eWasl Docs

Privacy Policy (API, MCP & Connectors)

What data the eWasl API, MCP server, and AI connectors collect, how it is used, stored, shared, and retained, and how to contact us.

This policy covers data handled by the eWasl public API (/api/v1), the MCP server (/api/mcp), the CLI, and the OAuth connectors used by AI clients (Claude, ChatGPT, Cursor, and others). It complements the main eWasl Privacy Policy.

Contact: privacy@ewasl.com · Support: support@ewasl.com · Status: https://app.ewasl.com/status

Who is responsible

eWasl operates this API and the connected MCP server. When you connect an AI client or a third-party automation to your eWasl account, that data processing is governed by this policy and your agreement with eWasl.

What we collect

We collect only what is required to perform the action you request:

  • Account & credentials — your eWasl user ID, the API keys you create, and the OAuth clients/tokens you authorize. API keys are stored hashed (SHA-256); we never store the plaintext key. OAuth access/refresh tokens are signed and the refresh-token registry stores only identifiers needed for revocation.
  • Content you send — post text, media you upload, schedule times, and the social accounts you target, so we can publish or schedule on your behalf.
  • Operational metadata — request timestamps, the scopes used, rate-limit counters, and a correlation ID per request, for security, abuse prevention, and debugging.

We do not request or store payment-card data, government identifiers, health data, or the contents of your AI chat transcripts. MCP tools operate only on the explicit arguments a client sends for a tool call.

How we use it

  • To execute the API/MCP/CLI action you invoked (publish, schedule, fetch analytics, etc.).
  • To enforce authentication, scopes, plan limits, and rate limits.
  • To detect and prevent abuse, and to provide support when you ask for it.

We do not sell your data, and we do not use the content you publish through the API to train models.

Where and how long we store it

  • Data is stored in our managed Postgres (Supabase) with row-level security keyed to your user ID; service-role access is restricted to eWasl's backend.
  • Posts and analytics are retained for the lifetime of your account unless you delete them. Operational logs are retained for a limited window for security and debugging, then rotated.
  • API keys default to a 90-day expiry and can be revoked at any time from Settings → API keys. Revoking a key or an OAuth token takes effect immediately.

Sharing with third parties

To publish on your behalf, content is transmitted to the social platforms you connect (Meta, X, LinkedIn, TikTok, YouTube, Pinterest, etc.) under their own terms. Sub-processors include our hosting (Vercel), database (Supabase), and error monitoring (Sentry, with token/PII scrubbing). We do not otherwise share your data.

Your controls

  • Revoke access — delete an API key (Settings → API keys) or revoke an OAuth client (/api/oauth-server/revoke).
  • Scope down — issue keys with only the scopes a given integration needs.
  • Delete content — remove posts via the dashboard or DELETE /api/v1/posts/{id}.
  • Export / deletion requests — email privacy@ewasl.com.

Connector-specific notes

  • Claude / Anthropic Connectors and ChatGPT / OpenAI Apps connect via OAuth 2.0 (PKCE). You approve the exact scopes on the consent screen before any access is granted.
  • The MCP server marks every tool as read-only or as a write/destructive action so the client can ask for confirmation before changes.

Changes

We will update this page when our practices change and reflect the date in the documentation history. Material changes affecting connected integrations will be communicated to account owners.
