01 Scope and Who We Are
This Policy applies to personal data that Trends MCP processes as a data controller when you visit trendsmcp.ai, register an account, obtain an API key, call the API, connect via the MCP protocol, or otherwise interact with the Service.
Contact details for the controller:
- Trends MCP
- Location: Delaware, United States
- Email (privacy): [email protected]
- Email (general): [email protected]
- Web: trendsmcp.ai
When you use the Service as an end-user of a product that was built on the Service by someone else, that other party is typically the controller of your personal data, and this Policy does not govern their processing. Please consult their privacy notice.
02 Data We Collect
Account and billing data
- Your email address (required to register).
- An encrypted password hash, or a token from a third-party identity provider.
- Billing information for paid plans, including name, billing address, VAT/tax ID (if supplied), and the last four digits and brand of your payment card. Full card numbers are handled by our payment processor and are never stored by us.
- Invoicing history and receipts.
API and usage data
- Your API keys (stored in a hashed, non-reversible form).
- The endpoints you call, timestamps, HTTP status codes, latency, response size, and request identifiers.
- Request parameters and query contents, including the keywords, sources, time ranges, and other arguments you pass to the Service. Queries are treated as potentially sensitive and are protected accordingly.
- Error logs and crash traces.
Technical data
- IP address, approximate geolocation derived from it, HTTP user-agent, device and browser characteristics, and referring URL.
- Cookie identifiers and local-storage keys used for session management and CSRF protection.
Communications
- Emails you send us, including any attachments.
- Survey responses and support-ticket contents.
Marketing (opt-in only)
- If you opt in to product updates, we store your email and your opt-in status. You can unsubscribe at any time from any email we send.
Special-category data
We do not intentionally collect special categories of personal data (e.g. health, political opinions, religious beliefs, biometrics). Do not submit such data to the API.
03 How We Collect It
- Directly from you when you create an account, enter billing details, make an API request, or email us.
- Automatically from your device and network, via server logs, analytics events, and cookies.
- From third parties, including our payment processor, our identity providers (if you use social login), and anti-abuse services such as Google reCAPTCHA.
04 Why We Process It (Purposes and Legal Bases)
Under the EU / UK GDPR, we rely on the following legal bases. Other applicable laws (such as the CCPA/CPRA) are addressed in their own sections below.
| Purpose | Legal basis (GDPR Art. 6) | Example |
|---|---|---|
| Provide and operate the Service | Contract (Art. 6(1)(b)) | Authenticating your API key, routing your request, returning a response. |
| Billing and financial reporting | Contract & Legal obligation (Art. 6(1)(b) and (c)) | Charging your card, issuing an invoice, keeping tax records. |
| Abuse prevention, rate limiting, and security | Legitimate interest (Art. 6(1)(f)) | Throttling brute-force activity, mitigating DDoS attacks, investigating suspected fraud. |
| Product improvement and analytics | Legitimate interest (Art. 6(1)(f)) | Aggregate dashboards showing which endpoints are used, latency percentiles, error rates. We do not use query contents for product improvement without your consent. |
| Customer support | Contract / Legitimate interest | Reading and answering a support ticket. |
| Marketing communications | Consent (Art. 6(1)(a)) or Legitimate interest, where permitted | Product-update email, with unsubscribe in every message. |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) | Responding to valid legal requests, record-keeping, tax law. |
| Establishing, exercising or defending legal claims | Legitimate interest (Art. 6(1)(f)) | Preserving records for a dispute or regulatory investigation. |
05 How We Share It
We share personal data only with the limited categories below, and only as necessary.
- Infrastructure and cloud providers that host the API, the database, and the website.
- Payment processors that handle subscription billing.
- Email-delivery providers that send transactional and (opt-in) marketing email.
- Anti-abuse services, including Google reCAPTCHA, for bot detection on sign-up and login flows.
- Analytics providers (when enabled) for aggregate usage insight, configured to respect Do-Not-Track / Global Privacy Control signals where feasible.
- Professional advisers such as auditors, accountants, and lawyers, under confidentiality obligations.
- Authorities and law-enforcement, where we are compelled by a valid legal request or to protect vital interests of an individual.
- Acquirers in the event of a merger, acquisition, reorganization, financing, or sale of assets. We will give reasonable notice before personal data becomes subject to a different privacy policy.
We do not sell personal data. We do not share personal data for cross-context behavioural advertising.
Important note about Third-Party Data Sources: Trends MCP retrieves and normalizes signals from public third-party platforms (such as Google, TikTok, Reddit, Amazon, Wikipedia, and others). We send aggregate, non-identifying requests to those platforms. We do not share your personal account data or individual queries with Third-Party Data Sources as a matter of course.
06 Sub-processors
We may engage sub-processors to help us operate the Service. Each sub-processor is bound by a written agreement that imposes confidentiality and data-protection terms consistent with this Policy and, where required, Article 28 of the GDPR. Representative categories include cloud infrastructure, database hosting, payment processing, transactional email, error monitoring, customer support tooling, bot-detection (reCAPTCHA), and optional product analytics.
For the current list of named sub-processors, or to request advance notice of changes, contact [email protected].
07 International Data Transfers
The Service is operated globally. Some of our sub-processors are based in, or transfer data to, countries that may not have the same level of data-protection legislation as your own. Where we transfer personal data out of the EEA or the UK to a country that has not received an adequacy decision from the European Commission or the UK government, we rely on appropriate safeguards such as:
- the European Commission’s Standard Contractual Clauses (SCCs), and the UK’s International Data Transfer Addendum where applicable;
- additional technical and organizational measures, such as encryption in transit and at rest, and access controls; and
- transfer-impact assessments, where required.
