Privacy Policy

Last updated: March 8, 2026

1. Information We Collect

Medusa MCP Gateway ("Medusa", "we", "us") collects the following information when you use our service:

  • Account information: Email address and authentication credentials when you create an account.
  • Agent telemetry: Metadata about MCP server configurations, gateway traffic events (method names, server names, tool names, policy verdicts), and agent health status. We do not collect the contents of tool call arguments or responses.
  • Scan results: Security scan findings including severity, category, and remediation status for MCP server configurations you choose to upload.
  • Usage data: Page views, feature usage patterns, and error logs to improve the service.

2. How We Use Your Information

  • To provide and operate the Medusa security dashboard and agent.
  • To enforce security policies and generate DLP incident reports.
  • To display security posture metrics and configuration drift.
  • To improve our product and fix bugs.
  • To communicate important service updates.

3. Data Storage and Security

Your data is stored on Supabase infrastructure with row-level security (RLS) policies ensuring each customer can only access their own data. All data is encrypted in transit (TLS) and at rest.

4. Data Retention

Gateway event telemetry is automatically purged after 90 days. Scan results and baselines are retained until you delete them. Account data is retained while your account is active and for 30 days after deletion.

5. Data Sharing

We do not sell your data. We may share data with third-party service providers (e.g., hosting, error monitoring) solely for operating the service, under strict data processing agreements.

6. Your Rights

You have the right to:

  • Access your data through the dashboard.
  • Delete your scans, baselines, and agent registrations.
  • Request full account deletion by contacting us.
  • Export your data in standard formats (JSON, PDF).

7. Cookies

We use strictly necessary cookies for authentication session management. We do not use advertising or tracking cookies.

8. Contact

For privacy-related inquiries, contact us at privacy@medusa-mcp.dev.