Privacy Policy
Last updated: 30 April 2026
stream-estate-mcp is an independent, non-commercial open-source project that lets you reach the stream.estate property API from a Model Context Protocol client (e.g. Claude Desktop) using your own stream.estate API key. This page explains what data the service processes, why, and your rights under the EU General Data Protection Regulation (GDPR).
1. Who we are
- Controller: Stream Estate MCP, an independent personal project operated from France
- Source code: github.com/NikitasKotsolakos/stream-estate-mcp
- Affiliation: none. This is a personal hobby project; we are not affiliated with stream.estate.
The project is small enough that it is not required to appoint a Data Protection Officer under Art. 37 GDPR.
2. What data we process
| Data | How we get it | Where it lives |
|---|---|---|
| Username | You choose it on the login form | Server memory only |
| stream.estate API key | You enter it on the login form | Server memory only |
| OAuth client credentials | Auto-generated when your AI client registers itself | Server memory only |
| Access logs (IP, timestamp, path, status) | Generated automatically by the web server and the hosting provider | Operational logs, retained briefly |
| Session cookie | Set when you log in | Your browser, plus server memory during the OAuth flow |
We do not collect your real name, email address, payment information, search queries, marketing preferences, device fingerprints, or analytics data.
3. Why we process it
| Processing | Purpose | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Username + API key | Authenticate you and forward your MCP requests to stream.estate on your behalf | Consent — Art. 6(1)(a). You give it by submitting the login form and ticking the consent box. |
| OAuth client credentials | Allow your AI client to obtain access tokens and call the MCP server | Consent — Art. 6(1)(a) |
| Access logs | Operate the service, debug errors, detect abuse | Legitimate interest — Art. 6(1)(f) |
4. How long we keep it
- API key & username: in memory only. Erased on every server restart. There is no database, no disk persistence, no backup.
- OAuth client credentials: in memory only — also lost on restart (your AI client re-registers transparently).
- Access logs: retained briefly by the hosting provider for operational and security purposes — typically a few days, then rotated out.
- Session cookie: cleared when you sign out or when the cookie expires.
5. Who we share data with
- stream.estate — when you use any MCP tool, your API key and the parameters of your request (e.g. property search criteria) are sent to stream.estate so it can serve the response. stream.estate is an independent data controller for the data you submit through their API. Refer to their privacy policy for how they handle it.
- Hosting provider — the server runs on third-party infrastructure that processes web traffic and may briefly retain operational logs. The hosting provider acts as a processor under Art. 28 GDPR.
- Your AI client (e.g. Claude Desktop, Claude Code) — your prompts and responses pass through whatever client you choose to use. That relationship is between you and your AI client provider; this service has no part in it.
We do not sell, rent, or share data for marketing, advertising, or analytics purposes.
6. International transfers
The server is hosted on infrastructure located in the European Union. Calls you make to stream.estate are governed by stream.estate's own privacy practices and may involve transfers we have no control over.
7. How we protect your data
- The API key is held in memory only — never written to disk, logs, or any database.
- All traffic is served over HTTPS.
- Authentication uses OAuth 2.0 with PKCE; access tokens are short-lived signed JWTs.
- The full source code is open and auditable on GitHub.
- We do not log API keys, search parameters, or response bodies.
That said, this is a personal hobby project provided as-is. We make no guarantee of uptime, security, or fitness for any particular purpose.
8. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data (Art. 17)
- Restrict or object to processing (Art. 18, 21)
- Receive your data in a portable format (Art. 20)
- Withdraw consent at any time (Art. 7(3)). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, contact us on GitHub.
You also have the right to lodge a complaint with your supervisory authority. In France, this is the CNIL:
3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07
www.cnil.fr
9. Cookies
We use a single session cookie that is strictly necessary for the OAuth login flow to function. We do not use analytics cookies, tracking pixels, or third-party cookies. Because no non-essential cookies are set, no consent banner is required.
10. Automated decision-making
We do not perform automated decision-making or profiling within the meaning of Art. 22 GDPR.
11. Changes to this policy
We may update this policy from time to time. The "last updated" date at the top reflects the most recent version. Material changes will be communicated on the login page.