Privacy Policy

Last updated: March 1, 2026

1. Introduction

Warpgate ("we", "us", "our") operates the MCP gateway service at usewarpgate.com. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.

2. Information We Collect

Account Information

When you register, we collect your name, email address, and password. Your password is securely hashed and never stored in plain text.

Two-Factor Authentication

If you enable two-factor authentication, we store the encrypted TOTP secret and recovery codes necessary to verify your identity.

Team and Collaboration Data

We store team names, membership roles, and invitation details (email address, role, expiration) that you create through the Service.

MCP Server Configuration

We store the server URLs, authentication credentials, and configuration you provide when connecting upstream MCP servers. Authentication credentials and sensitive environment variables are encrypted at rest.

Endpoints and Bearer Tokens

When you create an endpoint, we store its name, slug, scoped server list, creator, and expiration date. The bearer token attached to each endpoint is hashed before storage; the plain-text value is shown once at creation and is not stored.

Audit Logs

We log MCP requests that pass through the gateway, including: the tool called, request parameters, response summaries, your IP address, timestamps, and processing duration. Audit logs are retained to help you monitor and debug your MCP usage.

Tunnel Agent Data

If you use tunnel agents, we record the agent name, connection status, IP address, and connection timestamps.

Chat Conversations

If you use the built-in chat feature to test tool calls, we store your conversation history and messages within your team workspace.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Authenticate your identity and manage access control
  • Proxy MCP requests to your configured upstream servers
  • Enforce middleware rules (rate limiting, caching, transformation) that you configure
  • Generate audit logs for your review
  • Send transactional emails (verification, password reset, team invitations)
  • Monitor and protect against abuse, fraud, or security threats

We do not sell your personal information. We do not use your MCP request data to train machine learning models.

4. Data Passing Through the Gateway

Warpgate acts as a proxy between MCP clients and upstream servers. Request and response payloads pass through our infrastructure. We log request metadata and response summaries in audit logs, but we do not retain full response bodies beyond what is necessary for the audit log feature.

If you configure caching middleware, cached responses are stored temporarily according to the cache duration you set.

5. Data Security

We take reasonable measures to protect your data, including:

  • Hashing passwords with bcrypt
  • Encrypting sensitive fields (server credentials, environment variables, 2FA secrets) at rest
  • Hashing endpoint bearer tokens so plain-text values are never stored
  • Enforcing rate limiting on authentication and API endpoints
  • Supporting two-factor authentication for account security

While we strive to protect your information, no method of transmission or storage is completely secure. You are responsible for keeping your credentials and endpoint bearer tokens safe.

6. Third-Party Services

We may use third-party services to send transactional emails (such as account verification and password reset emails). These providers process your email address solely for the purpose of delivering messages on our behalf.

When you connect upstream MCP servers that require OAuth authentication, the OAuth flow is conducted directly between Warpgate and the upstream provider. We store the resulting credentials in encrypted form to maintain your connection.

7. Data Retention

We retain your account data for as long as your account is active. Audit logs are retained according to your team's configuration. If you delete your account, we will remove your personal data within a reasonable timeframe, except where retention is required by law.

Stale tunnel agent connections are automatically cleaned up by the system.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and associated data
  • Export your data in a portable format
  • Object to or restrict certain processing of your data

To exercise any of these rights, contact us at the email address below.

9. Cookies and Sessions

We use session cookies to keep you logged in and to protect against cross-site request forgery. We do not use third-party tracking cookies or analytics scripts.

10. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this page. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact

If you have questions about this Privacy Policy, please contact us at [email protected].