Privacy Policy

Last updated: January 7, 2026

1. Introduction

MCP Security Score is operated by Low Latency Labs ("we," "our," or "us"). We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our security scanning service at mcpscanner.com (the "Service").

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

Contact: For privacy inquiries, email us at hello@lowlatencylabs.app.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address (required for authentication)
  • Full name (optional, if provided)
  • Password (securely hashed, never stored in plain text)

2.2 Scan Data

When you use our scanning service, we collect:

  • GitHub repository URLs you submit for scanning
  • Security scan results including findings, scores, and grades
  • AI-generated analysis and recommendations
  • Timestamps of when scans were performed

Important: We temporarily clone public repositories to perform analysis. During analysis, relevant code snippets are sent to Anthropic's Claude API for security assessment. Repository code is deleted from our servers immediately after the scan completes and is never permanently stored.

2.3 Usage Data

We automatically collect certain information when you use our Service:

  • IP address and approximate location
  • Browser type and version
  • Pages visited and time spent on pages
  • Referring website or source
  • Device information (type, operating system)

2.4 Payment Information

For paid subscriptions, payment processing is handled entirely by Stripe. We do not store your credit card numbers or banking information. We only receive:

  • Stripe customer ID (for linking your subscription)
  • Subscription status (active, canceled, etc.)
  • Billing email address

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our security scanning service
  • Create and manage your account
  • Process your transactions and manage subscriptions
  • Send you scan results and security reports via email (if enabled)
  • Respond to your inquiries and provide customer support
  • Monitor usage patterns to improve our service
  • Detect and prevent fraud or abuse of our Service
  • Comply with legal obligations

3.1 Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your data based on:

  • Contract: To provide the Service you requested
  • Legitimate Interest: To improve our Service and prevent fraud
  • Consent: For marketing communications (which you can withdraw anytime)
  • Legal Obligation: To comply with applicable laws

4. Information Sharing

We do not sell your personal information. We only share your information in the following circumstances:

  • Service Providers: With third-party vendors who assist in operating our Service (listed in Section 5)
  • Legal Requirements: When required by law, subpoena, or legal process
  • Safety: To protect the rights, safety, or property of our users or the public
  • Business Transfers: In connection with a merger, acquisition, or sale of assets

5. Third-Party Services

We use the following third-party services to operate our platform:

5.1 Supabase (Authentication & Database)

We use Supabase for user authentication and data storage. Your account information and scan results are stored on Supabase's secure infrastructure. See Supabase's Privacy Policy.

5.2 Stripe (Payment Processing)

We use Stripe for subscription billing and payment processing. Stripe handles all payment information directly—we never see or store your card details. See Stripe's Privacy Policy.

5.3 Anthropic Claude API (AI Analysis)

We use Anthropic's Claude API to perform AI-powered security analysis. Code snippets from scanned repositories are sent to Claude for analysis. See Anthropic's Privacy Policy for their data handling practices.

5.4 Vercel (Hosting)

Our application is hosted on Vercel. Vercel may collect standard web server logs. See Vercel's Privacy Policy.

6. Data Retention

We retain your data as follows:

  • Account Data: Retained until you delete your account
  • Scan Results: Retained for up to 1 year for paid subscribers, 90 days for the free tier
  • Repository Code: Deleted immediately after scan completion (never stored on our servers; snippets sent to Claude API during analysis)
  • Usage Logs: Retained for up to 90 days
  • Payment Records: Retained as required by tax and accounting laws (typically 7 years)

You may request deletion of your data at any time through your account settings or by contacting us at hello@lowlatencylabs.app.

7. Your Rights

Depending on your location, you may have the following rights:

7.1 Access

You can access your personal data through your account dashboard or by requesting a data export.

7.2 Correction

You can update your account information at any time through your account settings.

7.3 Deletion

You can delete your account and all associated data through your account settings. This action is irreversible and will delete all your scan history.

7.4 Data Portability

You can export your data in JSON format through your account settings.

7.5 Opt-Out

You can opt out of marketing emails by clicking the unsubscribe link in any email or updating your preferences in account settings.

7.6 Withdraw Consent

Where we rely on consent to process your data, you may withdraw that consent at any time.

8. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You can request information about the personal data we collect, use, and disclose
  • Right to Delete: You can request deletion of your personal data
  • Right to Correct: You can request correction of inaccurate personal data
  • Right to Opt-Out: You can opt out of the sale or sharing of your personal data
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

We do not sell or share your personal information for cross-context behavioral advertising as defined by the CCPA/CPRA.

To exercise your California privacy rights, contact us at hello@lowlatencylabs.app or use the controls in your account settings.

9. Cookies and Tracking

We use the following types of cookies:

  • Essential Cookies: Required for authentication and core functionality. These cannot be disabled.
  • Preference Cookies: Remember your settings like dark/light mode theme.
  • Analytics Cookies: Help us understand how visitors use our site (you can opt out of these).

You can manage your cookie preferences when you first visit our site or through your browser settings. Note that disabling certain cookies may affect functionality.

10. Data Security

We implement appropriate security measures to protect your data:

  • All data is encrypted in transit using HTTPS/TLS 1.3
  • Data at rest is encrypted using AES-256 encryption
  • Passwords are hashed using bcrypt (never stored in plain text)
  • Access to production systems is restricted and logged
  • We use Row-Level Security (RLS) to ensure users can only access their own data
  • We conduct regular security audits and vulnerability assessments

While we strive to protect your data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

11. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify affected users within 72 hours of becoming aware of the breach
  • Provide details about what information was affected
  • Describe the steps we are taking to address the breach
  • Offer guidance on steps you can take to protect yourself
  • Report to relevant authorities as required by law

12. Children's Privacy

Our Service is not intended for individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information promptly.

13. International Data Transfers

Your information may be transferred to and processed in the United States and other countries where our service providers operate. These countries may have different data protection laws than your country of residence.

When we transfer data from the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions where applicable
  • Other legally approved transfer mechanisms

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last updated" date
  • Sending an email notification for significant changes

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Operated by: Low Latency Labs
Product: MCP Security Score

See also our Terms of Service