buildmymcpserver/apps/web/app/(marketing)/privacy/page.tsx

export const metadata = { title: 'Privacy — BuildMyMCPServer' };

const SECTIONS = [
  {
    h: 'What we collect',
    p: [
      'Account: email, organization name, the IP address of your sign-in.',
      'Workspace: the prompts you send to the generator, the generated server specifications, build logs, server names and slugs you choose.',
      'Tool-call metrics: counts, latencies, status codes — never the request or response payloads. We only know that a tool was called, how long it took, and whether it succeeded.',
      'Billing: Stripe customer id + subscription metadata for paid plans. Card details never touch our servers.',
    ],
  },
  {
    h: 'What we do NOT collect',
    p: [
      'Plaintext credentials. Every secret you save is AES-256-GCM encrypted before it hits storage. We have no ability to read them; only your container at runtime can.',
      'Tool-call payloads. The arguments your AI client sends and the responses our server returns are not stored or logged.',
      'Browsing data, cross-site tracking, advertising identifiers.',
    ],
  },
  {
    h: 'Where it lives',
    p: [
      'EU region by default (Hetzner Falkenstein, Germany).',
      'Postgres + Redis + container hosts are all in the same region.',
      'Backups encrypted at rest in Backblaze B2 EU.',
    ],
  },
  {
    h: 'Subprocessors',
    p: [
      'Anthropic (generation) — only the prompt text you send. Anthropic\'s data-retention policy applies.',
      'Hetzner (compute).',
      'Backblaze (encrypted backups).',
      'Stripe (billing).',
      'Cloudflare (DNS + DDoS).',
    ],
  },
  {
    h: 'Retention',
    p: [
      'Active account: all workspace data kept while subscribed.',
      'Cancelled account: 30-day grace period, then full deletion (servers, builds, logs, audit).',
      'Audit log: 1 year on Team+, 30 days on Pro/Hobby.',
      'Tool-call metrics: 30 days, then aggregated to daily counts.',
    ],
  },
  {
    h: 'Your rights (GDPR)',
    p: [
      'Access — export everything in JSON via the settings page (Sprint 4) or by email.',
      'Deletion — delete your organization in settings; everything goes within 30 days.',
      'Rectification — change name and email yourself; everything else is editable on request.',
      'Portability — the generated TypeScript source of every server is yours, downloadable.',
    ],
  },
];

export default function Privacy() {
  return (
    <div className="mx-auto max-w-3xl px-6 py-16">
      <header className="mb-12">
        <div className="text-[11px] uppercase tracking-[0.16em] text-[--color-fg-subtle]">
          Privacy policy
        </div>
        <h1 className="mt-2 text-[32px] font-semibold tracking-tight">Privacy</h1>
        <p className="mt-3 text-[14px] leading-relaxed text-[--color-fg-muted]">
          Plain language. What we collect, where it lives, how to get it deleted. Last updated
          2026-05-19.
        </p>
      </header>

      <div className="space-y-9">
        {SECTIONS.map((s) => (
          <section key={s.h}>
            <h2 className="text-[16px] font-semibold tracking-tight">{s.h}</h2>
            <ul className="mt-3 space-y-1.5">
              {s.p.map((p) => (
                <li
                  key={p}
                  className="relative pl-4 text-[13.5px] leading-relaxed text-[--color-fg-muted] before:absolute before:left-0 before:top-2 before:size-1 before:rounded-full before:bg-[--color-fg-subtle]"
                >
                  {p}
                </li>
              ))}
            </ul>
          </section>
        ))}

        <section>
          <h2 className="text-[16px] font-semibold tracking-tight">Contact</h2>
          <p className="mt-3 text-[13.5px] leading-relaxed text-[--color-fg-muted]">
            Data controller: BuildMyMCPServer. Email{' '}
            <a className="text-[--color-accent] underline" href="mailto:privacy@buildmymcpserver.com">
              privacy@buildmymcpserver.com
            </a>{' '}
            for any of the above.
          </p>
        </section>
      </div>
    </div>
  );
}
feat(web): real 3-step wizard, settings, audit, docs, marketing pages Sprint 3.5: close every dead link and replace the single-step wizard with the spec-mandated 3-step flow. Wizard: - Step 1 collects prompt + name + slug, calls /v1/servers/preview. - Step 2 renders parsed tools (name, description, input schema as copyable JSON) + a credential field per requiredSecret Claude actually identified. Self-contained servers see 'No credentials needed' instead of generic Notion placeholders. - Step 3 streams the live build over WebSocket and shows install snippets. New dashboard pages: - /settings — org, plan/usage, members table, API keys + billing stubs (Sprint 4), encryption status. Reads /v1/me/org. - /audit — filterable table over /v1/audit with action pills, resource refs, IP, metadata JSON. Docs site (/docs + 6 sub-pages): - Sticky 240px sidebar, max-w-prose article column, shared DocsTitle/H2/Code primitives. - Quickstart, MCP concepts, OAuth 2.1 flow (full walkthrough with curl), Authoring tools, Self-hosting, API reference, FAQ. Marketing pages: - /changelog with tagged release timeline. - /security with 8 pillars + disclosure. - /privacy with GDPR-aware sections. - /terms (10 clauses). - /pricing full page (nav now points here instead of /#pricing anchor). - /status with live 10s probes against /api/health and /login. Footer 'system status' badge now links to /status. All 20 routes 200 OK in smoke crawl. Typecheck clean across packages. 2026-05-19 18:20:31 +02:00			`export const metadata = { title: 'Privacy — BuildMyMCPServer' };`

