Last updated: July 1, 2026
VaultSage MCP Privacy Policy
This policy applies to the VaultSage MCP connector available at
mcp.vaultsage.ai, including its OAuth login flow, token
issuance, and MCP tool endpoints. It is separate from the broader NURIE
site terms and is intended to describe the data handling specific to this
connector.
1. What this service does
VaultSage MCP lets a user connect their VaultSage account to an MCP-capable
client such as ChatGPT, Claude, Cursor, or Claude Desktop. Once connected,
the client can search files, list directories, read file contents, upload
text files, create directories, create share links, delete files, view
dashboard metrics, and send chat prompts to VaultSage AI using the user's
own VaultSage account.
2. Data we collect and process
Depending on how the user connects and which tools they invoke, we process:
- Account identifiers such as email address and display name returned during sign-in.
- Authentication material needed to connect the service, including OAuth authorization codes, OAuth state values, MCP personal access tokens, and VaultSage personal API keys.
- Tool inputs sent by the MCP client, such as chat prompts, file IDs, directory IDs, filenames, uploaded text content, recipient email addresses for share links, optional messages, optional passwords, and optional expiry timestamps.
- Tool outputs returned from the VaultSage API, such as search results, file metadata, directory metadata, file contents, chat responses, dashboard metrics, share links, and operation results.
- Basic technical/request data such as HTTP headers, request timestamps, and error logs needed to operate, secure, and debug the service.
3. How we use the data
- To authenticate the user and complete the connector login flow.
- To issue and validate the user's MCP token and map it to the user's VaultSage API key.
- To execute requested MCP tools against the user's VaultSage account.
- To return requested results back to the MCP client.
- To maintain service reliability, prevent abuse, diagnose failures, and improve the connector.
4. Where the data comes from
- Directly from the user during Google sign-in or email/password sign-in on the connector portal.
- From the user's MCP client when it sends tool arguments to the connector.
- From the VaultSage API when the connector retrieves account, file, directory, chat, or dashboard data on the user's behalf.
5. Who receives the data
- VaultSage / NURIE-operated systems: The connector service, its Firestore-backed token/state storage, and internal logs.
- VaultSage API: Tool inputs needed to fulfill the user's requested action are sent to the VaultSage API using the user's VaultSage personal API key.
- The connected MCP client: Tool outputs are returned to the client that initiated the request.
- Share recipients: If the user creates a share link with recipient emails, those emails and the related share settings are sent to the VaultSage share API so the share can be created.
We do not sell personal data collected by this connector. We do not use
MCP tool inputs or outputs for advertising.
6. Retention
- OAuth handshake state and one-time authorization codes: stored temporarily in Firestore and intended to expire within about 10 minutes; expired entries are deleted automatically or on access.
- MCP personal access tokens and linked VaultSage API key records: stored in Firestore until the user regenerates the token, disconnects, or the record is otherwise removed by service operations.
- Portal session data in the browser: stored in the user's browser session storage on the connector site until the browser session ends or the user signs out.
- Operational logs: retained for a limited period as needed for security, troubleshooting, and service reliability.
7. User controls
- Users can choose not to connect the service.
- Users can regenerate their MCP token from the VaultSage MCP dashboard, which invalidates the previous token.
- Users control which tool calls to make and what content to send through those tools.
- Users can delete files, create or remove shares, and otherwise manage their content in VaultSage through VaultSage features and tools.
8. Security
We use bearer tokens, VaultSage personal API keys, and server-side token
validation to authenticate requests. OAuth flow state is stored server-side
rather than in client-visible URLs alone. As with any internet service, no
method of transmission or storage is guaranteed to be perfectly secure.
9. Scope and current behavior
This connector currently supports tools that search, list, read, upload,
organize, share, delete, and chat over content in the user's VaultSage
account. This policy is intended to reflect the current inputs and outputs
of those tools. If the tool set materially changes, this policy should be
updated before or at the time of release.
10. Contact
For privacy questions about the VaultSage MCP connector, contact
cs@nurie.ai.
11. Related policies
The broader NURIE / VaultSage website terms are available at
nurie.ai/terms.
This page is the connector-specific privacy disclosure for the MCP service.