You can request a copy of the safeguards we rely on by writing to [email protected].
08 Retention
We retain personal data only for as long as we need it for the purpose for which it was collected, unless a longer retention period is required or permitted by law. Typical retention windows:
| Category | Typical retention |
|---|---|
| Account data | For the life of the account, then up to 24 months after closure for backups and legal-claim purposes. |
| API request logs (full detail) | Up to 90 days. |
| Aggregated, non-identifying usage metrics | Indefinitely. |
| Billing and tax records | As required by applicable tax law (typically 7–10 years in the EU). |
| Support tickets | Up to 24 months after resolution. |
| Marketing opt-in records | Until opt-out, plus evidence retention of up to 24 months. |
| Security and anti-abuse logs | Up to 12 months. |
09 Security
We implement technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include transport-layer encryption (HTTPS / TLS), at-rest encryption on our managed databases, hashed storage of API keys and passwords, principle-of-least-privilege access controls, vendor due diligence, periodic security reviews, and logging and monitoring.
No method of transmission or storage is 100% secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority and affected individuals as required by applicable law. You can report a suspected incident to [email protected].
10 Your GDPR / UK GDPR Rights
If the GDPR or UK GDPR applies to your processing, you have the right to:
- Access the personal data we hold about you and receive a copy.
- Rectify inaccurate or incomplete data.
- Erasure (“right to be forgotten”) in the circumstances permitted by law.
- Restrict processing in certain circumstances.
- Data portability, where processing is based on consent or a contract and is carried out by automated means.
- Object to processing based on legitimate interests or direct marketing.
- Withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- Not be subject to a decision based solely on automated processing that has legal or similarly significant effects on you (we do not make such decisions — see Section 14).
- Lodge a complaint with a supervisory authority (see Section 18).
To exercise any of these rights, contact [email protected]. We will respond within the period required by applicable law (normally one month). We may need to verify your identity before we act on a request.
11 Your CCPA / CPRA Rights (California)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, or share, including the categories, sources, purposes, and recipients.
- Access a copy of the specific pieces of personal information we hold about you.
- Delete personal information we have collected, subject to certain exceptions.
- Correct inaccurate personal information.
- Opt out of any “sale” or “sharing” of personal information. We do not sell or share your personal information for cross-context behavioural advertising.
- Limit the use of any sensitive personal information beyond the purposes permitted by the CPRA. We do not use sensitive personal information for purposes that would require such a limit.
- Non-discrimination for exercising these rights.
You may exercise these rights by emailing [email protected], with the subject line “California Privacy Request.” Authorized agents may submit requests on your behalf with verifiable written permission.
12 Cookies and Similar Technologies
We use a small number of strictly necessary cookies and local-storage items to operate the Service, for example to keep you logged in and to protect against cross-site request forgery. We use Google reCAPTCHA on certain forms to protect against automated abuse; use of reCAPTCHA is subject to Google’s Privacy Policy and Terms of Service.
Where we use non-essential analytics cookies, we will ask for your consent (where required by applicable law) before loading them. You can clear or block cookies through your browser settings, though doing so may affect parts of the Service.
13 Children
The Service is not directed to children under the age of 16, and we do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact [email protected] and we will take reasonable steps to delete it.
14 AI Training and Automated Decisions
We do not use your queries, prompts, or API parameters to train or fine-tune any machine-learning model or large language model, and we do not sell such data to any third party for model-training purposes. When you connect the Service to an AI assistant (such as Claude, ChatGPT, Cursor, or another MCP client), that client is a separate product governed by its own privacy policy. Please review that policy for how your inputs and the resulting Output may be handled by the AI provider.
We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects on you within the meaning of Article 22 GDPR.
15 Third-Party Data Sources
Trends MCP aggregates and normalizes signals from publicly accessible third-party platforms. Those signals describe the popularity, ranking, or volume of public topics, keywords, and items — they are not intended to identify you or any other individual. If Output incidentally contains information that qualifies as personal data under applicable law, Trends MCP’s role with respect to that data is limited to the normalization, transformation, and delivery of signals, and we rely on the public nature of the source and on our legitimate interest in providing an analytics product.
16 Do-Not-Track and Global Privacy Control
We recognize the Global Privacy Control (GPC) signal where legally required and, where we are able, configure our analytics accordingly. There is currently no industry consensus on how to respond to the legacy Do-Not-Track header, so we do not respond to it.
17 Changes to This Policy
We may update this Policy from time to time. When we do, we will update the “Last updated” date at the top of this page and, for material changes, take reasonable steps to notify you (for example, by email, in-app banner, or changelog). Your continued use of the Service after the effective date of the revised Policy constitutes acknowledgement of the changes, to the extent permitted by law.
18 Contact and Complaints
Questions, requests, and complaints about this Policy or our handling of your personal data should be addressed to:
- Email: [email protected]
- Web: trendsmcp.ai
Supervisory authority. If you are in the European Economic Area, you have the right to lodge a complaint with the data-protection authority of your country of habitual residence, your place of work, or the place of the alleged infringement. If you are in the United Kingdom, the relevant authority is the Information Commissioner’s Office (ico.org.uk). For other jurisdictions, contact your local data-protection authority.
This Policy is provided in English. If any provision is held unenforceable, the remainder shall remain in full force.