$ privacy
Effective date:
Undisk MCP is currently operated by Kiarash Adl, a Texas resident using the Undisk MCP business name.
If we later designate a successor entity in writing, references to Undisk MCP, “we,” “us,” or “our” include that successor for periods after the designation becomes effective.
# Minimal collection
Undisk collects and processes data only as needed to create accounts, authenticate users and machines, store and version files, audit workspace actions, enforce limits and billing, operate backups, and run optional diagnostics.
No advertising cookies, tracking pixels, or external browser font requests are evidenced in the current UI code.
# Roles and responsibilities
Workspace content. For files and other content that you or your agents place into a workspace, you or the organization you act for generally decide what personal data is processed and why. In that context, you are typically the controller or business deciding the processing, and Undisk processes that content on your behalf to host, version, back up, search, secure, and transmit it as part of providing the service.
Service-operation data. For account registration, billing, authentication, fraud prevention, abuse detection, security logging, support, and legal-compliance records, Undisk acts as an independent controller or business for its own operational purposes.
Important limit. This practical allocation is provided for clarity only and does not replace a separate data processing agreement where one is required.
# Data categories
| Category | Repository-backed data points | Purpose |
|---|---|---|
| Account and auth | Name, email, password/auth data, email-verification and reset records, optional social OAuth linkage | Account creation, login, verification, reset, and session security |
| Session and device | Session token/cookie state, expiry, IP address, user agent, timestamps | Session management, fraud detection, and account security |
| API and machine auth | API key hashes/prefixes, OAuth token hashes, scopes, expiry, revocation, last-used timestamps | Machine access, rotation, revocation, and scoped authorization |
| Workspace and billing | Workspace IDs, names, providers, status, tier records, billing customer/subscription IDs | Provisioning, routing, paid plans, billing, and grace-period handling |
| Files and versions | File paths, file contents, hashes, sizes, version history, tombstones, timestamps | Core storage, restore, diff, deduplication, and search features |
| Audit and admin | Agent/principal IDs, request IDs, transport type, policy results, anomaly alerts, usage and storage metrics | Tamper-evident auditing, abuse controls, and admin reporting |
| Rate limiting and diagnostics | IP-derived OAuth rate-limit keys, request/error logs, debug-only traces and logs | Abuse prevention, troubleshooting, reliability, and performance diagnostics |
Important clarification. The audit schema supports an optional IP field, but the main gateway flow in this repository does not populate that field for ordinary MCP requests.
Workspace content. If you or your agents place personal data into files, Undisk will process that content because the service is a file workspace by design.
# Cookies and session tech
The repository evidences authentication/session cookies only. Session cookies are configured as Secure, HttpOnly, and SameSite=Lax with a 30-day session lifetime and daily refresh behavior.
# How data is used
1. Account creation, authentication, and credential security.
2. File storage, versioning, restore, diff, and search workflows.
3. Audit trails, policy enforcement, rate limits, abuse controls, and diagnostics.
4. Billing, subscription lifecycle handling, and service administration.
5. Legal compliance, backup operations, and protection of the service and its users.
# Third-party services
| Third party | Role | Data involvement |
|---|---|---|
| Cloudflare | Primary hosting and data infrastructure | Workers, D1, Durable Objects, KV, R2, routing, WebSockets, optional observability |
| Fastly | Optional alternate workspace backend | Workspace data for Fastly-assigned workspaces |
| Polar | Billing processor (Merchant of Record) | Checkout, portal, and subscription lifecycle data |
| OAuth identity providers | Optional social login providers (for example GitHub, Google, Microsoft, Discord) | OAuth account linkage and sign-in via configured providers |
| Grafana Cloud | Debug-only observability destination | Optional log/trace telemetry when debug deploys are enabled |
# Security controls evidenced in code
1. Strict-Transport-Security (HSTS), X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy, Permissions-Policy, and Content-Security-Policy response headers.
2. Secure, HttpOnly, SameSite session cookies.
3. SHA-256 hashing for API keys, OAuth tokens, content hashes, and audit-chain integrity.
4. HMAC-SHA256 signature verification for Polar webhooks, following the Standard Webhooks spec (webhook-id, webhook-timestamp, and webhook-signature headers computed over the raw request body).
