mcpwingBack to home
Legal

Privacy Policy

How MCPWing collects, uses, shares, and protects your information.

1. Effective date

This Privacy Policy is effective as of June 7, 2026.

2. Information we collect

MCPWing is a multi-tenant platform. All data is organization-scoped and isolated using Postgres Row-Level Security. We collect and store the following categories of information:

  • User identity & authentication — email address, phone number (used to deliver one-time passcodes), and authentication state.
  • Organization & membership — organization and team membership and roles.
  • Workspace content — projects, briefs, designs, design comments, skills, and folders.
  • Tickets — tickets and ticket history.
  • MCP resources — MCP servers, tools, collection versions, and customizations.
  • Credentials & tokens— API keys (stored hashed); OAuth clients, authorization codes, and access & refresh tokens (stored hashed).
  • MCP invocation logs — tool inputs and outputs from MCP invocations.
  • Chat — chat conversations and messages.
  • AI usage & budget logs — model, tokens, and cost.
  • Audit logs — actor, action, target, IP address, and user-agent.

3. How we use information

We use the information we collect to:

  • Operate and maintain the MCPWing platform.
  • Deliver MCP tool calls — including via the MCPWing (Wing) connector for Claude — and return their results to you.
  • Provide security, prevent abuse, and protect the integrity of the service.
  • Calculate AI usage, budgets, and billing.

4. How information is shared

We do not sell personal data. We share information only with the sub-processors and third parties below, each engaged to provide a specific part of the service:

  • Supabase — database (Postgres), authentication, and session storage.
  • MojoAuth — email one-time-passcode delivery for sign-in.
  • Google & customer-configured SAML identity providers — optional enterprise single sign-on.
  • Railway — API / backend hosting (api.mcpwing.com).
  • Vercel — web hosting (mcpwing.com).
  • Fireworks AI — LLM inference for the platform's AI features.
  • OpenAI and Anthropic — only when you supply your own API key or connect your own account.
  • jsDelivr (CDN) — serves the Chart.js library used for rendered charts.
  • Slack — optional, admin-configured webhook notifications.

5. Data sent to Claude / Anthropic via the Wing connector

When you use the MCPWing (Wing) connector inside Claude, Anthropic (the provider of Claude) processes the messages and tool calls you exchange with the connector. The connector receives the requests Claude makes on your behalf and returns results back to Claude. Data handled by Claude is subject to Anthropic's privacy practices. See Anthropic's privacy policy at https://www.anthropic.com/legal/privacy.

6. MCPWing desktop application

The MCPWing desktop application for macOS and Windows runs locally on your device. In addition to the platform data described above, the desktop app handles certain information locally on your computer:

  • Provider API keys (bring-your-own) — when you enter your own Anthropic, OpenAI, or other provider keys in the app, they are stored encrypted in your operating system's secure keychain (macOS Keychain / Windows Credential storage) and are never transmitted to MCPWing's servers. They are used only to send requests directly from your device to the provider you configured.
  • Local conversations — chat conversations are stored in a local database on your device. When you work within a MCPWing organization, conversation and workspace data may also sync to MCPWing as described in the sections above.
  • Local files & commands — when you grant the app access to a folder or file, it can read and modify those files and run commands you approve, locally on your device. The contents of files you work on are sent to the AI provider you have configured only as needed to fulfil your requests, and to MCPWing only for features you actively use (for example, uploading a design).
  • Local tool detection — the app may check whether compatible command-line tools (such as the Claude or OpenAI CLIs) are installed and whether they hold stored credentials, so it can offer to reuse them. This check happens locally and does not transmit those credentials to MCPWing.

When you use your own provider keys, your prompts, code, and other inputs go directly from your device to that provider and are governed by the provider's own privacy policy (for example, Anthropic's policy linked above), not routed through MCPWing.

7. Retention

We retain data while the account or organization is active. On project or organization deletion, associated content is deleted within 30 days, except where we are legally required to retain it. Audit logs and AI usage logs are retained for up to 24 months. Data held locally by the desktop app (such as bring-your-own keys and local conversations) remains on your device until you remove it or uninstall the app.

8. Security

  • All data is encrypted in transit using TLS.
  • Secrets such as API keys and OAuth tokens are stored hashed.
  • Per-organization Fireworks keys are encrypted at rest using AES-256-GCM.
  • In the desktop app, bring-your-own provider keys are encrypted at rest using your operating system's secure keychain.
  • Multi-tenant isolation is enforced via Postgres Row-Level Security.
  • The connector uses OAuth 2.1 with PKCE.

9. Your rights

You may request access to, deletion of, or export of your personal data. To exercise these rights, email hello@mcpwing.com.

10. Contact

For any privacy questions, contact us at hello@mcpwing.com.