Privacy Policy

Last updated: March 5, 2026

Overview

Harbor is an open-source desktop application and CLI tool that manages MCP (Model Context Protocol) servers. It is maintained by Joshua Shunk. We are committed to protecting your privacy.

Data Controller

For the purposes of applicable data protection laws (including the EU General Data Protection Regulation), the data controller is:

Joshua Shunk
Email: privacy@harbormcp.ai

Information We Collect

Harbor runs entirely on your local machine. We do not operate backend servers that collect user data. Specifically:

• No telemetry: Harbor does not send usage data, analytics, or crash reports to any remote server.
• No accounts: Harbor does not require you to create an account or sign in to use the application.
• Local configuration: All configuration files, server settings, and preferences are stored locally on your device (typically at ~/.harbor/).

We do not collect any categories of personal information as defined by the California Consumer Privacy Act (CCPA).

Legal Basis for Processing

Harbor does not collect or process personal data on remote servers. For the limited network requests described below (OAuth redirects, marketplace queries, update checks), the legal basis under GDPR Article 6(1) is:

• Legitimate interest (Art. 6(1)(f)) — to provide core functionality such as OAuth authentication flows, marketplace search, and software updates.
• Contract performance (Art. 6(1)(b)) — to deliver the service you have chosen to use.

OAuth & Third-Party Services

When you connect Harbor to third-party MCP servers that require authentication (e.g., via OAuth), Harbor facilitates the authorization flow between your machine and the third-party provider. In this process:

• Authorization codes and tokens are handled locally on your device.
• Our domain (harbormcp.ai) serves only as an OAuth redirect endpoint that forwards the authorization code back to your local Harbor instance. No credentials are stored or logged on our servers.
• Secrets you store in the Harbor vault are kept in your operating system's native keychain (macOS Keychain, Windows Credential Manager, or Linux Secret Service).

Google User Data

If you use Harbor with MCP servers that connect to Google services via OAuth, Harbor may receive an OAuth access token on your behalf. Harbor does not access, store, or share Google user data on any remote server. Tokens are stored locally in your operating system's keychain. For compatibility with certain MCP servers, Harbor may also write credential files (containing tokens and client identifiers) to ~/.harbor/credentials/ on your local device. These files remain entirely on your machine and are used solely to authenticate requests made by the MCP server running on your device. Harbor's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Marketplace & Network Requests

Harbor's marketplace search feature queries the official MCP Server Registry (registry.modelcontextprotocol.io) to discover MCP servers. These requests include only the search query you provide. Harbor does not send any personally identifiable information or authentication credentials with these requests.

Software Updates

Harbor may check for new releases by contacting the GitHub API (api.github.com). These requests include a User-Agent header containing your current Harbor version (e.g., harbor-cli/0.4.6). No personally identifiable information is sent.

Cookies & Tracking

The Harbor website (harbormcp.ai) does not use cookies, tracking pixels, or any analytics services. The Harbor desktop application does not use cookies or tracking technologies.

Data Retention

All data created by Harbor (configuration files, cached tokens, vault secrets) is stored locally on your device and persists until you delete it or uninstall the Software. We do not retain any user data on remote servers.

Data Sharing & Sale

We do not sell, share, rent, or transfer any personal data to third parties. We do not sell personal information as defined by the California Consumer Privacy Act (CCPA). Harbor does not collect personal data in the first place.

Your Rights

Depending on your jurisdiction, you may have rights under data protection laws such as the GDPR or CCPA, including the right to access, correct, delete, or port your personal data, and the right to opt out of the sale of personal information. Since Harbor does not collect or store personal data on remote servers, there is no data for us to access, correct, delete, or provide. All data is stored locally on your device and is fully under your control.

If you believe we hold any personal data about you or wish to exercise your rights, please contact us at privacy@harbormcp.ai.

Children's Privacy

Harbor is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe that a child under 13 has provided us with personal information, please contact us at privacy@harbormcp.ai so we can take appropriate action.

Open Source

Harbor is open-source software. You can inspect the full source code at github.com/JoshuaShunk/Harbor to verify our privacy practices.

Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date. Material changes will be announced via GitHub releases. We will update this policy at least once every 12 months, even if no substantive changes are made, to reflect the current effective date.

Contact

If you have questions about this privacy policy, please email privacy@harbormcp.ai or open an issue on our GitHub repository.