DFY Hub MCP Server — Privacy Policy
Effective Date: March 10, 2026
Last Updated: March 10, 2026
Service URL: https://mcp.yourdfyhub.com
Contact: support@yourdfyhub.com
1. Introduction
DFY Hub (“we,” “us,” “our”) operates the DFY Hub MCP Server, a Model Context Protocol (MCP) integration that provides AI agents with access to professional SEO data via third-party data providers. This Privacy Policy explains how we collect, use, store, and protect your information when you use our MCP server through any AI platform (Claude, ChatGPT, Cursor, VS Code, or other MCP-compatible clients).
2. Information We Collect
2.1 Account Information
When you authenticate via OAuth, we receive and store:
- Email address — Used for account identification and billing communications
- DFY Hub user ID — Internal identifier for credit tracking
- Subscription tier — Determines your credit allocation
2.2 Usage Data
For each tool call made through the MCP server, we record:
- Tool name — Which SEO data tool was called
- Credit cost — Number of credits deducted
- Timestamp — When the call was made
- Success/failure status — Whether the call completed successfully
- Error codes — If the call failed, the error type (no request body is logged)
2.3 Information We Do NOT Collect or Store
- Search queries or keywords — We do not log the actual parameters you send to tools (e.g., the keywords you search for, the domains you analyze)
- API response data — SEO data returned by our data providers passes through our server but is NOT stored. We are a stateless proxy for data content.
- AI conversation content — We have no access to your conversations with AI assistants
- Browser cookies or tracking pixels — The MCP server is an API-only service with no web tracking
3. How We Use Your Information
We use collected information for:
- Service delivery — Authenticating your identity and routing API calls
- Credit billing — Tracking credit usage and managing your balance
- Service improvement — Identifying common errors to improve tool instructions and reduce failed calls
- Security — Detecting unauthorized access or abuse patterns
- Customer support — Resolving billing disputes or technical issues
We do NOT use your information for:
- Advertising or marketing profiling
- Selling to third parties
- Training AI models
- Behavioral analytics beyond usage metrics
4. Third-Party Services
4.1 SEO Data Provider
Your tool call parameters are forwarded to our upstream SEO data provider to fulfill requests. The data provider processes these parameters under their own privacy policy. We authenticate with the data provider using our own credentials — your personal information is not shared with the data provider.
4.2 Whop (Payment Processing)
Credit purchases and subscriptions are processed by Whop. We never store your full payment card details. See Whop's privacy policy.
4.3 Cloudflare (Infrastructure)
Our server runs on Cloudflare Workers. Cloudflare may process request metadata (IP addresses, headers) as part of their infrastructure services. See Cloudflare's privacy policy.
4.4 Sentry (Error Tracking)
We use Sentry for error monitoring. When errors occur, Sentry may receive the error message and request metadata (but not request bodies or API response content). See Sentry's privacy policy.
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account info (email, user ID) | Duration of account + 30 days after deletion |
| Usage events (tool name, credits, timestamp) | 12 months (rolling) |
| Credit transaction ledger | 7 years (financial records requirement) |
| OAuth tokens/sessions | 24 hours (JWT expiry) / 10 minutes (auth codes) |
| Error logs | 90 days |
6. Data Security
- All data in transit is encrypted via TLS 1.3
- OAuth 2.1 with PKCE prevents token interception
- JWT access tokens are signed with HS256 and expire after 24 hours
- Credit operations use atomic Durable Object transactions (no double-charging)
- No API response data is persisted — we are a stateless proxy
7. Your Rights
Depending on your jurisdiction (GDPR, CCPA, etc.), you have the right to:
- Access — Request a copy of all data we hold about you
- Correction — Update inaccurate account information
- Deletion — Request deletion of your account and associated data
- Portability — Receive your usage data in a machine-readable format
- Opt-out — Disconnect from the MCP server at any time by revoking OAuth access
To exercise these rights, email support@yourdfyhub.com with your account email. We will respond within 30 days.
8. Children's Privacy
The DFY Hub MCP Server is not directed at children under 13 (or 16 in the EU). We do not knowingly collect information from minors. If you believe a child has provided us data, contact us for immediate deletion.
9. International Data Transfers
Our service runs on Cloudflare's global network. Data may be processed in the United States and other countries where Cloudflare operates. We rely on Cloudflare's data processing agreements and Standard Contractual Clauses for cross-border transfers.
10. Changes to This Policy
We will notify you of material changes by:
- Updating the “Last Updated” date above
- Posting a notice at https://yourdfyhub.com/privacy
- For significant changes, emailing registered users
11. Contact
This privacy policy applies to the DFY Hub MCP Server at mcp.yourdfyhub.com. For the DFY Hub web platform privacy policy, see https://yourdfyhub.com/privacy.