$ privacy
Effective date: 2026-04-07
Undisk MCP is operated by Kiarash Adl, a Texas resident using the Undisk MCP business name and not a separately identified registered Texas business entity unless later designated in writing.
# Minimal collection
Undisk collects and processes data only as needed to create accounts, authenticate users and machines, store and version files, audit workspace actions, enforce limits and billing, operate backups, and run optional diagnostics.
No advertising cookies, tracking pixels, or external browser font requests are evidenced in the current UI code.
# Data categories
| Category | Repository-backed data points | Purpose |
|---|---|---|
| Account and auth | Name, email, password/auth data, email-verification and reset records, optional GitHub OAuth linkage | Account creation, login, verification, reset, and session security |
| Session and device | Session token/cookie state, expiry, IP address, user agent, timestamps | Session management, fraud detection, and account security |
| API and machine auth | API key hashes/prefixes, OAuth token hashes, scopes, expiry, revocation, last-used timestamps | Machine access, rotation, revocation, and scoped authorization |
| Workspace and billing | Workspace IDs, names, providers, status, tier records, Stripe customer/subscription IDs | Provisioning, routing, paid plans, billing, and grace-period handling |
| Files and versions | File paths, file contents, hashes, sizes, version history, tombstones, timestamps | Core storage, restore, diff, deduplication, and search features |
| Audit and admin | Agent/principal IDs, request IDs, transport type, policy results, anomaly alerts, usage and storage metrics | Tamper-evident auditing, abuse controls, and admin reporting |
| Rate limiting and diagnostics | IP-derived OAuth rate-limit keys, request/error logs, debug-only traces and logs | Abuse prevention, troubleshooting, reliability, and performance diagnostics |

Important clarification. The audit schema supports an optional IP field, but the main gateway flow in this repository does not populate that field for ordinary MCP requests.

Workspace content. If you or your agents place personal data into files, Undisk will process that content because the service is a file workspace by design.
# Cookies and session tech
The repository evidences authentication/session cookies only. Session cookies are configured as Secure, HttpOnly, and SameSite=Lax with a 30-day session lifetime and daily refresh behavior.
# Third-party services
| Third party | Role | Data involvement |
|---|---|---|
| Cloudflare | Primary hosting and data infrastructure | Workers, D1, Durable Objects, KV, R2, routing, WebSockets, optional observability |
| Fastly | Optional alternate workspace backend | Workspace data for Fastly-assigned workspaces |
| Stripe | Billing processor | Checkout, portal, and subscription lifecycle data |
| GitHub | Optional social login and CI/CD provider | OAuth account linkage and repository/deployment workflows |
| Grafana Cloud | Debug-only observability destination | Optional log/trace telemetry when debug deploys are enabled |
# Security controls evidenced in code
1. HSTS, nosniff, frame-deny, referrer, permissions, and CSP response headers.
2. Secure, HttpOnly, SameSite session cookies.
3. SHA-256 hashing for API keys, OAuth tokens, content hashes, and audit-chain integrity.
4. HMAC-SHA256 verification for Stripe webhooks.
5. Path validation, scope checks, workspace ownership checks, secret scanning, rate limiting, and policy enforcement.
6. Daily D1 backups to Cloudflare R2 with the last 30 snapshots retained.

The repository evidences backup creation and cryptographic hashing, but it does not evidence application-level encryption of the SQL backup dump before it is written to R2.
# Retention
| Data set | Retention evidenced in code |
|---|---|
| Sessions | 30-day TTL, refreshed daily |
| OAuth access tokens | 1 hour |
| OAuth refresh tokens | 30 days from creation |
| Auth/workspace cache | 5 minutes |
| OAuth IP rate-limit keys | About 2 minutes |
| Soft-deleted workspaces | 30-day recovery window |
| D1 backups | Last 30 snapshots retained |
| Audit logs - Free / Pro / Team / Enterprise | 7 days / 180+365 days / 365+730 days / 3650+3650 days |
# Privacy rights
Subject to applicable law, you may request access, correction, deletion, restriction, portability, or objection. California residents may request to know, correct, or delete personal information. Based on the repository evidence, Undisk does not sell personal information and does not share it for cross-context behavioral advertising.
# International processing
Undisk uses global infrastructure providers, including U.S.-based processing. Cross-border processing may occur as needed to operate the service.