5. Path validation, scope checks, workspace ownership checks, secret scanning, rate limiting, and policy enforcement.
6. AI content moderation (Cloudflare Workers AI / Llama Guard 3) for safety scanning of file writes.
7. Daily D1 backups to Cloudflare R2 with the last 30 snapshots retained.
The repository evidences backup creation and cryptographic hashing, but it does not evidence application-level encryption of the SQL backup dump before it is written to R2.
# Artificial intelligence and your data
We use AI in one narrow capacity: content moderation. Uploaded files may be evaluated by an AI safety model to detect harmful material.
✓ We do not use your file content to train third-party AI or large language models.
✓ We do not use your file content to train our own general-purpose AI models.
✓ We do not sell, license, or provide your content to any third party for AI model training.
✓ We do not use your file content for advertising, profiling, or behavioral targeting.
# Interactive UI Components (MCP Resources)
When you interact with visual UI components provided by Undisk within third-party AI hosts (such as ChatGPT or Claude), data rendered in those iframes is transmitted directly from Undisk's servers to your browser rather than through the AI model's text context window. Your interaction remains subject to the AI host's iframe sandboxing policies and to that provider's own privacy practices.
# Children's privacy and age requirements
Undisk is not directed to children under 13 and is not designed for use by minors. You may use the service only if you are old enough to consent to online services where you live. If local law requires a higher minimum age than 13, that higher age applies.
If we learn that a child's personal data has been provided to the service without lawful authorization, we will take reasonable steps to delete it.
# Law enforcement and government requests
We will not voluntarily disclose your private files to law enforcement or government agencies. If we receive a legally binding request, we will evaluate it for validity, notify you unless legally prohibited, and limit disclosure to only the data compelled.
Encryption note. Undisk does not currently implement client-side or end-to-end encryption. Files use platform-level encryption at rest from our infrastructure partners. If compelled by a valid legal order, we have the technical ability to produce file content.
# Data portability
You may export your files at any time using the MCP tools (read_file, list_files, search_files) or the web file browser at /files. We do not artificially restrict your ability to retrieve or migrate your content.
# Retention
| Data set | Retention evidenced in code |
|---|---|
| Sessions | 30-day TTL, refreshed daily |
| OAuth access tokens | 1 hour |
| OAuth refresh tokens | 30 days from creation |
| Auth/workspace cache | 5 minutes |
| OAuth IP rate-limit keys | About 2 minutes |
| Soft-deleted workspaces | 30-day recovery window |
| D1 backups | Last 30 snapshots retained |
| Audit logs - Free / Pro / Team / Enterprise | 30 days / 180+365 days / 365+730 days / 3650+3650 days |
# Legal bases for processing
Where GDPR-style laws apply, we generally rely on performance of a contract, legitimate interests, compliance with legal obligations, and consent where a feature specifically requires it.
# Privacy rights
Subject to applicable law, you may request access, correction, deletion, restriction, portability, or objection. California residents may request to know, correct, or delete personal information. Based on the repository evidence, Undisk does not sell personal information and does not share it for cross-context behavioral advertising.
Requests involving workspace content may need to be directed through the workspace owner, employer, or administrator who decided to place that content in the service.
# California privacy disclosures
To the extent California privacy law applies, we collect the categories of information described above for the business purposes described above, we do not sell personal information for money, and based on the repository evidence we do not share it for cross-context behavioral advertising.
# International processing
Undisk uses global infrastructure providers, including U.S.-based processing. Cross-border processing may occur as needed to operate the service.
# Sensitive or regulated data
Do not assume Undisk is suitable for regulated, mission-critical, or high-risk data merely because technical controls exist. If you need regulated-data terms, dedicated residency commitments, or a separate processing agreement, do not proceed without a separate written agreement.
# Changes to this policy
1. If we make a material change, we will use reasonable efforts to give advance notice by email, in-product notice, or both.
2. If a change is non-material, we may update the policy by posting the revised version with a new effective date.
3. If applicable law requires affirmative consent for a specific update, we will obtain it before that update applies.