Privacy Policy for Quran MCP

Information we handle when you use the hosted MCP service

When an AI client calls Quran MCP, the hosted service may handle the information needed to answer that request.

• Tool inputs and search terms. We handle the verse references, search terms, and other parameters that your AI client sends so the service can return Quran text, translations, tafsir, and related results.
• Connection-scoped identifiers. We keep very short-lived, connection-scoped identifiers in memory only to track whether grounding guidance has already been sent during the current interaction. This supports the service's core purpose of helping AI stay grounded in retrieved sources, cite them clearly, and signal when an answer includes interpretation beyond what those sources explicitly say. We do not use these identifiers to uniquely identify users or track them across separate interactions.
• Failure metadata. If a request fails, the application may write limited error metadata such as tool name, status, duration, and error type to operational logs. In the hosted service described here, successful tool inputs and outputs are not logged by the application, and minimal-mode error logs omit request arguments.
• Connection and transport metadata. Like most internet services, our infrastructure may process technical metadata such as IP address, request path, timing, and transport details in order to deliver the service.

Scope note: this section describes the hosted public service at mcp.quran.ai, not every development or self-hosted setup.

How we use information

• To fulfill your request and return grounded Quran data to the AI client that called the service.
• To keep the hosted service working, including troubleshooting failures and monitoring reliability.
• To maintain session behavior, including short-lived grounding-acknowledgement state.
• To route requests through the service providers and infrastructure needed to deliver search, retrieval, and transport functionality.

We do not use the hosted public deployment described by this policy to build advertising profiles or to sell personal information.

Service providers and infrastructure

We use service providers and infrastructure to operate the hosted service.

• OpenAI and Google. Depending on the embedding model configured behind our self-hosted search infrastructure, search terms may be sent to OpenAI or Google to generate embeddings used for semantic search.
• Voyage AI. Voyage AI may process verse text and search terms when semantic search or reranking features use its models.
• Google Analytics. The public landing page loads Google's analytics script with measurement ID G-LDP10R3HVP. This applies to browser visits to the landing page, not to MCP tool calls.
• Google Fonts. Public website pages load web fonts from Google's CDN, which means your browser sends standard connection metadata to Google to retrieve those files.
• Cloudflare and hosting infrastructure. Cloudflare, our hosting provider, and container/runtime infrastructure may process standard connection and operational metadata to deliver the service.

These providers process information on their own systems subject to their own operational and retention practices.

Retention

• Connection-scoped identifiers. These identifiers are kept only in memory and expire after about three minutes.
• Application and container logs. Error logs are created only when a request fails. The application does not set a fixed retention period for host or container logs, so those logs remain until they are rotated or deleted by the operator or infrastructure layer.
• Provider-side retention. Edge, hosting, and provider logs may be retained under provider-managed policies that are outside direct application control.

Deletion requests and privacy choices

You can send privacy questions or deletion requests to [email protected] or use our public support page.

We will review requests and delete information we control where feasible. Because some information is intentionally short-lived in memory and some operational data is held in provider-managed edge or infrastructure logs, we cannot promise targeted deletion from every system once those records have been written.

The hosted public service does not require an account, so there is no account dashboard for managing or exporting data.

Website visitors

This section applies when you load public pages such as the landing page, docs, support page, or this privacy policy.

• The public landing page uses Google Analytics. This applies to browser visits to the landing page, not to MCP tool calls.
• Those public pages currently load Google Fonts, so your browser makes standard font-delivery requests to Google when the page renders.
• Website requests may still pass through Cloudflare and the hosting stack, which can process standard connection metadata such as IP address, request path, and timing.
• This website section is separate from MCP tool use. Visiting the site does not, by itself, submit MCP feedback or create stored tool-call records in the hosted public service.

Optional feedback-sharing features or self-hosted deployments

This section does not apply to the hosted public service at mcp.quran.ai unless we say otherwise.

If a maintainer or self-hosted operator enables optional feedback-sharing tools, that deployment may store tool-call metadata, AI reflections, explicit user feedback, and optional user quotations in PostgreSQL according to the operator's chosen configuration. In the current checked-in optional-feedback configuration, retention is 180 days.

Any self-hosted deployment is controlled by its own operator and may use different providers, logging, analytics, or retention settings. Those deployments should publish their own privacy disclosures.

Changes to this policy

We may update this policy as the hosted service changes. We will post the updated version at this URL and change the last-updated date at the top of the page.

Contact us

For privacy questions, deletion requests, or directory-review concerns, email [email protected] or use /support.