Privacy notice — Curri MCP

This notice supplements Curri's main Privacy Policy with information specific to the Curri MCP (Model Context Protocol) server at mcp.curri.com. The main policy remains the controlling document; this page describes only what is different or additional when you use Curri through an MCP-enabled AI client.

Last updated: May 22, 2026

What the MCP server processes

The MCP server is a thin protocol bridge between an AI client (for example, Claude Desktop, Claude Code, or Cursor) and Curri's existing APIs. When you connect a client and invoke a tool, the server processes:

  • Your Curri account identity, obtained through the OAuth authorization you grant to the client
  • The tool arguments your AI client sends (for example, addresses, item descriptions, delivery filters)
  • The responses returned by the underlying Curri APIs (for example, quotes, delivery records, tracking data)
  • Standard request metadata (timestamp, client identifier, IP address) used for security monitoring and rate limiting

OAuth and access scopes

Access is granted via OAuth 2.1 with PKCE. You see and approve the scopes your client requests before any tool can run. You can revoke access at any time from your Curri account settings; once revoked, the client can no longer make MCP requests on your behalf.

AI clients as third-party processors

Heads up: The AI client you connect (Anthropic Claude, Cursor, or another MCP host) is operated by that vendor, not by Curri. Anything you type into the client, and anything the server returns to it, is subject to that vendor's privacy terms. Review them before connecting accounts that contain sensitive data.

Retention

Tool inputs and outputs are not stored on the MCP server beyond the lifetime of the request. Operational logs (request metadata, error traces) are retained on Curri's standard observability stack as described in the main Privacy Policy. Data written to Curri APIs through MCP tools (a booked delivery, for example) persists in Curri's primary systems under the standard retention rules.

Your rights and choices

All access, correction, deletion, and portability rights described in the main Privacy Policy apply unchanged. To exercise them in relation to MCP-mediated activity, or to request deletion of OAuth-issued credentials, contact [email protected].

Changes

We will update the “Last updated” date above whenever this notice changes. Material changes will also be called out in the main Privacy Policy's changelog at curri.com/privacy.