RefBridgeMCP · A product of PersonAIlized, LLC
Privacy Policy
Last updated: July 4, 2026
This Privacy Policy describes our privacy practices with respect to RefBridgeMCP (the "Service"), a hosted Model Context Protocol bridge that connects third-party AI clients to your Zotero library.
In this policy, "we," "us," and "our" refer to PersonAIlized, LLC, a North Carolina (US) limited liability company. "You" and "your" refer to users of the Service. Zotero MCP is not affiliated with, sponsored by, or endorsed by the Corporation for Digital Scholarship or the Zotero project.
We may update this policy from time to time. When we do, we will change the "Last updated" date above.
1. Information We Collect
1.1 Information you provide via Zotero OAuth
- Your Zotero user ID and username
- An OAuth access token scoped to your Zotero library
- An email address, if and when you choose to provide one for account recovery or Pro billing
1.2 Information from MCP requests
When an AI client you have authorized makes a request to your MCP endpoint, the request transits our servers so that we can call the Zotero API on your behalf. We do not persistently store the content of your library beyond short-lived caches needed to fulfill the request.
1.3 Automatically collected information
- Session and pending-session cookies (see §5)
- IP addresses (used transiently for security, rate limiting, and abuse prevention)
- Usage logs (request counts, latency, error rates) for billing, auditing, and abuse prevention
1.4 Payment information
Payment information is processed by Stripe. We do not store full payment details. We receive from Stripe only the subscription status and metadata needed to grant Pro access.
2. How We Use Information
We use your personal information to provide and operate the Service, to authenticate you, to fulfill MCP requests from AI clients you have authorized, to enforce usage limits, to bill for paid features, and to communicate with you about the Service. Aggregated, de-identified usage data, such as request counts and error rates, may be used to understand how the Service is used and to improve it. We may use personal information to comply with legal obligations. We do not sell your personal information, and we do not use your Content to train AI models.
3. AI Clients and Content Flow
The Service does not itself operate a large language model. When you connect an AI client (Claude, ChatGPT, another MCP client, etc.), that client will send prompts and receive Zotero data via your MCP endpoint. The AI client's provider processes that data under its own terms and privacy policy. You are responsible for reviewing those documents before connecting a client.
4. Subprocessors
We rely on the following third-party subprocessors to operate the Service. Each is contractually bound to protect your information and to use it only as needed to provide their service to us.
| Subprocessor | Purpose | Data |
|---|---|---|
| Lovable Cloud / Supabase | Application hosting, database, background jobs | Zotero user ID, encrypted OAuth tokens, session records, usage logs |
| Cloudflare | Edge network, TLS termination, DDoS and bot mitigation | Request metadata (IP, headers), strictly-necessary security cookie __cf_bm |
| Stripe | Payment processing, subscription management | Billing email, payment method (held by Stripe), subscription status |
| Zotero (Corporation for Digital Scholarship) | Source of your library data via authorized OAuth | Your library items, notes, tags, and attachments — retrieved on request |
| Transactional email provider | Account recovery and verification emails | Email address, delivery status |
5. Cookies
RefBridgeMCP uses strictly-necessary cookies only. We do not use advertising, behavioral, or analytics cookies, and no consent banner is required for current use.
- zmcp_session — encrypted first-party session cookie (AES-256-GCM) that identifies you to the dashboard. HttpOnly, Secure, SameSite=Lax. Lifetime set by you in your dashboard (session-only up to a configured number of days).
- zmcp_pending — short-lived first-party cookie used during the email verification step. HttpOnly, Secure, SameSite=Lax. Lifetime approximately 30 minutes.
- __cf_bm — strictly-necessary bot-management cookie set by Cloudflare on our behalf.
Third-party services (Stripe, Zotero) set their own cookies on their own domains when you interact with them; those cookies are governed by their respective policies.
6. Information Sharing
We share information with:
- Subprocessors listed in §4, to operate the Service.
- Legal authorities when required by law or when we believe that providing the information is reasonable to protect the life, health, safety, or property of any party.
- Successors in the event of a business transaction.
We do not sell your personal information.
7. Personal Information of Children
The Service is not directed at children under the age of 13, and we do not knowingly collect personal information from them. If you believe that we have been provided with such information, please contact us using the address below.
8. Data Retention and Deletion
We retain your account records (Zotero user ID, encrypted tokens, subscription status) for as long as your account is active. Usage logs are retained for a rolling window sufficient for billing, security, and abuse prevention.
You can disconnect Zotero at any time from your dashboard, which revokes stored OAuth tokens and terminates active MCP sessions. Deletion of remaining account records can be requested by emailing legal@personailized.com. Backups may retain data for a limited additional period consistent with normal backup rotation.
9. Contact
If you have any questions or concerns about our privacy practices, contact us at:
PersonAIlized, LLC
Email: legal@personailized.com