Privacy Policy

Last updated: January 13, 2025

Privacy at a Glance: We collect minimal data necessary to provide our service. Our marketing website uses Umami Analytics (privacy-focused, no personal data) and PostHog for anonymous button click tracking. Our application uses PostHog for product analytics. Your data is processed on Google Cloud Platform servers in the United States. Important: When members use our MCP service, your Ghost blog content is transmitted to third-party AI systems (such as Claude or ChatGPT), which have their own data handling policies. You have full control over your data and can request deletion at any time.

1. Introduction

ToastMCP ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at toastmcp.com and our application at app.toastmcp.com (collectively, the "Service").

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

ToastMCP is operated as a sole proprietorship. For any privacy-related inquiries, please contact us at enrico@toastmcp.com.

2. Information We Collect

2.1 Information You Provide

We collect information that you voluntarily provide when using our Service:

  • Account Information: Email address, name (optional), and password when you register
  • Ghost Blog Credentials: Ghost Admin API key and Content API key when you connect your blog
  • Payment Information: Billing details processed through LemonSqueezy (we do not store complete payment card information)
  • Communications: Information you provide when contacting our support

2.2 Information Collected Automatically

When you use our Service, we automatically collect certain information:

| Data Type | Marketing Website (toastmcp.com) | Application (app.toastmcp.com) |
|---|---|---|
| Analytics Provider | Umami Analytics + PostHog | PostHog |
| Personal Data Collected | Anonymous button click events only | Anonymous usage events, feature interactions |
| IP Addresses | Anonymized by PostHog | Anonymized |
| Cookies | PostHog cookies for analytics | Session cookies only |

2.3 Information from Third Parties

We receive information from third-party services:

  • Ghost API: Member information (email, name, subscription tiers) from your connected Ghost blog
  • Firebase Authentication: Authentication tokens and user identifiers
  • LemonSqueezy: Subscription status, payment history, and billing information

2.4 Ghost Blog Member Data

When you connect your Ghost blog, we access and store:

  • Member email addresses
  • Member names (if available)
  • Membership tier information
  • Subscription status

This data is used solely to provide MCP access to your members and enforce your Ghost paywall tiers. We act as a data processor on your behalf for this member data.

3. How We Use Your Information

We use collected information for the following purposes:

3.1 Service Provision

  • Creating and managing your ToastMCP account
  • Connecting to your Ghost blog and synchronizing members
  • Generating and managing API keys for your members
  • Processing MCP requests from your members
  • Enforcing Ghost membership tier access controls
  • Tracking API usage and enforcing plan limits

3.2 Communication

  • Sending transactional emails (account confirmation, member activation, API keys)
  • Providing customer support
  • Sending important service updates and security notices

3.3 Analytics and Improvement

  • Understanding how users interact with our Service
  • Identifying and fixing bugs and performance issues
  • Improving and developing new features

3.4 Legal and Security

  • Complying with legal obligations
  • Protecting against fraudulent or unauthorized activity
  • Enforcing our Terms and Conditions

4. MCP Content Processing and AI Data Flow

Important: This section explains how your Ghost blog content flows through our system to third-party AI assistants when members use the MCP endpoint.

4.1 How Content Is Transmitted

When a member uses their API key to access your Ghost blog through our MCP endpoint:

  1. The member's AI assistant (e.g., Claude, ChatGPT) sends a request to our MCP server
  2. Our server authenticates the member using their API key
  3. We retrieve the requested content from your connected Ghost blog
  4. Content is transmitted to the member's AI assistant for processing
  5. The AI assistant generates responses based on your content

4.2 What Content Is Transmitted

Through the MCP endpoint, the following blog content may be transmitted to AI systems:

  • Blog post titles, content (HTML and/or text), and excerpts
  • Post metadata including publication dates, authors, and slugs
  • Tag names and descriptions
  • Featured image URLs
  • Membership tier restrictions (for paywall enforcement)

We do NOT transmit: Ghost admin credentials, member personal information, payment details, or analytics data.

4.3 Third-Party AI Data Handling

Once your content is transmitted to a third-party AI system, it is subject to that provider's data handling policies:

| AI Provider | Data Retention | Training Use | Privacy Policy |
|---|---|---|---|
| Anthropic (Claude) | Varies by plan | Opt-out available | anthropic.com/privacy |
| OpenAI (ChatGPT) | Varies by plan | Opt-out available | openai.com/privacy |
| Other Providers | Varies | Varies | Check provider's policy |

We strongly recommend that you:

  • Review the privacy policies of AI providers your members may use
  • Inform your members about how their AI usage affects your content
  • Consider whether sensitive content should be excluded from MCP access

4.4 Our Role in Content Transmission

ToastMCP acts as a conduit for content transmission. We:

