1. Information we collect
We collect account information such as your email address, password hash, display name, workspace name, and legal consent timestamps when you create or manage an account.
When you connect an app, we store workspace-scoped app configuration, Swagger URLs, imported OpenAPI documents, generated MCP tool metadata, verification state, and publish state.
If you configure OAuth, we store provider configuration (client ID, encrypted client secret, authorize and token URLs, scopes) and end-user connection metadata. We do not store end-user access or refresh tokens — those are held by the MCP client and passed to FlowCP on each request.
If you publish a server using a shared-credential auth mode instead of per-user OAuth, the credential you configure is stored encrypted at the server level: for the api_key and bearer modes we store the shared key or token you provide; the none mode stores no credential. These modes run without per-user authorization context and are an explicit, opt-in choice for APIs that do not support per-user OAuth.
2. How we use information
We use your information to provide the dashboard, import Swagger files, generate MCP tools, host runtime endpoints, enforce workspace isolation, process OAuth authorization, and write audit logs for tool execution outcomes.
We may also use operational metadata to secure the service, debug failures, improve reliability, prevent abuse, and communicate with workspace owners about important service changes.
3. OAuth tokens and secrets
OAuth client secrets and workspace secrets are encrypted at rest using AES-256-GCM. End-user access tokens and refresh tokens for your connected APIs are never stored by FlowCP — the MCP client (Claude, Cursor, etc.) holds them and presents them on every tool call. If a token expires, FlowCP propagates the 401 back to the MCP client to re-authorize. Servers using a shared-credential auth mode (see Section 1) deliberately forgo this per-user context and instead use the encrypted credential you configured.
The one exception to end-user token storage is an optional Git integration: if you connect one, that integration's own refresh token is stored encrypted at rest using AES-256-GCM so we can keep the connection active on your behalf.
We redact sensitive headers, request bodies, and secret values from application logs. We do not intentionally log raw authorization credentials.
4. Sharing and subprocessors
We do not sell personal information. We may share information with infrastructure, hosting, database, observability, and communications providers solely to operate FlowCP. These providers are expected to protect information and use it only for contracted service purposes.
We may disclose information if required by law, to protect rights and safety, to investigate abuse, or in connection with a merger, acquisition, financing, or sale of assets.
5. Retention and deletion
We retain account, workspace, app, import, and tool information while your workspace is active or as needed to provide the service, comply with legal obligations, resolve disputes, and enforce agreements. You can request deletion of account or workspace data by contacting us.
Tool execution and audit logs are retained for 30 days and then deleted. These logs identify an end user only by a truncated SHA-256 connection hash — never by a raw token or identity — and never include access tokens, request or response bodies, or personally identifiable information beyond that hash.
6. Security
We use technical and organizational safeguards intended to protect information, including encrypted secret storage, signed sessions, OAuth CSRF protection, fail-closed authorization behavior, and workspace-scoped data access patterns. No system can be guaranteed completely secure.
7. Your choices
You may update account details from the dashboard, disconnect OAuth connections, revoke access from your API provider or FlowCP where supported, and contact us to request access, correction, export, or deletion of personal information.
8. Contact
Questions about this policy can be sent to hello@flowcp.ai.