Privacy Policy

Effective: 2026-05-06

This site is a personal side project operated by Lyubomir Atanasov (the "Operator"). It is not affiliated with any employer, past or present. The site collects the minimum data needed to run and rate-limit the service. This page explains what is collected and why.

What we store and for how long

Concrete per-key list. Everything below auto-expires through Redis TTL; there is no manual deletion path.

Cookies
  • mt_fp: random per-browser identifier, HTTP-only, sameSite=lax. Lifetime 400 days. Hashed with HMAC-SHA256 before persistence; the raw cookie value never reaches Redis or logs.
  • mt_tos_v1 (localStorage, not a cookie): records whether you ticked the "I agree to Terms" checkbox. Two values: 1 (agreed) or 0 (disagreed).

IP addresses

Hashed with a daily salt that rotates at UTC midnight. Only the salted hash is stored, scoped to the UTC day, so yesterday's hash is not comparable to today's. The raw IP is never written to long-term storage.

Saved audits

Redis key mt:audit:<slug>. TTL: 30 days. Contains the normalized tool list (names, descriptions, input schemas) inferred from what you pasted, the deterministic and LLM-derived findings, the citations referenced, the slug, and your fp HMAC as an ownership token (server-only, never returned to clients). The raw text you pasted is NOT stored; only the canonical normalized form and a SHA256 hash of the input.

LLM cache

Redis key mt:llm:cache:<inputHash>. TTL: 24 hours. Stores the LLM-derived findings keyed by a hash of the defanged tool array, so re-auditing the same schema does not re-spend on the same OpenRouter calls.

Rate limit counters

Redis keys mt:rl:<surface>:ip:<ipHash>:<day> and mt:rl:<surface>:fp:<fpHmac>:<day>. TTL: 26 hours. Each key holds a single integer counter: one per surface, per IP hash, per UTC day, and one per surface, per fp HMAC, per UTC day. Cleared automatically when the TTL expires.

Daily salt

Redis key mt:salt:current. TTL: 72 hours. The random hex used to salt IP hashes. Rotated daily by a cron job at UTC midnight.
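As an added illustration of how the pieces above fit together (example code written for this page, not the site's own implementation): the daily-salted IP hash, the HMAC of the mt_fp cookie, and the per-day counter keys, with a dict standing in for Redis INCR. The salt/IP concatenation order, the HMAC key value and the in-memory counter are assumptions, not details taken from the page.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Hypothetical server-side secret for the fp HMAC (assumed; not a value from the site).
FP_HMAC_KEY = b"example-server-secret-change-me"

def utc_day(now: datetime) -> str:
    """UTC calendar day that scopes IP hashes and rate-limit counters."""
    return now.astimezone(timezone.utc).strftime("%Y-%m-%d")

def new_daily_salt() -> str:
    """Random hex salt; the page stores it under mt:salt:current and rotates it at UTC midnight."""
    return secrets.token_hex(32)

def hash_ip(ip: str, salt: str) -> str:
    """Salted SHA-256 of the client IP; only this digest is ever stored.
    The salt:ip concatenation is an assumption, not taken from the page."""
    return hashlib.sha256(f"{salt}:{ip}".encode()).hexdigest()

def fp_hmac(raw_cookie: str, key: bytes = FP_HMAC_KEY) -> str:
    """HMAC-SHA256 of the raw mt_fp cookie value, which itself never reaches storage."""
    return hmac.new(key, raw_cookie.encode(), hashlib.sha256).hexdigest()

def linkable_across_days(ip: str, salt_day1: str, salt_day2: str) -> bool:
    """True only if the same IP yields the same stored hash under two different daily salts."""
    return hash_ip(ip, salt_day1) == hash_ip(ip, salt_day2)

def rate_limit_keys(surface: str, ip: str, raw_cookie: str, salt: str, day: str) -> tuple[str, str]:
    """Build the two counter keys described above for one request."""
    return (
        f"mt:rl:{surface}:ip:{hash_ip(ip, salt)}:{day}",
        f"mt:rl:{surface}:fp:{fp_hmac(raw_cookie)}:{day}",
    )

def allow_request(counters: dict, keys: tuple[str, str], limit: int) -> bool:
    """Increment both counters (a stand-in for Redis INCR) and allow the request
    only while neither counter has exceeded the per-day limit."""
    for k in keys:
        counters[k] = counters.get(k, 0) + 1
    return all(counters[k] <= limit for k in keys)

if __name__ == "__main__":
    salt = new_daily_salt()
    today = utc_day(datetime.now(timezone.utc))
    keys = rate_limit_keys("audit", "203.0.113.7", "raw-cookie-value", salt, today)
    print(keys[0])  # neither the raw IP nor the raw cookie appears in either key
    print("linkable under tomorrow's salt:", linkable_across_days("203.0.113.7", salt, new_daily_salt()))
```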

Server logs

Standard request logs at our hosting provider (Vercel). Retained for operational purposes only. We do not write custom logs of pasted schemas or generated findings.

What we do not collect

  • No accounts, email addresses, or login credentials.
  • No analytics, tracking pixels, or third-party advertising.
  • No raw IP addresses persisted to long-term storage; only the daily-salted hash.
  • No outbound network calls from our infrastructure to URLs you provide. The mcptrap-probe CLI runs on your machine and posts results back to us; we never fetch from your servers.

Third-party processors

The following processors handle data on our behalf:

  • Vercel: hosting and edge runtime.
  • Cloudflare: TLS termination, optional bot challenge.
  • Upstash: Redis storage for audits and rate limit counters.
  • OpenRouter: LLM gateway used by the LLM-derived rules and the plain-English explainer. Routes are configured with data_collection: deny so upstream providers do not use prompts for training.

Your choices

You can clear the mt_fp cookie in your browser at any time; this resets your rate limit and severs continuity between future sessions. You can avoid IP collection entirely by accessing the service through a VPN or anonymizing network.

Saved audit slugs auto-expire after 30 days. There is no account, so there is nothing further to delete.

Contact

For privacy questions, contact the Operator via lyuata.com.

Changes

This policy may be updated. The effective date at the top will change when it does. There is no mailing list to notify; check this page if you depend on its contents.