MCP Privacy Policy
Last updated: July 2026 · Version 1.0
This privacy policy applies to the MCP service (Model Context Protocol) provided by Schoolyland (“Schoolyland“, “we“, “us“) through schoolyland.com, and details how we collect, use, process, and protect personal data of Service users (“you“, “the Customer“).
It is written with the EU General Data Protection Regulation (GDPR) as its baseline and applies alongside the privacy laws of the State of Israel. It supplements the general Privacy Policy and should be read together with the MCP Terms of Service.
1. Definitions
- Personal data — any information relating to an identified or identifiable natural person, directly or indirectly, including by name, email address, online identifier, or any other datum.
- Processing — any operation performed on personal data, including collection, storage, copying, review, disclosure, transfer, delivery, or granting access.
- Data controller — Schoolyland, as the party determining the purposes of processing with respect to data of our customers (MCP service users). For data of your own clients (contacts, buyers, community members), see Section 2.8.
- The Service — the MCP service enabling connection of a WordPress platform to AI tools via the MCP protocol.
2. Data we collect
2.1 Data provided at provisioning
- WordPress platform address — your platform’s URL. For platforms provisioned by Schoolyland, the address is taken from your customer account.
- API username — the username on your WordPress platform used for API access; selected automatically from the platform’s administrator list where provisioning is automatic.
- Application Password — a dedicated password created in your WordPress system for API access (not your regular login password). Where provisioning is automatic, the password is created automatically through our central management system.
- Service tier — the selected tier (Free / Basic / Pro).
- Gemini API key (optional) — a personal Google Gemini API key, if you choose to provide your own for unlimited AI image generation. The key is encrypted, stored securely, and used solely to perform image-generation requests on your behalf.
Providing this data is not a legal obligation and depends on your consent; without it, we cannot provide the MCP service.
2.2 Data collected automatically (metadata only)
When you use the Service, we record technical metadata only:
- Tool name invoked (e.g., “list_posts”, “get_order”).
- Success/failure — whether the action succeeded.
- Execution duration — in milliseconds.
- Timestamp — when the action was performed.
- Partial token identifier — only the first 8 characters of the connection token, for technical identification.
- Client identification — the name and version of the client connecting to the Service (e.g., “Claude.ai”, “Claude Code”, or any other MCP-compatible AI client) and its technical capabilities, captured automatically at the start of each session for compatibility diagnostics. No personal information about the user is stored beyond the client name and version.
- Additional detail — for some tools, one further technical detail is stored: for generic API queries — the endpoint address and method (GET/POST); for snippets — the snippet’s name and type (see also Section 2.6).
- Monthly image counter — the number of images generated through the AI image-generation capability during the current month, for quota enforcement. The counter resets automatically once a month.
- Service-message interactions — if a personal service message was sent to you: how many times it was displayed and when last; CTA link clicks and when last; and a short reply if you sent one (up to 500 characters).
2.3 Operational account metadata
- Compatibility report — the list of plugins installed on your platform, their versions and status (active/inactive), for compatibility diagnostics; refreshed automatically every 7 days.
- MCP Helper version installed on your platform.
- Connection indicator — whether an AI tool has connected to the Service using your account (without detail of when or how often).
- Provisioning method — automatic or manual.
- Application password identifier — an internal identifier of the application password, used to delete it remotely upon cancellation (without the password itself).
Data we never collect: we do not record, store, or process the content of actions — not the data sent to the server, not the responses returned from it, and no business content, client names, order details, or personal data of your platform’s users. The MCP server is a pass-through communication pipe between the AI tool and your platform. Exception: during the launch period, names and descriptions of PHP code snippets are stored for safety (see Section 2.6).
2.4 Data from your Schoolyland account
As a registered Schoolyland customer, we may already hold data such as your full name and email address. This policy applies only to data collected within the MCP service; the rest is governed by the general Privacy Policy.
2.5 MCP Helper — a helper plugin on your platform
At provisioning, a small plugin called MCP Helper (an mu-plugin file) is installed on your WordPress platform. This plugin:
- Adds REST API endpoints missing from standard WordPress — e.g., access to SEO data, color palette, raw content, content backup and restore, automation management, page duplication, course access management, password reset, cache clearing, and email sending.
- Operates locally only — it does not send data out and does not communicate with external servers. It only enables local access through your platform’s own API.
- Automatically detects which plugins are installed on your platform and registers only relevant endpoints.
- Is updated from time to time — Schoolyland may update the plugin remotely to fix bugs, improve performance, or add support for new tools. The update does not collect, store, or transfer any additional personal data.
