Privacy Policy

Last updated: February 2026

What we collect

When you use OpenBSP MCP, we store:

• API key - A randomly generated 256-bit key to authenticate your MCP client
• OAuth tokens - Access and refresh tokens from Google to make API calls on your behalf
• Scopes - Which Google products you authorized (Calendar, Sheets)
• Authorized files - IDs and names of Google Drive files you selected to share

What we don't collect

• Your Google password
• Your email address or personal information
• Your calendar events or spreadsheet data
• Usage logs or analytics

Data protection

We implement multiple layers of security to protect your data:

• Encryption in transit - All connections use HTTPS/TLS. Data is encrypted between your client, our servers, and Google's APIs.
• Encryption at rest - OAuth tokens are encrypted using AES-256-GCM before storage. The encryption key is stored separately from the database in secure environment variables, so a database breach alone cannot expose your Google credentials.
• Minimal data storage - We only store what's necessary to authenticate API requests. Your actual calendar events and spreadsheet contents are never stored.
• Secure infrastructure - Hosted on Cloudflare Workers with built-in DDoS protection, automatic security updates, and isolated execution environments.
• No logging of sensitive data - We do not log API request contents, OAuth tokens, or any data passing through to Google APIs.

How your data flows

When your AI assistant makes a request:

• Your MCP client sends the request to our server over HTTPS with your API key
• We decrypt your stored OAuth token in memory
• We call Google's API over HTTPS on your behalf
• Google's response passes through our server to your client
• No request or response data is logged or stored

Data retention

• API keys and tokens - Stored until you revoke them or they expire
• OAuth states - Temporary data automatically deleted after 10 minutes
• Authorized files - Stored until you delete your API key

How to delete your data

You can delete all your stored data at any time:

• Delete your API key: curl -X DELETE https://g.mcp.openbsp.dev/key/YOUR_API_KEY
• Revoke from Google: Google Account Permissions

Both methods immediately delete your API key, encrypted tokens, and authorized file list from our database.

Third parties

We use:

• Cloudflare - Hosting, infrastructure, and edge security
• Google APIs - Calendar and Sheets access

We do not sell or share your data with any other third parties.

Open source

This project is fully open source. You can review all code, including our security implementations, at github.com/matiasbattocchia/google-mcp.

Contact

For questions about this policy, open an issue on GitHub.

← Back to home