Privacy Policy

Last Updated: January 2025

1. Introduction

This Privacy Policy explains how MCP Sheet Filler ("Service") handles information when you use our open-source MCP server for managing tabular data with Google Sheets.

2. Information We Collect

2.1 User Identity

When using HTTP transport, we collect your email address from your Google OAuth token for the purpose of:

  • Authenticating requests
  • Per-user token isolation (if separate auth flow is used)

2.2 Optional Debug Logging

If the DEBUG_LOG environment variable is configured by the server operator, the Service may log:

  • Tool invocations and operations performed
  • Error messages and stack traces
  • Timestamps of operations

Debug logs do NOT contain:

  • Field values or cell contents from your spreadsheets
  • OAuth tokens or credentials
  • Personal data beyond what is necessary for debugging

3. Information We Do NOT Collect

The Service does NOT:

  • Store your spreadsheet data on our servers
  • Track your usage with cookies or analytics
  • Collect browsing history or device information
  • Share any information with third parties (beyond Google APIs)

4. Data Storage

4.1 Your Data Location

All your tabular data is stored in Google Sheets documents that you own and control. The Service acts as a bridge to read and write this data but does not retain copies.

4.2 Token Handling

HTTP Transport (Remote Deployment):

  • OAuth access tokens are validated per-request
  • Tokens are NOT stored on the server (neither on disk nor in persistent memory)
  • Each request is authenticated independently
  • This design prevents the server operator from accessing your Google credentials

5. Third-Party Services

The Service integrates with Google services:

5.1 Google Sheets API

5.2 Google OAuth 2.0

  • Used for authentication
  • Token validation performed via Google's tokeninfo endpoint
  • Subject to Google's Privacy Policy

6. Data Retention

6.1 Spreadsheet Data

Your data is retained in your Google Sheets according to your Google account settings. The Service does not control data retention in Google Sheets.

6.2 Debug Logs

If debug logging is enabled by the server operator:

  • Log retention is controlled by the server operator
  • Logs are stored locally on the server where the Service runs

7. Your Rights

7.1 Data Access and Portability

  • Your data is stored in Google Sheets, which you fully control
  • You can export, modify, or delete your data at any time through Google Sheets
  • You can revoke the Service's access to your Google account at any time via Google Account Permissions

7.2 GDPR and CCPA Rights

Since your data is stored in Google Sheets:

  • Data subject rights (access, correction, deletion, portability) are exercised through Google
  • See Google's Privacy Policy for details on exercising your rights

7.3 Token Revocation

You can revoke access at any time:

  1. Visit Google Account Permissions
  2. Find "MCP Sheet Filler" (or the OAuth app name)
  3. Click "Remove Access"

8. Security

The Service implements security measures including:

  • RFC 9728 MCP Authorization compliance
  • Token validation via Google's tokeninfo endpoint
  • Per-user authentication isolation
  • No server-side token storage (HTTP mode)

9. Children's Privacy

The Service is not intended for use by children under 13 years of age. We do not knowingly collect information from children under 13.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be indicated by updating the "Last Updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

For questions about this Privacy Policy, please: