Privacy Policy

The Company (Sleuth Enterprises, Inc.) ("us", "we", or "our") operates https://sleuth.io and https://skills.new, including the Model Context Protocol ("MCP") server hosted at https://app.skills.new/mcp/assets (collectively, the "Services"). This page informs you of our policies regarding the collection, use, disclosure, and retention of Personal Information we receive from users of the Services, including from AI clients (such as ChatGPT and Claude) that connect to our MCP server on your behalf. By using the Services, you agree to the collection and use of information in accordance with this policy.

Information Collection And Use

While using our Site, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to:

  • your name, company, email address, billing address
  • your Sleuth user ID and password
  • credit card information
  • any account-preference information you provide us
  • your computer's domain name and IP address, indicating where your computer is located on the Internet
  • session data for your login session
  • information provided to us about your Git/Hg repositories hosted on external sites
  • OAuth access and refresh tokens issued to AI clients (such as ChatGPT or Claude) that you authorize to connect to our MCP server on your behalf
  • MCP tool invocation data, including the name of the tool called, the arguments passed (for example, search queries, asset identifiers, and filter values), and the user or organization identity associated with the request
  • content returned by the MCP server in response to those tool calls (for example, skills, prompts, rules, hook configurations, and other asset content stored in your account)
  • usage telemetry such as which tools were called, timestamps, success/error status, and identifiers for your user and organization

If you do provide us with personally identifiable information, we will:

  • not sell or rent it to a third party without your permission
  • take commercially reasonable precautions to protect the information from loss, misuse and unauthorized access, disclosure, alteration and destruction

Security

The security of your Personal Information is important to us, but remember that no method of transmission over the Internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.

Communications

We may use your Personal Information to contact you with newsletters, marketing or promotional materials. You'll have the ability to opt out of any of these materials by unsubscribing.

MCP and AI Client Integrations

We operate a Model Context Protocol ("MCP") server at https://app.skills.new/mcp/assets that allows AI clients (such as OpenAI's ChatGPT and Anthropic's Claude) to access and retrieve assets you have stored in your account on your behalf. To use the MCP server, you authorize the AI client through an OAuth flow that issues an access token scoped to your user and organization.

When you invoke an MCP tool from within an AI client, the following information flows from the AI client to our MCP server: the name of the tool, the arguments you (or the AI client acting on your prompt) supply to the tool, and your authenticated identity. In response, our MCP server returns the requested asset metadata or content. The AI client then processes both your inputs and our responses on its own infrastructure under its own privacy policy. For ChatGPT, please refer to OpenAI's privacy policy; for Claude, please refer to Anthropic's privacy policy. We do not control how AI client operators handle data you submit through their products before it reaches our MCP server, or how they handle the responses we return.

You can revoke an AI client's access to our MCP server at any time from your account settings on skills.new, which will invalidate the OAuth tokens previously issued to that client.

Purposes of Processing

We process the categories of Personal Information described above for the following purposes:

  • Account information (name, email, company, billing address, password) — to create and administer your account, provide customer support, and bill you for paid plans.
  • OAuth tokens issued to AI clients — to authenticate requests from the AI client to our MCP server and to enforce organization-level access controls.
  • MCP tool inputs (tool name, arguments, queries) — to execute the requested operation (for example, searching or retrieving an asset).
  • MCP tool outputs (asset content returned to the AI client) — to fulfill the request you initiated from the AI client.
  • Usage telemetry and log data (IP address, timestamps, tool call success/error, user agent) — to operate, secure, debug, and improve the Services, to detect and prevent abuse, and to meet legal and contractual obligations.
  • Payment information — to process payments through our payment processor and to issue invoices and receipts.
  • Communications data — to send service notifications and, where you have not opted out, marketing communications.

