Privacy Policy · Substack Notes MCP
1. About this policy
This product-specific Privacy Policy describes how the Substack Notes MCP (at substackmcp.genaiunplugged.com) handles your data. It is supplemental to the GenAI Unplugged Privacy Policy (the "Master Privacy Policy"), which covers your data-subject rights (access, correction, deletion, opt-out, portability, CCPA, GDPR), children's privacy, data security standards, and the company-wide contact for privacy requests. In the event of any conflict, the Master Privacy Policy controls.
2. Data controller
GENAI UNPLUGGED LLC (Pennsylvania, USA) is the sole data controller for the Substack Notes MCP. There is no co-brand partner, no revenue-share partner, and no joint controller. Cloudflare, Oracle Cloud, and the other services listed in Section 6 act as data processors under our instructions; they are not independent controllers of your MCP data. This product is not affiliated with Substack, Inc.; Substack is not a data controller or processor for this service.
3. What we collect from you
We collect the minimum data needed to operate the subscriber gate, OAuth authentication, MCP tool dispatch, and the audit log.
From the sign-in flow (OAuth magic link)
- Your Substack email address. Provided by you at login. Used to verify GenAI Unplugged subscriber status, mint OAuth tokens, and send the magic link. Not used for marketing unless you have separately opted into GenAI Unplugged marketing.
- Your GenAI Unplugged subscriber tier (free or paid). Resolved from our local subscriber database via the subs-validator microservice. We do not receive your Substack password.
From the OAuth token lifecycle
- OAuth client registration metadata (client ID, redirect URI). Created at first connect by your MCP client via RFC 7591 dynamic client registration.
- Short-lived authorization codes, access tokens, and refresh tokens. Generated by us, stored server-side in Cloudflare KV. These are opaque random strings that contain no personally sensitive payload beyond email and tier.
- A reverse index of email → token IDs, used to support one-click disconnect and instant tier revocation.
From tool calls (audit log)
- Your email address, the tool name called, the outcome (ok / rate_limited / tier_locked / error), and a Unix millisecond timestamp. Stored in Cloudflare D1.
- We do not log tool input arguments (the content of your Substack Notes, post IDs you query, or any publication data).
- We do not log your Substack session cookie value.
- Audit rows auto-purge after 90 days.
4. What we do NOT collect or store
We explicitly do not collect, store, or process the following:
- Your Substack session cookie. The `substack.sid` value you provide via the `X-BYOK-Substack-Cookie` header is forwarded to Substack's endpoints in the same request lifecycle and immediately dropped from memory. It is never written to logs, databases, Cloudflare KV, or any other persistent storage.
- The content of your Substack Notes, posts, or publication data. We proxy your requests to Substack's API and return the response to your AI client. We do not retain, index, or analyse your publication content.
- Analytics data retrieved from Substack. Statistics returned by tools such as `dashboard_stats` or `subscriber_stats` are passed directly to your AI client and not stored by us.
- Payment information. We do not process payments. Subscription billing occurs on Substack.
- Your Substack password or full account credentials. We access Substack only with the session cookie you provide.
5. How we use your data
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| Email address | Subscriber verification, OAuth token minting, magic link delivery | Contract performance |
| Subscriber tier | Access control — free vs PluggedIn tool gating | Contract performance |
| OAuth tokens (KV) | Authenticate tool calls, enable one-click disconnect | Contract performance |
| Audit log (email + tool + status) | Rate-limit enforcement, abuse detection, dispute resolution | Legitimate interest |
We do not sell, license, or share your data with third parties for marketing purposes. We do not use your data to train AI models.
6. Third-party processors
| Processor | Role | Data processed |
|---|---|---|
| Cloudflare (Workers, KV, D1) | Hosting, KV storage (tokens), D1 (audit log) | All request traffic; tokens; audit rows |
| Oracle Cloud (OCI) | OAuth sign-in flows, subscriber validation, magic link email | Email address, subscriber tier |
| AWS SES / Resend (email) | Magic link delivery | Email address, magic link token |
| Substack, Inc. | Destination of API calls made with your session cookie | Your session cookie + request payloads (proxied, not stored by us) |
Substack, Inc. is the destination of requests we proxy on your behalf. Their handling of your session cookie and request data is governed by Substack's Privacy Policy, not ours.
7. Data retention
- OAuth tokens (KV): access tokens expire after 1 hour; refresh tokens expire after 90 days. Both are deleted immediately upon expiry or upon your request.
- Audit log (D1): rows auto-purge 90 days after creation via a daily scheduled job.
- Email address: retained in token records until expiry. Not retained elsewhere unless you are on our Substack subscriber list (managed by Substack).
- Substack session cookie: never persisted. Dropped from memory at the end of each request.
8. Your rights
Your full data-subject rights (access, correction, erasure, portability, restriction, objection, CCPA opt-out) are described in the GenAI Unplugged Master Privacy Policy. To exercise any right, contact support@genaiunplugged.com. We will respond within 30 days.
To immediately revoke all OAuth access for the Substack MCP, send a deletion request to support@genaiunplugged.com. We will delete all KV token records, client registrations, and audit rows within 30 days.
9. Conflict with Master Privacy
Nothing in this product Privacy Policy reduces the protections described in the GenAI Unplugged Master Privacy Policy. If any provision here conflicts with the Master Privacy Policy, the Master Privacy Policy controls.