Privacy Policy

Last updated: December 2024

1. Introduction

MCP Moira ("we", "our", "us") is a workflow orchestration service for AI agents. This Privacy Policy explains how we collect, use, and protect your personal data when you use our service at moiraqq.com.

2. Data Controller

MCP Moira is operated as a personal project. For any privacy-related inquiries, contact: support@moiraqq.com

3. Data We Collect

3.1 Account Information

  • Email address - for account identification and communication
  • Name (optional) - for personalization
  • Password hash - securely stored, never in plain text
  • OAuth provider data - if you sign in with GitHub (profile info, email)

3.2 Service Data

  • Workflow definitions - JSON structures you create
  • Workflow execution data - context and state of your workflow runs
  • Execution notes - optional notes you add to executions

3.3 Technical Data

  • IP address - for security and rate limiting
  • Country (derived from IP) - for analytics and compliance
  • User agent - browser/client information for debugging
  • Session data - authentication tokens and session info

3.4 Consent Records

  • Terms acceptance timestamp - when you agreed to Terms of Service
  • Residency confirmation timestamp - when you confirmed non-Russian residency

4. How We Use Your Data

  • Service provision - to provide workflow orchestration functionality
  • Authentication - to verify your identity and manage sessions
  • Email verification - to confirm your email address ownership
  • Security - to detect and prevent unauthorized access
  • Support - to help you with technical issues during alpha testing
  • Compliance - to maintain records required by law (GDPR)

5. Legal Basis for Processing (GDPR)

  • Contract - processing necessary to provide the service you requested
  • Consent - for optional communications and analytics
  • Legitimate interests - for security, fraud prevention, and service improvement
  • Legal obligation - to comply with applicable laws

6. Third-Party Services

6.1 OAuth Providers

If you sign in with GitHub, we receive your email and profile information from GitHub. GitHub's privacy policy applies to data they process.

6.2 Email Service

We use Resend for sending transactional emails (verification, password reset). Resend processes your email address to deliver these emails.

7. Data Retention

  • Account data - retained while your account is active
  • Workflow data - retained until you delete it or your account
  • Audit logs - retained for 90 days for security purposes
  • Deleted workflows - soft-deleted, permanently removed after 30 days

8. Your Rights (GDPR)

Under GDPR, you have the right to:

  • Access - request a copy of your personal data
  • Rectification - correct inaccurate personal data
  • Erasure - request deletion of your personal data
  • Portability - receive your data in a machine-readable format
  • Restriction - limit how we process your data
  • Objection - object to processing based on legitimate interests

To exercise these rights, contact: support@moiraqq.com

9. Admin Access During Alpha

During the alpha testing phase, administrators may access user data (email, IP, activity logs) for debugging and support purposes. This access is logged in the audit trail. For production release, additional access controls and anonymization measures will be implemented.

See our Admin Panel Data Access documentation for details on what data administrators can view.

10. Data Security

  • All data transmitted over HTTPS
  • Passwords stored using secure bcrypt hashing
  • Session tokens with secure, HTTP-only cookies
  • OAuth tokens securely stored and refreshed
  • Regular security audits during development

11. International Transfers

Our servers are located in the European Union. If you access the service from outside the EU, your data will be transferred to and processed in the EU.

12. Cookies

We use essential cookies only for authentication and session management. These cookies are necessary for the service to function and do not require consent.

  • better-auth.session_token - authentication session
  • Theme preference - stored in localStorage, not a cookie

We do not use analytics cookies or tracking cookies.

13. Children's Privacy

MCP Moira is not intended for use by children under 16 years of age. We do not knowingly collect personal data from children.

14. Changes to This Policy

We may update this Privacy Policy as the service evolves. Significant changes will be communicated via email or service notification. Continued use after changes constitutes acceptance of the updated policy.

15. Contact

For privacy-related questions or to exercise your rights:
Email: support@moiraqq.com
GitHub Issues: witqq/mcp-moira-public