal information in the preceding 12 months. We do not share personal information for cross-context behavioral advertising.
END OF PRIVACY POLICY
This document was last updated on 2026-01-01.