Privacy Policy
This Privacy Policy describes how McpFOX ("we", "our", "the extension") collects, uses, and stores information when you use the McpFOX Chrome extension and website (mcpfox.com). By installing or using McpFOX, you agree to the practices described here.
1. Data collected
Extension: McpFOX collects no personal data during normal operation. When you use the extension to fetch web content, the following data is processed locally on your device only:
- URLs you request to fetch (stored temporarily in L1 memory cache, persisted up to 7 days in L2 IndexedDB, deleted on cache expiry or uninstall)
- Fetched page content (stored in L1/L2 cache on your device, never transmitted to McpFOX servers)
- Extension configuration settings (stored in Chrome's local storage on your device)
Website (mcpfox.com): Standard server access logs (IP address, browser user-agent, requested page, timestamp) are retained for up to 30 days for security and abuse prevention. We do not use these logs for profiling or advertising.
Paid accounts: For Pro and Team subscribers, we collect your email address and billing information (processed and stored by Stripe; McpFOX does not store raw card data). We retain this for the duration of your subscription plus 90 days.
2. What McpFOX does NOT collect
- Page content or URLs from your browsing sessions (we only process URLs you explicitly request via an MCP tool call)
- Chrome passwords, autofill data, or payment methods
- Full browsing history
- Location data
- Microphone or camera input
- Keystrokes or clipboard content
- Analytics or telemetry from free-tier users without explicit opt-in
3. Local storage and caching
Fetched content is stored in two local caches:
- L1 cache (memory): In-process memory, cleared when Chrome is closed. Maximum ~50 MB. TTL: 5 minutes.
- L2 cache (IndexedDB): Persistent browser storage, isolated to the McpFOX extension origin. Maximum configurable up to 500 MB. Default TTL: 24 hours; configurable up to 7 days.
All cached data is stored in your browser's profile on your local device. You can clear it at any time from the McpFOX Options panel (Settings → Cache → Clear All) or by uninstalling the extension.
4. Third-party services
McpFOX uses the following third parties:
- Stripe — payment processing for Pro/Team/Enterprise plans. Stripe's privacy policy governs their handling of payment data.
- Google Chrome Web Store — extension distribution. Google's privacy policy applies to the installation process.
We do not use advertising networks, behavioural tracking pixels, or data brokers.
5. Children's privacy
McpFOX is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child under 13 has provided personal data to McpFOX, contact us at privacy@mcpfox.space for prompt deletion.
6. Changes to this policy
We will notify registered users by email of material changes at least 14 days before they take effect. The "Last updated" date at the top of this document reflects the most recent revision. Continued use after the effective date constitutes acceptance.
Terms of Service
These Terms of Service ("Terms") govern your use of the McpFOX Chrome extension and related services. By installing McpFOX, you agree to these Terms. If you do not agree, do not install or use McpFOX.
1. Eligibility
You must be at least 13 years old to use McpFOX. If you use McpFOX on behalf of an organisation, you represent that you have authority to bind that organisation to these Terms.
2. Acceptable use
You may use McpFOX to fetch and process web content for lawful purposes. You may not use McpFOX to:
- Violate any applicable law or regulation, including laws governing copyright, data protection, computer access, and computer fraud
- Circumvent technical access controls in a way that violates the Computer Fraud and Abuse Act (CFAA), GDPR, or equivalent legislation in your jurisdiction
- Fetch content at a rate or volume that constitutes a denial-of-service attack on target servers
- Harvest personally identifiable information at scale for purposes that require consent not obtained
- Resell access to McpFOX's fetch capabilities as a competing service
- Reverse-engineer proprietary commercial components of McpFOX beyond what is permitted by the MIT licence for open-core components
McpFOX is a tool. Users are solely responsible for ensuring their use of fetched content complies with the terms of service of target websites and applicable law. McpFOX does not review or control the content users fetch.
3. Intellectual property
The open-core fetch engine is licensed under the MIT License. You may use, copy, modify, and distribute it subject to the MIT licence terms. Proprietary components (cloud sync, team features, enterprise integrations) are owned by Arobai and may not be copied, modified, or redistributed without written permission.
McpFOX, the Fox logo, and associated trademarks are owned by Arobai. You may not use them without written permission except as necessary to describe your use of McpFOX in a factually accurate manner.
4. Disclaimer and limitation of liability
McpFOX is provided "as is" and "as available". To the maximum extent permitted by law, we disclaim all warranties, express or implied, including merchantability, fitness for a particular purpose, and non-infringement.
To the maximum extent permitted by law, McpFOX and Arobai are not liable for any indirect, incidental, special, consequential, or punitive damages arising from your use of McpFOX, including but not limited to: loss of data, loss of revenue, violation of a third-party website's terms of service, or legal consequences of fetching protected content.
Paid plans: Our liability to paid subscribers shall not exceed the total fees you paid in the 12 months preceding the claim.
5. Termination
You may stop using McpFOX at any time by uninstalling the extension. We may suspend or terminate your access to paid services if you materially breach these Terms, with 7 days' written notice where practicable (immediate termination for illegal activity). Upon termination, the MIT licence for open-source components remains in effect.
6. Governing law and dispute resolution
These Terms are governed by the laws of Singapore, without regard to conflict-of-law principles. Disputes shall first be submitted to good-faith negotiation. If unresolved within 30 days, disputes shall be settled by binding arbitration under SIAC rules, conducted in English in Singapore. This clause does not prevent either party from seeking urgent injunctive relief from any court of competent jurisdiction.
Security Practices
Extension architecture
McpFOX operates as a Chrome MV3 (Manifest V3) extension. Key security properties:
- No remote code execution: MV3 prohibits remotely-hosted scripts. All extension JavaScript is bundled at build time and reviewed during Chrome Web Store publication.
- Minimal permissions: The extension requests only activeTab, storage, and nativeMessaging. No <all_urls> host permission is requested.
- Local-only MCP server: The HTTP server listens only on localhost:7431 and binds to the loopback interface. It is not accessible from external networks.
- Content Security Policy: A strict CSP is applied to all extension pages.
- IndexedDB isolation: Cached content is stored in an IndexedDB database scoped to the McpFOX extension origin, inaccessible to other extensions or web pages.
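One way to check a build against the properties listed above, as an added example rather than McpFOX's own code: the function audits an MV3 manifest for extra permissions, broad host patterns and non-local script sources. Both manifests are constructed samples; McpFOX's real manifest is not shown on this page.

```javascript
// Added example: audit an MV3 manifest against the properties listed above.
// The manifests below are constructed samples, not McpFOX's real manifest.
const ALLOWED_PERMISSIONS = new Set(["activeTab", "storage", "nativeMessaging"]);
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const findings = [];
  if (manifest.manifest_version !== 3) findings.push("manifest_version is not 3");
  for (const p of manifest.permissions ?? []) {
    // Anything outside the stated three is reported, including stray host patterns.
    if (!ALLOWED_PERMISSIONS.has(p)) findings.push(`unexpected permission: ${p}`);
  }
  // Broad host access can be declared in several places, not only host_permissions.
  const hostPatterns = [
    ...(manifest.host_permissions ?? []),
    ...(manifest.optional_host_permissions ?? []),
    ...(manifest.content_scripts ?? []).flatMap((cs) => cs.matches ?? []),
  ];
  for (const h of hostPatterns) {
    if (BROAD_HOSTS.has(h)) findings.push(`broad host pattern: ${h}`);
  }
  // MV3 keeps the CSP for extension pages under content_security_policy.extension_pages.
  const csp = manifest.content_security_policy?.extension_pages ?? "";
  const scriptSrc = csp.split(";").map((d) => d.trim().split(/\s+/))
    .find((d) => d[0] === "script-src");
  for (const src of (scriptSrc ?? []).slice(1)) {
    if (src !== "'self'" && src !== "'none'") findings.push(`script-src allows: ${src}`);
  }
  return findings;
}

const conforming = {
  manifest_version: 3,
  permissions: ["activeTab", "storage", "nativeMessaging"],
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};
const deviating = {
  manifest_version: 3,
  permissions: ["activeTab", "storage", "tabs"],
  host_permissions: ["<all_urls>"],
  content_security_policy: {
    extension_pages: "script-src 'self' https://cdn.example; object-src 'self'" },
};
console.log(auditManifest(conforming));
console.log(auditManifest(deviating));
```

An empty result means the manifest matches the stated properties; each string in a non-empty result names one deviation to review.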
Data in transit
- Fetches to target websites use Chrome's native TLS stack — the same as normal browser traffic.
- Communication between the extension and your local MCP client (Claude Desktop, Cursor, etc.) travels only over localhost. This traffic is not encrypted because it never leaves your machine.
- Billing API calls to Stripe use HTTPS/TLS 1.3.
Supply chain
- The open-core fetch engine uses minimal third-party dependencies (Mozilla Readability, no analytics libraries).
- Dependency hashes are locked in package-lock.json.
- Automated dependency audit runs on every pull request via GitHub Actions.
Responsible disclosure
We operate a responsible disclosure programme. If you discover a security vulnerability in McpFOX:
- Email security@mcpfox.space with a detailed description. PGP key available on request.
- Allow us 90 days to investigate and patch before public disclosure.
- Do not exploit the vulnerability beyond what is necessary to demonstrate it.
We acknowledge all valid reports within 72 hours. We do not currently operate a paid bug-bounty programme but recognise researchers publicly (with permission) for significant findings.
Contact
| General support | support@mcpfox.space |
| Privacy enquiries | privacy@mcpfox.space |
| Billing & refunds | billing@mcpfox.space |
| Security disclosure | security@mcpfox.space |
| Enterprise sales | sales@mcpfox.space |
| Legal / trademark | legal@mcpfox.space |
Response time: support 24h · privacy/legal 5 business days · security 72h