Moonlit MCP Server: Privacy Policy

Last updated 6 May 2026.

This Privacy Policy describes how Moonlit Legal Technologies B.V. ("Moonlit", "we", "us") processes personal data when you connect to the Moonlit MCP server (the "MCP Server") at https://mcp.moonlit.ai/through Claude.ai, Claude Code, Claude Desktop, or any other Model Context Protocol ("MCP") compatible client.

This document is a product-specific supplement to the Moonlit Privacy Policy (available at trust.moonlit.ai). The general Privacy Policy and its addenda (the GenAI Addendum and the Information Security Addendum) continue to apply in full. Where this MCP-specific Privacy Policy is silent, the general Privacy Policy controls. Where this Policy provides additional or more specific information about MCP-related processing, this Policy controls for that processing.

1. Introduction and Scope

The MCP Server is one of two access modes within Moonlit Connect (the other being the Moonlit Data API). It exposes a curated subset of the Moonlit Data Layer to MCP-compatible AI assistants so that those assistants can search, retrieve, and reason over European legal sources during a user's session.

This Policy applies to natural persons who:

• connect an MCP-compatible client (such as Claude.ai) to the MCP Server;
• complete the OAuth 2.1 authorisation flow at https://mcp.moonlit.ai/; and
• subsequently invoke MCP tools through that client.

Moonlit Legal Technologies B.V., registered in the Netherlands under KvK (Chamber of Commerce) number 93559291, with its registered office at Westeinde 14, 1017 ZP Amsterdam, the Netherlands, acts as the data controller for the personal data described in this Policy.

This Policy is provided in fulfilment of Moonlit's obligations under Articles 13 and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the Dutch GDPR Implementation Act (UAVG), and the ePrivacy Directive 2002/58/EC.

2. Personal Data We Collect

When you connect to and use the MCP Server, we collect the following categories of personal data:

2.1 OAuth and authentication data

• Account email address associated with your Moonlit subscription, as supplied during the OAuth 2.1 authorisation flow.
• The Azure API Management ("APIM") subscription key that you paste into the Moonlit consent screen at the /authorizestep. The APIM key is the identity factor inside the standard OAuth handshake; the OAuth handshake then issues a Bearer token tied to that key's subscription.
• OAuth session metadata: the dynamically registered client identifier (the MCP host that registered itself with us under RFC 7591), redirect URIs supplied by that client, the PKCE code challenge (S256), and the issued access and refresh token identifiers.

2.2 Tool-call telemetry

For each MCP tool invocation served from your authenticated session we record:

• the tool name (one of the seven tools the server exposes: keyword_search, hybrid_search_reranked, reference_search, get_filters, retrieve_document, get_document_articles, convert_to_celex);
• the timestamp of the request;
• the HTTP response status (e.g., 200, 401, 429, 5xx);
• the latency in milliseconds;
• the MCP client identifier (for example, claude.ai, claude-desktop, claude-code, or another MCP-compatible client name reported by the host);
• the token subject identifier that allows us to attribute the call to your subscription for tier-based accounting; and
• the IP address of the originating MCP host, request metadata, and aggregated usage counts (consistent with §2.2 of the Moonlit Privacy Policy).

2.3 Query content

The substantive content of the queries you send to the MCP Server (the keyword expressions, natural-language prompts, filter values, and parameter payloads of each tool call) is not stored by Moonlit beyond the transient processing required to compute and return the response. Where operational logging or telemetry could otherwise capture query content, Moonlit applies explicit redaction so that the content is masked. This is consistent with the redaction posture described in the Information Security Addendum §6.4 and in the Moonlit MCP DPA §4.1.

2.4 Document content returned to you

The bodies of legal documents that the MCP Server returns to your MCP client in response to your queries are not stored beyond the operational cache that Moonlit uses to serve responses efficiently. The Moonlit Data Layer itself (Moonlit's database of publicly available European legal sources) is maintained independently of any individual MCP session; it is not a record of your interactions with the MCP Server.

2.5 What we do not collect

• We do not collect your full name, address, payment details, or any other profile attribute through the MCP Server itself. Subscription and billing data is collected separately when you sign up to Moonlit and is governed by the general Moonlit Privacy Policy.
• We do not intentionally collect special categories of personal data (Article 9 GDPR) through the MCP flow.

3. How Long We Keep It

We retain MCP-related personal data for no longer than is necessary.

• Tool-call telemetry and access logs: per the Information Security Addendum §6.2 (operational logs at least 30 days; user access logs up to 365 days; system access logs up to 180 days).
• OAuth tokens: lifetime of the session; revoked tokens purged on Moonlit's standard schedule.
• Account email and subscription metadata: while your account is active, then per the general Privacy Policy §8.

4. Why We Collect It (Legal Bases)

We process the personal data described in §2 on the following legal bases:

• Article 6(1)(b) GDPR. Performance of a contract. Authenticating your session, routing your tool calls, returning legal documents, enforcing your subscription's tier entitlements, and providing customer support are all necessary to perform the Moonlit subscription contract under which you access the MCP Server.
• Article 6(1)(f) GDPR. Legitimate interests. We rely on our legitimate interest in (i) preventing abuse of the MCP Server (including credential stuffing, scraping, and tier-limit circumvention); (ii) monitoring availability, latency, and error rates; (iii) maintaining audit trails for security incident investigation in line with our ISO/IEC 27001:2022 certified ISMS; and (iv) producing aggregated usage reporting for capacity planning and product improvement. We have assessed that these interests are not overridden by your data protection rights, given the limited categories of data involved, the redaction of query content, and EU-only hosting.
• Article 6(1)(c) GDPR. Compliance with legal obligations. Where required to comply with EU or Dutch law (for example, responses to lawful authority requests).