Recipients and Sub-processors

We do not sell or rent your Personal Information. We share Personal Information only with the following categories of recipients, and only to the extent necessary for the purposes described above:

  • AI client operators that you authorize — when you connect an AI client (such as ChatGPT or Claude) to our MCP server, the operator of that AI client receives the responses our MCP server returns to fulfill your requests. The operator handles that data under its own privacy policy.
  • Stripe, Inc. (United States) — payment processing. Stripe receives the information necessary to process your payment. See Stripe's privacy policy.
  • Amazon Web Services, Inc. (United States) — cloud hosting and storage of Services data. See AWS's privacy notice.
  • Datadog, Inc. (United States) — application performance monitoring, logging, and observability. Datadog may receive log data, error traces, and usage telemetry. See Datadog's privacy policy.
  • Service providers assisting us with email delivery, customer support, analytics, and legal or accounting services, under written agreements that restrict their use of Personal Information to providing services to us.
  • Authorities, where required by law, valid legal process, or to protect the rights, property, or safety of Sleuth, our users, or others.
  • Acquirers, in connection with a merger, acquisition, financing, or sale of assets, subject to customary confidentiality obligations.

AI Model Training

We do not use your Personal Information, MCP tool inputs, MCP tool outputs, or asset content to train artificial intelligence or machine learning models. Where AI clients (such as ChatGPT or Claude) connect to our MCP server, the operator of that AI client may process the data it receives under its own terms and privacy policy. We encourage you to review the policies and training-data settings of any AI client you connect to our Services and to use any available opt-out controls offered by that client.

Data Retention

We retain Personal Information only for as long as needed for the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Specific retention periods include:

  • Account information — for the duration of your account, and for a reasonable period afterward to handle support, disputes, and legal obligations.
  • OAuth access and refresh tokens — until you revoke the AI client's access, the token is rotated, or your account is deleted.
  • MCP tool invocation logs and usage telemetry — up to 30 days, after which they are deleted or aggregated into non-identifying statistics.
  • Asset content you create — for the duration of your account, or until you delete it from your account.
  • Billing and tax records — for the period required by applicable tax and accounting law (typically up to 7 years).
  • Backups — encrypted backups are retained on a rolling basis and purged in line with the retention periods above.

Your Rights and Choices

Regardless of where you live, you can exercise the following controls over your Personal Information:

  • Access and export — request a copy of the Personal Information we hold about you.
  • Correction — ask us to correct inaccurate or incomplete information.
  • Deletion — request deletion of your account and associated Personal Information, subject to legal retention requirements.
  • Revoke MCP / AI client access — disconnect any AI client connected to our MCP server from your account settings on skills.new at any time.
  • Opt out of marketing emails — by using the unsubscribe link in any marketing email.
  • Manage cookies — through your browser settings.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you additionally have the rights of access, rectification, erasure, restriction of processing, data portability, objection to processing, and the right to lodge a complaint with your local supervisory authority. The legal bases on which we rely include performance of a contract (to provide the Services), our legitimate interests (to secure and improve the Services), compliance with legal obligations, and your consent where required.

To exercise any of these rights, contact us at support@sleuth.io.

International Data Transfers

We are based in the United States and our sub-processors process Personal Information primarily in the United States. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States and other jurisdictions where we or our sub-processors operate. Where required, we rely on appropriate transfer mechanisms (such as the European Commission's Standard Contractual Clauses) for transfers out of the European Economic Area, the United Kingdom, or Switzerland.

Children's Privacy

The Services are not directed to children under 16, and we do not knowingly collect Personal Information from children under 16. If you believe we have collected Personal Information from a child under 16, please contact us at support@sleuth.io and we will take steps to delete it.

Payments

We use Stripe, Inc. to process payments by credit card, bank transfer, or other means. We share with Stripe only the information necessary to execute the transaction. Stripe may send timed messages to you, such as emails containing invoices or notifications concerning the payment. Stripe processes Personal Data in the United States; see Stripe's privacy policy for details.

Cookies

Cookies are files with a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a web site and stored on your computer's hard drive. Like many sites, we use "cookies" to collect information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Site.

