Privacy Policy

Effective date: 2026-04-28 · Version 1.1

ShipMCP (“we,” “us”) is operated by MR Dula Enterprise, LLC (Raleigh, NC, USA). This policy explains what data we collect when you or your AI agents use shipmcp.io, www.shipmcp.io, and mcp.shipmcp.io (collectively, the “Service”), why we collect it, and what we do with it.

Who we are

Data controller: MR Dula Enterprise, LLC. Contact: matt@mrdula.solutions.

What we collect

We only collect what the Service needs to function. Specifically:

  • Account data: email, optional name, hashed password, and tenant ID. Passwords are stored as bcrypt hashes — even we cannot read your raw password. Magic-link tokens are stored as SHA-256 hashes with a 15-minute TTL and single-use enforcement.
  • API tokens: only the SHA-256 hash and an optional label (e.g. “Claude Desktop”). The raw bearer token is shown to you exactly once at creation and rotation; we never store it.
  • OAuth client registrations: client_id, client_name, registered redirect URIs. Authorization codes are stored as SHA-256 hashes with a 5-minute TTL.
  • Endpoints and content: every file you upload, every URL you ingest, the extracted markdown, schema introspection results, and the per-endpoint Postgres database we provision on your behalf. Content lives in your dedicated Neon Postgres project (separate connection string per endpoint) and the original uploaded bytes are archived in Cloudflare R2 when you opt in to the “Keep originals” toggle.
  • Agent activity: when an MCP agent calls your endpoint we record the tool name, tenant ID, and timing for usage accounting and rate limiting. Tool arguments and response bodies are not retained beyond the immediate request unless they're persisted as a side effect (e.g. an agent's insert_documents call materializes its arguments as a row in your DB).
  • Write & ingest job rows: when an agent calls a write or ingest tool, we persist the tool name, arguments (with binary blobs replaced by a length placeholder), status, and result for the audit trail and so you can poll job state. These rows are pruned after 30 days.
  • Payment metadata: subscription status, plan tier, billing cycle, and customer ID with our payments provider. We do not see card numbers or bank details — checkout, billing, and the customer portal are hosted by Dodo Payments.
  • Operational logs: HTTP method/path, response status, timing, and error stack traces from Cloudflare Workers. Used for debugging, uptime, and security review.
  • Audit log: durable record of significant events (endpoint provisioned, appended, deleted; account deleted; agent writes). Retained per the schedule below.

Encryption and isolation

All traffic to and from every endpoint (shipmcp.io, mcp.shipmcp.io) is over TLS 1.3 (HSTS preload-eligible, with max-age=31536000; includeSubDomains). Original-file archives in Cloudflare R2 are encrypted at rest by R2 using AES-256. Per-endpoint Neon Postgres projects use Neon's at-rest encryption. Per-endpoint isolation is physical — every endpoint has its own Neon project with its own connection string, not row-level security in a shared database.

Why we process your data

  • To provide the Service you (or your authorized agents) signed up for.
  • To enforce per-tenant boundaries: tenants only see their own endpoints, tokens, and data.
  • To bill correctly and prevent abuse.
  • To debug errors and keep the Service available.
  • To meet legal obligations when validly served.

We do not sell your data, your content, or your endpoint contents. We do not train AI models on customer content. We do not share data with advertisers.

Sub-processors

We rely on a small set of vendors to run the Service. Each processes only the data needed for its function:

  • Cloudflare — edge compute (Workers), object storage (R2), control-plane database (D1), durable rate-limit counters, queue-driven ingest pipeline, and Browser Rendering for URL ingest. Hosts shipmcp.io, www.shipmcp.io, and mcp.shipmcp.io.
  • Neon — managed Postgres. Each ShipMCP endpoint provisions a dedicated Neon project; your data lives there, isolated from every other tenant.
  • Cloudflare Workers AI — the AI gateway used for document conversion (PDF, DOCX, PPTX, images via the toMarkdown binding) and audio transcription (Whisper turbo). Workers AI processes content during ingest and does not retain it for training.
  • Dodo Payments — Merchant of Record for subscription billing and tax collection. Receives your email, plan, and payment instrument details directly via their hosted checkout.
  • Loops — transactional email (magic-link sign-in, billing receipts, account notices) and product-update broadcasts to account owners who haven't opted out. Receives recipient email, name (if supplied), and the message body for those flows.

We do not use third-party advertising or analytics SDKs. We do not load Google Analytics, Meta Pixel, or similar trackers on any page.

Cookies

ShipMCP uses a single first-party session cookie (shipmcp_session) on shipmcp.io, set with HttpOnly, Secure, and SameSite=Lax. It identifies your authenticated session and expires when you sign out or after 30 days of inactivity. We do not use third-party cookies.

Your rights

You can request a copy of, correction to, or deletion of any personal data we hold about you by emailing matt@mrdula.solutions. Account self-delete and endpoint self-delete are available from the dashboard at any time. If you are in the EU/UK, you also have the right to lodge a complaint with your local data protection authority.

Retention

  • Endpoint content (Postgres rows, R2 archives) is retained until you delete the endpoint or your account. Hard-delete completes within 30 days, including teardown of the per-tenant Neon project.
  • Account data is retained until you delete your account.
  • Write & ingest job rows are pruned after 30 days.
  • Audit log is retained for 12 months.
  • Operational logs are retained for 30 days.
  • Payment ledger is retained for 7 years for tax and accounting purposes.
  • Magic-link tokens expire 15 minutes after issue and are deleted from the database within 24 hours after expiry.

International transfers

ShipMCP is operated from the United States. Sub-processors (Cloudflare, Neon, Dodo Payments, Loops) operate globally distributed infrastructure and may process data outside your country of residence. We rely on Standard Contractual Clauses where required.

Children

ShipMCP is not directed at children under 13 (or 16 in the EEA), and we do not knowingly collect personal data from them.

Security

Bearer tokens are stored as SHA-256 hashes. Passwords are bcrypt-hashed. OAuth authorization codes are SHA-256-hashed and single-use. PKCE (S256) is mandatory on the OAuth flow; plain is refused. Signed download / upload URLs are HS256 JWTs with short TTLs (120s for downloads, 300s for uploads) and tenant claims that we re-bind on every request. Cross-tenant access is physically impossible — endpoints live in separate Neon projects and tokens are scoped to the owning tenant.

Changes to this policy

We will update the effective date at the top of this page when we make material changes. For substantive changes that affect how we handle existing data, we will additionally email account owners before the change takes effect.


© 2026 MR Dula Enterprise, LLC