5. How We Use It

We use the personal data described in §2 only to:

• authenticate your MCP session and issue the Bearer token tied to your subscription;
• execute your tool calls against the Moonlit Data Layer and return the results to your MCP client;
• enforce subscription tier limits and other subscription terms;
• detect, investigate, and prevent abuse, fraud, and security incidents;
• monitor and improve the availability, latency, and accuracy of the MCP Server;
• comply with applicable legal obligations and respond to lawful authority requests; and
• communicate with you (or your administrator) about service-affecting events.

We do not use MCP tool-call telemetry, OAuth metadata, or any other MCP-related personal data to train generative AI models. Moonlit does not train models on your queries or on your tool-call content.

6. Sub-processors

When you use the MCP Server, the following sub-processors may process MCP-related personal data on Moonlit's behalf or, where indicated, on their own account:

Authentication is performed by Moonlit's own OAuth 2.1 authorisation server, hosted on Microsoft Azure in the EU. No third-party identity provider is used. User authentication is bound to an Azure API Management subscription key issued by Moonlit and exchanged for a Bearer token through the OAuth handshake.

If you connect through a non-Anthropic MCP-compatible client, the operator of that client is the controller for the data your client receives from the MCP Server. Their own privacy policy applies to that processing.

The MCP Server invokes Google Vertex AI for the query embedding step used in hybrid search and the reranking step inside hybrid_search_reranked. Other Moonlit GenAI sub-processors (Azure OpenAI, AWS Bedrock) are engaged for Platform features (Search, Luna, Workspaces, Monitors), not for the MCP tool surface. See the GenAI Addendum.

See also trust.moonlit.ai.

7. International Transfers

The MCP Server, its OAuth authorisation server, its API Management gateway, its database, and its operational logs are hosted exclusively in European Union regions of Microsoft Azure. We do not route MCP queries, MCP responses, OAuth tokens, or MCP telemetry outside the European Economic Area for storage or processing.

We do not rely on any "essential equivalence" mechanism with respect to United States data protection law. The infrastructure that processes your MCP-related personal data does not transfer that data to the United States or to any other third country, and is not subject to access requests under U.S. surveillance instruments such as FISA §702 or Executive Order 12333 (the data-transfer concerns identified by the Court of Justice of the European Union in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18, "Schrems II") do not arise for MCP processing under this Policy).

If you choose to connect through Anthropic's hosted Claude products (claude.ai, Claude Desktop, Claude Code), Anthropic processes your prompts and the MCP Server's responses under its own privacy policy and infrastructure. Moonlit does not control, and is not responsible for, Anthropic's processing of your data in that capacity.

8. Your GDPR Rights

You have the following rights with respect to the personal data we process about you under this Policy:

• the right of access (Article 15 GDPR);
• the right to rectification (Article 16 GDPR);
• the right to erasure (Article 17 GDPR);
• the right to restriction of processing (Article 18 GDPR);
• the right to data portability (Article 20 GDPR);
• the right to object to processing on the basis of legitimate interests (Article 21 GDPR); and
• the right to withdraw any consent you have given, without affecting the lawfulness of prior processing (Article 7(3) GDPR).

To exercise any of these rights, contact us at privacy@moonlit.ai. We will respond within one month of receipt, in line with Article 12(3) GDPR.

You also have the right to lodge a complaint with the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (https://www.autoriteitpersoonsgegevens.nl/en/contact), or with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement.

9. Security

The MCP Server is operated within Moonlit's ISO/IEC 27001:2022 certified Information Security Management System (Certificate No. 202506-107, issued 30 June 2025, valid until 30 June 2028). The technical and organisational measures described in the Moonlit Information Security Addendum apply in full to the MCP Server, including:

• HTTPS-only access with TLS 1.2 or higher in transit;
• AES-256 encryption at rest for all persistent storage;
• role-based access control with multi-factor authentication for administrative access;
• redaction of query content in operational logs;
• annual third-party penetration testing; and
• incident management procedures consistent with the Personal Data Breach notification obligation in the Moonlit MCP DPA §3.7.

10. Children

The MCP Server is a professional tool. It is not designed for or directed at children under the age of 16, and we do not knowingly process the personal data of children through the MCP Server.

11. Changes to This Policy

We may update this MCP-specific Privacy Policy from time to time. Material changes will be communicated by updating the "Last updated" date at the top of this document and, where appropriate, by direct notice to your account email address. We encourage you to review this Policy periodically.

12. Contact

For questions about this Policy, to exercise your GDPR rights, or to submit a privacy-related request, please contact:

This document supplements, and is incorporated into, the Moonlit Privacy Policy, the GenAI Addendum, and the Information Security Addendum. The general Privacy Policy and its addenda continue to apply in full.