Overview
mcpcleaner.com ("we", "us", the "service") provides a free, client-side utility for validating Model Context Protocol (MCP) configuration files. This document describes how the service handles your information and — importantly — the limits of our responsibility.
We've tried to write this in plain language. Legal documents aren't usually pleasant reading, but this one is short, and the sections that matter most are Disclaimer & liability and The checker, specifically.
Disclaimer & limitation of liability.
The mcpcleaner checker is provided "as-is" and "as-available", without warranties of any kind, express or implied. We do not guarantee accuracy, completeness, correctness, or fitness for any particular purpose.
The validator uses heuristics and pattern matching — not a formal schema, not a security audit. It may:
- Miss real problems. A config that scores 100 can still be wrong, insecure, or malicious. A clean score is not a certification.
- Flag safe patterns as unsafe. False positives are a normal part of heuristic tooling. Always use judgment.
- Produce results that change over time. We update the rules. The same config may score differently next week.
You are solely responsible for reviewing, testing, and deploying your MCP configuration — and for any consequences arising from doing so.
To the maximum extent permitted by applicable law, we are not liable for any direct, indirect, incidental, consequential, special, or exemplary damages arising from (a) your use of or inability to use the service; (b) actions you take based on the service's output; (c) any errors, omissions, inaccuracies, or bugs in the service; (d) security incidents, data exposure, or credential compromise involving configurations analyzed by or referenced in the service; (e) unavailability, downtime, or termination of the service.
This limitation applies whether the claim is based on warranty, contract, tort (including negligence), statute, or any other legal theory, and whether or not we have been advised of the possibility of such damages.
Some jurisdictions do not allow the exclusion of certain warranties or limitations on liability; in those places, the limitations above apply only to the extent permitted by law.
What we collect.
Almost nothing. Specifically:
- We do not run analytics (no third-party analytics, no custom beacon).
- We do not run trackers or advertising pixels.
- We do not set identifying cookies.
- We do not have user accounts. There's nothing to sign up for.
- We do not sell data. We don't have data to sell.
Our web host may keep short-lived server access logs (IP address, user-agent, requested path, timestamp) for operational and security purposes. These are not linked to any identity on our side and are not used for profiling.
The checker, specifically.
When you paste, type, or upload JSON into the checker on the homepage:
- The JSON is processed entirely in your browser by JavaScript loaded from this site.
- Nothing is uploaded to our servers. Nothing is transmitted anywhere. Nothing is stored.
- Closing the tab discards the content. Refreshing the page discards it.
You can verify this by opening your browser's developer tools, switching to the Network tab, and running the checker. You will not see any XHR / fetch requests carrying your configuration.
Even though we don't receive your data, we'd still recommend you redact real secrets before pasting anywhere online — your browser, extensions, clipboard history, or a screenshot you forget you took can all create exposure outside our control.
Contact form.
The contact form on /contact.html delivers your message to the site operators through a private message-handling endpoint. We collect only what you enter into the form (name, email, reason, message) and the timestamp of submission. A basic math-based human check and a hidden honeypot field are used to reduce automated abuse — neither collects additional information.
Once you submit, your message is routed privately to the site operators through a message-handling endpoint. We use the email address you provide solely to reply; we do not add it to any mailing list or share it with third parties. We store received messages only for as long as needed to respond and for reasonable record-keeping — typically less than 24 months.
Third parties.
The site may load fonts from a public font-hosting service. When your browser fetches those fonts, that service receives your IP address and user-agent in accordance with its own policies. We do not send any additional information.
Our site is hosted with a standard commercial web host. We do not embed social media widgets, share buttons, or other third-party content beyond the fonts noted above.
Your rights.
Because we collect almost no personal information, there's very little to exercise rights over. If you've contacted us via the form and would like us to delete that correspondence, submit a new message through the contact form with "Delete my messages" in the subject line and we'll do so within 30 days.
Depending on where you live (e.g. EU/EEA, UK, California), you may have additional legal rights. Those rights apply to us only insofar as we actually hold data about you — in practice, that means your emails and nothing else.
Security.
We serve the site over HTTPS. We do not operate a database of user data, which sharply limits our attack surface. That said, no system is perfectly secure. If you believe you've found a vulnerability, please write to us directly and we'll respond promptly.
Children.
The service is a developer tool and is not directed at children under 13. We do not knowingly collect information from children.
Changes to this policy.
We may update this document as the product evolves. Material changes will be reflected by bumping the version and effective date at the top. Continued use of the service after changes take effect constitutes acceptance.
Questions?
Write to us through the contact form. We'll try to answer promptly.
End of document. Thank you for reading.