- Keeps local backups — for quick restore after a change, the plugin stores on your platform up to 3 recent versions per edited page (post_meta) and up to 3 previous versions per edited snippet (wp_options). These backups are stored on your platform only and are not sent to Schoolyland’s servers.
- Can be removed at any time, by deleting the file
schoolyland-mcp-helper.php from the mu-plugins folder.
MCP Helper does not collect, store, or transfer personal data to Schoolyland. It serves solely as a technical access layer extending the actions available through your platform’s existing API.
2.6 Snippet monitoring during the launch period
During the Service’s launch period, when an AI tool creates a PHP code snippet on your platform (via the create_snippet tool), we store the snippet’s name and description — for safety and to prevent disruption to your platform.
- Why — snippets are PHP code running on your platform. Monitoring names and descriptions lets us identify potential problems without accessing the code itself.
- What is stored — the snippet’s name, short description, scope type, and numeric identifier. An internal alert is also sent to the Schoolyland team.
- Anomaly alert — if more than 20 snippets are created within 24 hours from the same customer, a summary alert with the last 10 titles is sent to the Schoolyland team, to identify potentially problematic usage patterns early.
- What is not stored — the PHP code itself is not stored, read, or monitored by us.
- Limited period — this extended monitoring is active during the launch period only; afterwards, monitoring will be reduced to metadata only (tool name only, like all other tools).
2.7 Personal service messages
Schoolyland may send you service messages displayed in your conversation with your AI tool. In this context we store: the message content (title, body, CTA link — written by Schoolyland); display data (times displayed per recipient and last display, for display-limit enforcement); click data (CTA clicks and last click, via a temporary redirect address on a Schoolyland domain); and your replies (free text up to 500 characters sent via submit_message_response, delivered to Schoolyland by email and kept in an internal message log).
What is not stored: the surrounding conversation content, other actions you performed in the conversation, or any interaction outside the submit_message_response tool.
2.8 Your clients’ data (Schoolyland as data processor)
When an AI tool sends a request through the Service (e.g., list_contacts, wc_get_order, community_list_members), the server passes the request to your WordPress platform and returns the response to the AI tool. That response may include personal data of your own clients — e.g., names and addresses of CRM contacts, order details, course enrollees, community members.
With respect to this data, Schoolyland acts as a data processor only. You are the data controller and bear full responsibility for: the lawful basis to process your clients’ data; providing proper disclosure and obtaining consents as required by the law that applies to you; answering your clients’ access, rectification, and erasure requests; and notifying your clients of a security event concerning their data.
On our side, we commit: not to store, copy, use, or transfer content passing through the Service for any purpose other than providing the Service to you; to transfer data only as defined in Section 4; to protect it with the security measures in Section 5; and — because the server does not store business content — content passes through the server only for the duration of the request and is not retained afterwards.
This section is not a substitute for a formal Data Processing Agreement (DPA) you may wish to sign with us for your own compliance (e.g., GDPR). DPA inquiries: [email protected].
3. Purposes of processing
The collected data is used solely for the following purposes:
- Providing the Service — authenticating you, connecting AI tools to your WordPress platform, and passing API requests.
- Account management — managing the tier, token renewal, and handling service requests.
- Security and abuse prevention — rate limiting, anomaly detection, and blocking unauthorized use.
- Service improvement and maintenance — aggregate (non-identifying) statistical analysis of usage patterns, for capacity planning and performance improvement.
- Communicating with you — service-related updates such as tier changes, planned maintenance, security notices, or compatibility reports.
- Compatibility checking — periodic checks (every 7 days) of plugin versions on your platform, to diagnose issues that may affect the Service.
- Service communication — personal messages delivered through your conversation with the AI tool (service updates, surveys, event invitations, renewal reminders), with opt-out available by cancelling the Service.
We will not process your data for any purpose not listed above.
4. Transfers to third parties
We do not sell, rent, or transfer your personal data to third parties, except in the following cases:
- AI tool providers (Anthropic and others) — the MCP service is accessible to any AI client supporting the MCP protocol. Depending on the client you chose: Claude.ai (web/desktop) — API requests pass through Anthropic’s servers as part of the MCP protocol; Claude Code (CLI) — connects directly from your device to the MCP service, without Anthropic server mediation at the request level; other clients — the request path depends on the specific client and is subject to its privacy policy. In all cases: the AI provider receives no identifying personal data from us — the connection is made with an anonymous token, and your WordPress credentials are never exposed to the provider. You are responsible for reading the privacy policy of your chosen AI provider and complying with its terms.
- Google (Gemini API) — the AI image-generation capability is based on the Google Gemini API. When an image is created, the image description (prompt) is sent to Google’s servers to generate it. Google receives no identifying information about you from us — the request is made with an API key only (Schoolyland’s or yours, per configuration). The generated image is uploaded directly to your platform. Google’s privacy policy: policies.google.com/privacy.
