Privacy Policy

This Privacy Policy describes how Holladay Digital LLC ("we", "us", or "our") collects, uses, and shares information in connection with your use of BlitzMCP (https://blitzmcp.net). By using the service, you agree to the practices described here.

1. Information We Collect

Account information

When you create an account, we collect your email address and any profile information you provide. Authentication is handled by Supabase Auth; we do not store plaintext passwords.

Usage data

We log API calls made through the gateway, including timestamps, MCP server identifiers, tool names, response status codes, and token usage counts. We do not log the content of upstream API requests or responses by default.

Billing information

Payment processing is handled by Stripe. We do not store full card numbers or bank account details. We receive and store billing metadata from Stripe, including subscription status, plan type, and transaction identifiers.

Uploaded content

We store API specifications, tool manifests, and credentials you upload. Upstream API credentials are encrypted at rest using Supabase Vault (AES-256 via pgsodium). We access credential values only to execute API calls on your behalf.

Technical data

We collect standard server logs including IP addresses, browser user agents, referring URLs, and error traces. This data is used for security monitoring, debugging, and abuse prevention.

2. How We Use Your Information

• To provide, operate, and improve the service;
• To process payments and manage your subscription;
• To send transactional emails (account confirmation, billing receipts, usage alerts);
• To detect and prevent fraud, abuse, and security incidents;
• To respond to your support requests;
• To comply with legal obligations.

We do not sell your personal information. We do not use your data to train AI models or share it with advertising networks.

3. Information Sharing

We share your information only in these limited circumstances:

• Service providers. We use Supabase (database and auth), Stripe (payments), and Amazon Web Services (hosting and secrets management). These providers process data on our behalf and are contractually bound to protect it.
• Legal requirements. We may disclose information if required by law, court order, or to protect the rights and safety of Holladay Digital LLC, our users, or the public.
• Business transfers. If Holladay Digital LLC is acquired or merges with another entity, your information may be transferred as part of that transaction. We will notify you before your data is subject to a materially different privacy policy.

4. Data Retention

We retain your account data for as long as your account is active. Usage event logs are retained for 12 months and then deleted. If you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal or financial compliance purposes (e.g., billing records are kept for 7 years per tax law).

5. Security

We use industry-standard security measures including TLS in transit, AES-256 encryption for credentials at rest, hashed API tokens (SHA-256), and row-level security on all database tables. No method of transmission or storage is 100% secure. We will notify affected users of any data breach as required by applicable law.

6. Cookies, Analytics and Session Recording

We use strictly necessary cookies to maintain your authenticated session. We do not use advertising or cross-site tracking cookies.

We use PostHog (posthog.com) for product analytics and session recording. This includes page views, feature usage, and anonymised session replays to help us improve the product. All form inputs — including passwords and API keys — are masked and never captured in recordings. PostHog data is stored on US-based servers. You can review PostHog's privacy practices at posthog.com/privacy.

To opt out of analytics and session recording, you can disable JavaScript or use a browser extension such as an ad blocker that blocks PostHog's tracking script.

7. Your Rights

Depending on your location, you may have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate data.
• Deletion: Request deletion of your account and associated data.
• Portability: Request an export of your data in a machine-readable format.
• Objection: Object to certain processing activities.

To exercise any of these rights, email us at contact@blitzmcp.net. We will respond within 30 days.

8. Children's Privacy

The service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us and we will delete it promptly.

9. International Transfers

BlitzMCP is operated from the United States. If you are located outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country. By using the service, you consent to this transfer.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice in the service at least 14 days before they take effect. Your continued use of the service after that date constitutes your acceptance of the updated policy.

11. Contact

Privacy questions or requests should be directed to: