Privacy Policy
Last updated: 8 July 2025
1. Information We Collect
| Category | Examples | Purpose |
|---|---|---|
| Account Data | Name, email address, Google OAuth ID | Create & secure your account, deliver Service |
| Payment Data | Limited billing details (tokenized card, ZIP) handled by Stripe | Process subscriptions & invoices |
| Usage Logs | IP address, request headers, endpoint called, query string (address looked-up), timestamps, quota usage | Provide core functionality, rate-limit abuse, analytics |
| Cookies / Local Storage | Auth session cookie, CSRF token, preference flags | Keep you signed in, remember settings |
We do not intentionally collect sensitive personal data (race, health, etc.).
2. How We Use Your Information
- Provide & improve the Service (run look-ups, maintain infrastructure, debug).
- Communicate with you (service announcements, invoices, support).
- Billing & fraud prevention via Stripe and anti-abuse tooling.
- Product analytics (aggregate metrics to understand feature adoption).
- Legal compliance (respond to lawful requests, enforce Terms).
We do not sell or rent your personal information.
3. Legal Bases (GDPR)
| Basis | When applied |
|---|---|
| Contract | To deliver the Service you request (e.g., API look-ups). |
| Legitimate Interests | Security, service analytics, preventing fraud. |
| Consent | Marketing emails (opt-in, unsubscribe anytime). |
| Legal Obligation | Accounting & tax record-keeping. |
4. How We Share Information
| Recipient | Reason |
|---|---|
| Infrastructure Providers (Vercel, AWS, Supabase/Postgres) | Host servers & databases |
| Payment Processor (Stripe) | Manage subscriptions, refunds |
| Analytics (Plausible, self-hosted) | Privacy-friendly usage metrics |
| Law enforcement or regulators | Only when legally required |
All vendors are bound by agreements that protect your data.
5. Data Retention
- Account data — while your account is active + 12 months.
- Payment records — 7 years (tax laws).
- Server logs — 30 days, unless we investigate abuse.
- Lookup queries — anonymised and aggregated after 90 days.
You may delete your account anytime via the Dashboard or by emailing privacy@oz-mcp.com; we’ll erase identifying data within 30 days except where legal obligations require otherwise.
6. Security
We use HTTPS, encrypted databases, least-privilege IAM roles, and audit logging. No method is 100 % secure, but we work hard to protect your data.
7. Your Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, or port your personal data. Send requests to privacy@oz-mcp.com. We’ll respond within 30 days.
8. International Transfers
We host the Service in the United States. If you access from outside the U.S., you consent to transferring your data to U.S. servers.
9. Children
OZ-MCP is not directed to children under 16. We do not knowingly collect data from them.
10. Changes
We may update this policy. We’ll post the revision date and, for material changes, email account holders at least 7 days before it takes effect.
11. Contact Us
Agiato LLC
548 Market St, PMB 12345
San Francisco, CA 94104