Privacy Policy

Last updated: April 13, 2026

1. Information We Collect

We collect the following types of information:

  • Account information (name, email) when you sign in via Google — on the website or through MCP OAuth
  • Usage data (pages visited, search queries, features used)
  • Contact form submissions (name, email, message)
  • Device and browser information for analytics

2. MCP Server & API Data

When you use the Tapetide MCP server (mcp.tapetide.com) through AI assistants such as ChatGPT, Claude, Cursor, or other MCP-compatible clients, we collect:

  • Authentication data: Your email address obtained via Google OAuth during the MCP connection flow. We do not store your Google password or Google access tokens.
  • Tool call metadata: Which MCP tools you invoke (e.g., search_stocks, get_stock_quote), timestamps, and response latency — used for rate limiting, usage tracking, and service improvement.
  • Rate limiting counters: Per-user request counts stored temporarily to enforce hourly and daily rate limits.
  • OAuth client registrations: When an MCP client (e.g., ChatGPT, Claude) dynamically registers via the /register endpoint, we store the client name and redirect URIs for 90 days.
  • Refresh tokens: Opaque refresh tokens stored in our database to maintain your MCP session. You can revoke these at any time from your account settings.

We do not collect or store:

  • The content of your conversations with AI assistants
  • Your prompts or questions sent to the AI
  • Any data from the AI platform itself (ChatGPT, Claude, etc.)
  • Google access tokens or passwords
  • Internal session IDs, trace IDs, or debug telemetry in tool responses

3. How We Use Your Information

  • To provide and improve the Platform's features
  • To manage your watchlist and personalized experience
  • To respond to your inquiries and support requests
  • To analyze usage patterns and improve performance
  • To send important service-related communications
  • To enforce rate limits and prevent abuse of the MCP server and API
  • To track aggregated tool usage for service improvement (e.g., which tools are most popular)

4. Authentication

We use Google OAuth 2.1 for authentication across both the website (via Firebase) and the MCP server. Your Google credentials are handled directly by Google — we do not store your Google password or Google access tokens. We receive and store your display name, email address, and profile photo URL.

For MCP connections, authentication works through an OAuth 2.1 flow with PKCE. When you connect via an AI assistant (ChatGPT, Claude, etc.), you are redirected to Google to sign in. We issue our own opaque access and refresh tokens — your Google tokens are never exposed to the AI platform or stored beyond the initial exchange.

5. Cookies and Analytics

We use cookies and similar technologies to:

  • Remember your preferences (e.g., dark mode)
  • Maintain your authentication session
  • Collect anonymous usage analytics via PostHog

The MCP server does not use cookies. MCP authentication is handled entirely via Bearer tokens in HTTP headers.

6. Data Sharing

We do not sell your personal information. We may share data with:

  • Firebase/Google for authentication services
  • PostHog for aggregated usage analytics (self-hosted, EU-based)
  • Sentry for frontend error tracking
  • Law enforcement when required by applicable law

7. Data Returned by MCP Tools

When you use Tapetide through an AI assistant, our MCP tools return only publicly available Indian stock market data. Specifically:

  • Stock prices, financial statements, shareholding patterns, analyst ratings, forecasts, and corporate actions
  • Market data such as FII/DII flows, bulk deals, F&O ban lists, IPO subscriptions, and index valuations
  • Stock screener results based on your filter criteria

MCP tool responses do not contain:

  • Your personal information (email, name, account ID)
  • Internal identifiers (session IDs, trace IDs, request IDs)
  • Authentication tokens, keys, or secrets
  • Telemetry, debug payloads, or internal logs

All data returned by MCP tools is read-only market data. No tool modifies, creates, or deletes any data.

8. Data Security

We implement reasonable security measures to protect your information, including:

  • Encrypted connections (HTTPS/TLS) for all communications
  • OAuth 2.1 with PKCE for MCP authentication
  • HMAC-SHA256 signed access tokens (stateless, short-lived)
  • Cryptographically random opaque refresh tokens
  • Per-user rate limiting to prevent abuse
  • Access controls and principle of least privilege

However, no method of transmission over the Internet is 100% secure.

9. Data Retention

We retain your account data for as long as your account is active. Contact form submissions are retained for up to 2 years. You may request deletion of your data by contacting us.

  • MCP OAuth refresh tokens are retained until revoked by you or for up to 1 year of inactivity
  • MCP access tokens expire after 1 hour and are not stored server-side
  • Rate limiting counters are temporary and reset hourly/daily
  • Dynamic client registrations expire after 90 days
  • Tool call usage logs are retained for up to 1 year for analytics

10. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Withdraw consent for data processing
  • Revoke MCP refresh tokens and disconnect AI assistants at any time via your account settings

11. Third-Party AI Platforms

When you use Tapetide through a third-party AI platform (such as ChatGPT, Claude, Cursor, or others), that platform's own privacy policy governs how it handles your conversations, prompts, and data. Tapetide is not responsible for the data practices of third-party AI platforms. We recommend reviewing the privacy policy of any AI platform you use with Tapetide.

Tapetide only receives MCP tool call requests (tool name and parameters) from these platforms — we do not receive or process your conversational context, prompts, or any other data from the AI platform.

12. Children's Privacy

The Platform is not intended for users under the age of 18. We do not knowingly collect personal information from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on the Platform.

14. Contact

For privacy-related inquiries, please contact us or email [email protected].