What We Collect

When you connect to the hosted LegisMCP endpoint, we collect:

• A SHA-256 hash of your Congress.gov API key. This is a one-way cryptographic hash — your actual API key cannot be recovered from it.
• Timestamps of when your key was first seen and last used.

What We Do Not Collect

• Your actual Congress.gov API key (only the hash)
• Your name, email, or any personal information
• The content of your MCP tool requests or responses
• IP addresses or device information

How We Use This Data

The hashed API key and timestamps are used solely for:

• Tracking aggregate usage patterns
• Preventing abuse of the hosted service

Data Storage

Data is stored in Cloudflare D1 (SQLite), hosted on Cloudflare's global network. No data is shared with third parties.

Local Usage

When using LegisMCP locally via npx legismcp, no data is sent to our servers. Your API key is used directly to communicate with Congress.gov and never leaves your machine.

Contact

For privacy questions, open an issue on GitHub.