Log Data

Like many site operators, we collect information that your browser or AI client sends whenever you visit our Services or invoke our MCP server ("Log Data"). This Log Data may include information such as your computer's Internet Protocol ("IP") address, user agent, the pages of our Site that you visit or the MCP tools you invoke, the time and date of the request, request duration, and response status. We use Log Data through our observability sub-processor (Datadog) to operate, secure, and debug the Services as described in the "Recipients and Sub-processors" section above.

California Residents

California Civil Code Section 1798.83 requires certain businesses that share customer Personal Information with third parties for the third parties' direct marketing purposes to respond to requests from California customers asking about the businesses' practices related to such information-sharing. We currently do not share or disclose your Personal Information to third parties for the third parties' direct marketing purposes. If we change our practices in the future, we will implement an opt-out policy as required under California laws.

Furthermore, subject to certain exemptions, California residents have the following rights with respect to Personal Information we may have collected about them:

Requests to Know

You have the right to request that we disclose:

  • The categories of Personal Information we have collected about you;
  • The categories of Personal Information about you we have sold or disclosed for a business purpose;
  • The categories of sources from which we have collected Personal Information about you;
  • The business or commercial purposes for selling or collecting Personal Information about you;
  • The categories of Personal Information sold or shared, if any, about you, as well as the categories of third parties to whom the Personal Information was sold, by category of Personal Information for each party to whom Personal Information was sold; and
  • The specific pieces of Personal Information collected.

You may submit a request to know via our Personal Information request form. The delivery of our response may take place electronically or by mail. We are not required to respond to requests to know more than twice in a 12-month period.

We do not sell, and have not in the prior 12 months sold, Personal Information about California residents. Therefore, we have not included a “Do Not Sell My Personal Info” link on our Site. If our practices change, we will update this Privacy Policy and take any other necessary action to comply with applicable law. We do, however, disclose Personal Information for business purposes as described in the “Third Parties We Share Personal Information With” section above.

Requests to Delete

You have the right to request that we delete any Personal Information about you that we have collected. Upon receiving a verified request to delete Personal Information, we will do so unless otherwise required or authorized by law. You may submit a request to delete Personal Information via our Personal Information request form.

Authorized Agents

You may designate an authorized agent to make requests on your behalf. You must provide an authorized agent written permission to submit a request on your behalf, and we may require that you verify your identity directly with us. Alternatively, an authorized agent that has been provided power of attorney pursuant to Probate Code sections 4000-4465 may submit a request on your behalf.

Methods for Submitting Consumer Requests and Our Response to Requests

You may submit a request for access and requests to delete Personal Information about you via:

Upon receipt of a request, we may ask you for additional information to verify your identity. Any additional information you provide will be used only to verify your identity and not for any other purpose.

We will acknowledge the receipt of your request within 10 days of receipt. Subject to our ability to verify your identity, we will respond to your request within 45 days of receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. In order to protect your privacy and the security of Personal Information about you, we may need to verify your identity before processing your request. In some cases we may need to collect additional information to verify your identity, such as a government-issued ID.

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

The Right to Non-Discrimination

You have the right not to be discriminated against for the exercise of your California privacy rights described above. Unless permitted by the CCPA, we will not:

  • Deny you goods or services;
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
  • Provide you a different level or quality of goods or services; or
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Changes To This Privacy Policy

This Privacy Policy was last updated on May 19, 2026, and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page. We reserve the right to update or change our Privacy Policy at any time and you should check this Privacy Policy periodically. Your continued use of the Service after we post any modifications to the Privacy Policy on this page will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified Privacy Policy. If we make any material changes to this Privacy Policy, we will notify you either through the email address you have provided us, or by placing a prominent notice on our website.

Contact Us

If you have any questions about this Privacy Policy, or wish to exercise any of the rights described above, please contact us at support@sleuth.io. For general support inquiries, you can also reach us at support@sleuth.io.