- Central management system — for automatic provisioning, MCP Helper installation and updates, and compatibility checks, Schoolyland uses a central management system hosted on Schoolyland’s own infrastructure. It is not an external third party — it is part of Schoolyland’s infrastructure and is used solely for technical management of the Service.
- Hosting infrastructure provider (devim.cloud, Germany) — our servers are physically hosted in a data center in Germany. The provider supplies servers only and does not access data content. Germany is an EU member state subject to GDPR.
- Legal requirement — where required by law, court order, or a demand of a competent authority.
5. Security
We apply multi-layered security measures, including:
- Encryption in transit — all communication over encrypted HTTPS (TLS).
- Encryption at rest — sensitive credentials (application password and Gemini API key) encrypted in the database with AES-256-CBC.
- Multi-layer authentication — access via a unique UUID token bound to an authenticated session; MCP servers protected by an additional Bearer Token layer; security comparisons performed with timing-safe methods.
- Data isolation — each user’s data is fully separated; no user can access another user’s data.
- Access control — MCP servers restrict access to authorized origins (CORS); SSRF protection blocks access to internal addresses.
- Prompt-injection protection — a scanning mechanism identifies suspicious content in WordPress responses and warns the AI tool accordingly.
- Error sanitization — error messages are filtered and do not expose sensitive technical information (file paths, stack traces, database details).
- Rate limiting — protection against excessive use or attacks.
- Metadata only — audit logs contain technical metadata only, no business content.
- Limited retention — audit logs are kept for 30 days only and then deleted automatically.
- Automatic monitoring — a multi-layer monitoring system checks Service availability (heartbeat every 5 minutes) and server health (memory, error rates, response times — every 30 minutes), and produces internal daily and weekly reports with per-customer metrics (success rate, average response times, error counts) for early problem detection.
While we take reasonable measures to protect the data, no absolute security can be guaranteed against every threat.
6. Data retention and deletion
| Data type |
Retention period |
| Connection details (URL, username, application password) |
While the account is active; deleted upon cancellation |
| Audit logs |
30 days — automatic deletion |
| Tier and account-state metadata |
While the account is active; deleted upon cancellation |
| Compatibility reports (plugin versions) |
While the account is active; deleted upon cancellation |
| Gemini API key (if provided) |
While the account is active; deleted upon cancellation |
| Monthly image counter |
Resets monthly; deleted upon cancellation |
| Snippet monitoring (names and descriptions) |
Up to the most recent 1,000 records; launch period only |
| Service-message content (title, body, CTA) |
Most recent 100 messages; deleted upon cancellation |
| Message display and click data |
Kept with the message; deleted upon cancellation |
| Customer replies to messages |
Most recent 100 records; deleted upon cancellation |
| Monitoring metrics (server availability) |
7 days — automatic deletion |
| Automatic content backups (on your platform) |
Up to 3 backups per page; stored on your platform only |
Upon cancellation of the Service, your MCP account is deleted. An automatically created application password is deleted both from our system and remotely from your WordPress platform; a manually entered password is deleted from our system but remains on your WordPress platform until you delete it yourself.
7. Your rights
If you are in the EU/EEA or UK, you have the GDPR rights set out in the general Privacy Policy (access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and complaint to a supervisory authority); equivalent rights exist under Israeli privacy law. Specifically for the MCP service:
- Access — you may ask to review the personal data we hold about you in connection with the Service. We respond within 30 days.
- Rectification or erasure — if you find the data inaccurate, incomplete, or outdated, you may request its correction or deletion. If we refuse, we will notify you in writing with reasons.
- Cancellation and data deletion — you may cancel the MCP service at any time (in writing or through the customer portal). Upon cancellation, your credentials and MCP data are deleted from our system.
To exercise your rights: email [email protected].
8. Storage and processing
The data is stored on physical servers in Germany (EU), via the infrastructure provider devim.cloud. Schoolyland is established in Israel, which benefits from an EU adequacy decision — transfers between the EU/EEA and Israel are permitted under GDPR without additional safeguards. We do not transfer personal data outside the EEA/Israel except as described in Section 4 (requests to the AI services of Anthropic and Google, performed in a manner that does not expose your identity).
9. Changes to this policy
We may update this policy from time to time. In the event of a material change, we will notify you by email or through your account. Continued use of the Service after publication of the changes constitutes acceptance of the updated policy.
10. Supervisory authorities
If you believe your privacy has been violated, you may contact your local EU data-protection authority, or the Israeli Privacy Protection Authority (Ministry of Justice).
11. Contact