Privacy policy

Last updated April 27, 2026

Joshua's product architecture is the privacy policy: we provide auth context — pointers and schemes, not credentials. We never ask for, receive, store, or log the secrets that protect the APIs you register. This page describes the data we do hold and what we do with it.

Account data

When you register an account we store your email, a hashed password, and an API key that the MCP server uses to identify you. You can rotate the API key from your dashboard at any time.

Tool registrations

For each tool you register we store: a display name, a reference to a tool description (public or private), an auth_block (auth scheme and a pointer to where your credential lives — never the credential itself), and any user_context notes you wrote. Private tool descriptions you paste in are scoped to your account.

What we never collect

  • Credentials of any kind — API keys, passwords, OAuth tokens, secrets.
  • The contents of API requests or responses your agent makes. Joshua is not on the call path.
  • Files, documents, or business data flowing through the APIs you've registered.

Logs and analytics

We log MCP tool invocations (which tool, when, by which account) for abuse prevention, rate limiting, and product analytics. We use Google Analytics on the marketing pages of usejoshua.com to understand traffic patterns. We do not sell or share these logs.

Third parties

Joshua runs on hosting and database providers (currently Vercel and Supabase) that process data on our behalf under their own security and privacy commitments. They store the same data described above — no credentials.

Your controls

  • Rotate or revoke your API key from the dashboard.
  • Delete individual tool registrations or your entire account at any time.
  • Use the contact form for data access or deletion requests.

Changes

We'll update the date at the top of this page when this policy changes and announce material changes by email to active accounts.