			`const SECTIONS = [`
			`{`
			`h: 'What we collect',`
			`p: [`
			`'Account: email, organization name, the IP address of your sign-in.',`
			`'Workspace: the prompts you send to the generator, the generated server specifications, build logs, server names and slugs you choose.',`
			`'Tool-call metrics: counts, latencies, status codes — never the request or response payloads. We only know that a tool was called, how long it took, and whether it succeeded.',`
			`'Billing: Stripe customer id + subscription metadata for paid plans. Card details never touch our servers.',`
			`],`
			`},`
			`{`
			`h: 'What we do NOT collect',`
			`p: [`
			`'Plaintext credentials. Every secret you save is AES-256-GCM encrypted before it hits storage. We have no ability to read them; only your container at runtime can.',`
			`'Tool-call payloads. The arguments your AI client sends and the responses our server returns are not stored or logged.',`
			`'Browsing data, cross-site tracking, advertising identifiers.',`
			`],`
			`},`
			`{`
			`h: 'Where it lives',`
			`p: [`
			`'EU region by default (Hetzner Falkenstein, Germany).',`
			`'Postgres + Redis + container hosts are all in the same region.',`
			`'Backups encrypted at rest in Backblaze B2 EU.',`
			`],`
			`},`
			`{`
			`h: 'Subprocessors',`
			`p: [`
			`'Anthropic (generation) — only the prompt text you send. Anthropic\'s data-retention policy applies.',`
			`'Hetzner (compute).',`
			`'Backblaze (encrypted backups).',`
			`'Stripe (billing).',`
			`'Cloudflare (DNS + DDoS).',`
			`],`
			`},`
			`{`
			`h: 'Retention',`
			`p: [`
			`'Active account: all workspace data kept while subscribed.',`
			`'Cancelled account: 30-day grace period, then full deletion (servers, builds, logs, audit).',`
			`'Audit log: 1 year on Team+, 30 days on Pro/Hobby.',`
			`'Tool-call metrics: 30 days, then aggregated to daily counts.',`
			`],`
			`},`
			`{`
			`h: 'Your rights (GDPR)',`
			`p: [`
			`'Access — export everything in JSON via the settings page (Sprint 4) or by email.',`
			`'Deletion — delete your organization in settings; everything goes within 30 days.',`
			`'Rectification — change name and email yourself; everything else is editable on request.',`
			`'Portability — the generated TypeScript source of every server is yours, downloadable.',`
			`],`
			`},`
			`];`

			`export default function Privacy() {`
			`return (`
			`<div className="mx-auto max-w-3xl px-6 py-16">`
			`<header className="mb-12">`
			`<div className="text-[11px] uppercase tracking-[0.16em] text-[--color-fg-subtle]">`
			`Privacy policy`
			`</div>`
			`<h1 className="mt-2 text-[32px] font-semibold tracking-tight">Privacy</h1>`
			`<p className="mt-3 text-[14px] leading-relaxed text-[--color-fg-muted]">`
			`Plain language. What we collect, where it lives, how to get it deleted. Last updated`
			`2026-05-19.`
			`</p>`
			`</header>`

			`<div className="space-y-9">`
			`{SECTIONS.map((s) => (`
			`<section key={s.h}>`
			`<h2 className="text-[16px] font-semibold tracking-tight">{s.h}</h2>`
			`<ul className="mt-3 space-y-1.5">`
			`{s.p.map((p) => (`
			`<li`
			`key={p}`
			`className="relative pl-4 text-[13.5px] leading-relaxed text-[--color-fg-muted] before:absolute before:left-0 before:top-2 before:size-1 before:rounded-full before:bg-[--color-fg-subtle]"`
			`>`
			`{p}`
			`</li>`
			`))}`
			`</ul>`
			`</section>`
			`))}`

			`<section>`
			`<h2 className="text-[16px] font-semibold tracking-tight">Contact</h2>`
			`<p className="mt-3 text-[13.5px] leading-relaxed text-[--color-fg-muted]">`
			`Data controller: BuildMyMCPServer. Email{' '}`
			`<a className="text-[--color-accent] underline" href="mailto:privacy@buildmymcpserver.com">`
			`privacy@buildmymcpserver.com`
			`</a>{' '}`
			`for any of the above.`
			`</p>`
			`</section>`
			`</div>`
			`</div>`
			`);`
			`}`