  • Do: Authenticate requests, enforce access controls, and transmit authorized content
  • Do: Log API usage for billing and analytics purposes
  • Do NOT: Store copies of transmitted blog content beyond caching for performance
  • Do NOT: Control how AI providers process or retain your content
  • Do NOT: Have visibility into AI-generated outputs based on your content

5. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide the Service you requested
  • Legitimate Interests: Processing for service improvement, security, and fraud prevention
  • Consent: Where you have explicitly consented to specific processing
  • Legal Obligations: Processing required to comply with applicable laws

6. Data Sharing and Disclosure

6.1 Service Providers

We share data with third-party service providers who assist in operating our Service:

| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Google Cloud Platform | Infrastructure hosting | All service data | United States |
| Firebase (Google) | Authentication, Firestore database | Account data, user data | United States |
| LemonSqueezy | Payment processing | Billing information | United States |
| Mailgun | Email delivery | Email addresses, email content | United States |
| PostHog | Product analytics (app only) | Anonymous usage data | United States/EU |
| Umami | Website analytics | No personal data | EU |

6.2 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect our rights, privacy, safety, or property.

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change.

6.4 With Your Consent

We may share your information for other purposes with your explicit consent.

7. International Data Transfers

Important: Your data is processed and stored on Google Cloud Platform servers located in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States.

For transfers from the EEA, we rely on:

  • Standard Contractual Clauses approved by the European Commission
  • Google Cloud's compliance with the EU-US Data Privacy Framework

8. Data Retention

We retain your data for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy:

  • Account Data: Retained while your account is active, plus 30 days after deletion request
  • Ghost Member Data: Retained while your Ghost blog is connected, deleted upon disconnection
  • Usage Logs: Retained for 90 days for analytics and troubleshooting
  • Billing Records: Retained for 7 years as required by tax regulations

Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law.

9. Your Privacy Rights

9.1 Rights for All Users

Regardless of your location, you have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data
  • Data Export: Receive your data in a portable format
  • Opt-Out: Opt out of marketing communications

9.2 Additional Rights for EEA Residents (GDPR)

If you are in the European Economic Area, you also have the right to:

  • Restriction: Request restriction of processing in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time (where processing is based on consent)
  • Lodge Complaint: File a complaint with your local data protection authority

9.3 Rights for California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act:

  • Right to Know: Request disclosure of personal information collected, used, and shared
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt out of the sale or sharing of personal information
  • Non-Discrimination: Not receive discriminatory treatment for exercising your rights

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

9.4 Exercising Your Rights

To exercise any of these rights, please contact us at enrico@toastmcp.com. We will respond to your request within 30 days (or sooner if required by applicable law).

For verification purposes, we may ask you to confirm your identity before processing your request.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest
  • Authentication: Secure authentication via Firebase with industry-standard practices
  • Access Controls: Strict access controls and authentication for system access
  • Infrastructure: Enterprise-grade security on Google Cloud Platform
  • API Key Security: Member API keys are hashed and never displayed in full after generation

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

11. Cookies and Tracking

11.1 Marketing Website (toastmcp.com)

Our marketing website uses two analytics tools:

  • Umami Analytics: A privacy-focused analytics platform that does not use cookies, does not collect personal data, does not track users across websites, and is fully GDPR compliant without requiring consent
  • PostHog: For anonymous button click tracking to understand user engagement. PostHog captures button clicks (e.g., "Get Started", "Sign In") with anonymized data to help us improve the website experience. PostHog may use cookies but does not track personal information on the marketing website.

11.2 Application (app.toastmcp.com)

Our application uses:

  • Session Cookies: Essential cookies to maintain your login session (strictly necessary)
  • PostHog: For product analytics and feature usage tracking

PostHog collects anonymous usage data to help us improve the product. You can opt out of PostHog tracking in your account settings.

12. Children's Privacy

Our Service is not intended for children under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately at enrico@toastmcp.com.

13. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

14. Do Not Track Signals

Our website uses privacy-respecting analytics tools. Umami does not track individual users. PostHog is used for anonymous button click tracking only and does not track personal information on the marketing website.

15. Data Processing Agreement

As a ToastMCP user who connects a Ghost blog, you act as the data controller for your Ghost members' data, and ToastMCP acts as a data processor. We process your members' data only according to your instructions and for the purpose of providing the Service.

For enterprise customers requiring a formal Data Processing Agreement (DPA), please contact us at enrico@toastmcp.com.

16. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

  • Posting the updated policy on this page
  • Updating the "Last updated" date
  • Sending an email notification for significant changes

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

17. Contact Us

If you have questions about this Privacy Policy, want to exercise your privacy rights, or have concerns about our data practices, please contact us:

Email: enrico@toastmcp.com

Website: https://toastmcp.com

We aim to respond to all privacy-related inquiries within 30 days.

18. Supervisory Authority

If you are located in the European Economic Area and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

© 2025 ToastMCP. All rights reserved.