Privacy Policy

Last updated: March 10, 2026

1. Data Controller

The data controller for the Health MCP Server ("Service") is:

Ivan Moiseev
Email: privacy@moiseev.ai
Website: health.moiseev.ai

Health MCP Server is a personal health data integration platform that connects wearable devices, cloud storage, and user-uploaded files to AI assistants via the Model Context Protocol (MCP).

Given the small scale of data processing operations, no Data Protection Officer (DPO) has been appointed pursuant to Art. 37 GDPR. The data controller serves as the primary contact for all data protection matters and can be reached at the email address above.

2. EU Representative

As the data controller is established outside the European Economic Area (EEA) and processes data of individuals within the EEA, a representative in the EU has been designated pursuant to Art. 27 GDPR:

Ivan Moiseev
Email: privacy@moiseev.ai

3. Legal Basis for Processing

We process your personal data on the following legal grounds under GDPR:

• Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)): Health data is a special category of personal data. We collect your explicit consent through a dedicated confirmation step each time you connect a wearable service, upload a health file, or link a health-related URL. Each consent action is recorded with a timestamp and the scope of data being authorized. You may withdraw your consent at any time (see Section 9).
• Performance of contract (Art. 6(1)(b)): Processing of account credentials and OAuth tokens is necessary to provide the Service you have registered for.
• Legitimate interest (Art. 6(1)(f)): Usage logs (tool name, timestamp) are processed for service monitoring, security, and abuse prevention.

4. Data We Collect

We collect and process the following categories of data:

• Account information: username and password (hashed with bcrypt) for authentication.
• OAuth tokens: access and refresh tokens for connected third-party services (Whoop, Oura, Withings, Garmin, Google Drive). These tokens are stored in our database and used solely to access your data on your behalf.
• Health data (special category): data retrieved from your connected wearable devices and cloud storage, including but not limited to sleep metrics, heart rate, HRV, activity data, body composition, recovery scores, and lab results. This data is relayed to your authorized MCP client on demand and is not permanently stored on our servers beyond the duration of the request.
• User-uploaded files: files you upload directly (lab results, medical records, health exports) or link via URL. These are stored on the server until you delete them.
• Usage logs: MCP tool invocation logs (tool name, timestamp, user ID) for service monitoring. No health data content is logged.
• Session cookies: a session cookie is used to maintain your authenticated session. It is strictly necessary for the Service to function and does not track you across other websites.

5. How We Use Your Data

Your data is used exclusively to:

• Retrieve and relay your health information to your authorized AI assistant (Claude, ChatGPT, Gemini, or other MCP-compatible clients) upon request.
• Maintain active connections to your linked services through token management and refresh.
• Store your uploaded files and URL references for on-demand access by your AI assistant.
• Monitor service health, detect abuse, and troubleshoot errors.

We do not use your health data for advertising, analytics, profiling, automated decision-making, or any purpose other than providing the Service to you.

6. Data Sharing and International Transfers

Your data is shared only with:

• Third-party APIs you have explicitly connected (Whoop, Oura, Withings, Garmin, Google Drive) — only to retrieve your own data.
• MCP clients (AI assistants) that you authorize using your personal OAuth credentials.

We do not sell, rent, or share your data with any other third parties.

International transfers: When you connect third-party services, your data may be transferred to servers located outside the European Economic Area (EEA), including the United States (Whoop, Oura, Garmin, Google). These transfers are safeguarded by the following mechanisms:

• EU-US Data Privacy Framework: US-based providers participating in the EU-US Data Privacy Framework (such as Google) provide an adequate level of data protection as recognized by the European Commission.
• Standard Contractual Clauses (SCCs): where the Data Privacy Framework does not apply, transfers rely on Standard Contractual Clauses adopted by the European Commission, as implemented in each provider's data processing terms.
• Your explicit consent (Art. 49(1)(a)): as a supplementary basis, you provide explicit consent to the transfer each time you connect a third-party service, after being informed of the potential risks.

Each provider maintains their own data protection measures as described in their privacy policies (see Section 10).

7. Data Storage and Security

• All data is stored on a private server with restricted access.
• Passwords are hashed using bcrypt with a cost factor of 12.
• All communications are encrypted via HTTPS/TLS.
• OAuth tokens are stored in a PostgreSQL database accessible only to the application.
• Uploaded files are stored on the server filesystem in user-isolated directories and accessible only to their owner.
• Health data retrieved from wearable APIs is transmitted directly to the MCP client and is not cached or stored on the server.

8. Data Retention

• Account data: retained for as long as your account exists.
• OAuth tokens: deleted immediately when you disconnect a service.
• Uploaded files and URLs: retained until you delete them or your account is deleted.
• Usage logs: retained for 24 months from the date of creation, after which they are automatically deleted. Logs contain only tool names, timestamps, and user IDs — no health data content.
• Session data: session cookies expire after 7 days of inactivity.
• Account deletion: when your account is deleted, all associated data (tokens, files, uploads, usage logs) is permanently removed.

9. Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights:

• Right of access (Art. 15): You can view your data through the dashboard and connected MCP clients. You may also request a complete copy of your personal data by contacting us.
• Right to rectification (Art. 16): You can update your password and account settings through the dashboard. For other corrections, contact us.
• Right to erasure (Art. 17): You can delete uploaded files and URL references at any time. You may request complete account deletion by contacting the administrator.
• Right to restriction of processing (Art. 18): You may request that we restrict the processing of your data. In practice, you can disconnect individual services to stop processing data from those sources.
• Right to data portability (Art. 20): You can download your uploaded files through the dashboard. You may request an export of your personal data in a machine-readable format by contacting us.
• Right to object (Art. 21): You may object to the processing of your data based on legitimate interest (usage logs). Contact us to exercise this right.
• Right to withdraw consent (Art. 7(3)): You may withdraw your consent to health data processing at any time by disconnecting services and deleting your files through the dashboard. Withdrawal does not affect the lawfulness of processing performed prior to withdrawal.
• Right to lodge a complaint: You have the right to lodge a complaint with a data protection supervisory authority. The lead supervisory authority for this Service is the Autoriteit Persoonsgegevens (Dutch Data Protection Authority), PO Box 93374, 2509 AJ The Hague, Netherlands (autoriteitpersoonsgegevens.nl). You may also contact the supervisory authority in your own country of residence.

To exercise any of these rights, contact us at privacy@moiseev.ai. We will respond to your request within one month of receipt, in accordance with Art. 12(3) GDPR. If the request is complex or we receive a high volume of requests, this period may be extended by a further two months, in which case we will inform you of the extension within the initial one-month period.

10. Third-Party Services

When you connect third-party services, their respective privacy policies also apply:

• Whoop: whoop.com/privacy
• Oura: ouraring.com/privacy-policy
• Withings: withings.com/privacy
• Garmin: garmin.com/privacy
• Google: policies.google.com/privacy

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Art. 33 GDPR.
• Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms, in accordance with Art. 34 GDPR, via the email address associated with their account or through the Service dashboard.

12. Automated Decision-Making

The Service does not perform automated decision-making or profiling as defined in GDPR Art. 22. Health data is relayed to AI assistants at your request, but no automated decisions with legal or similarly significant effects are made by this Service.

13. Children's Data

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.

14. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. If we make material changes that affect how your health data is processed, we will notify you through the Service dashboard.

15. Contact

If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about how your data is processed, please contact:

Ivan Moiseev
Email: privacy@moiseev.ai