Last updated: June 4, 2026

Isarud MCP Connector — Privacy Policy

This policy describes how the Isarud MCP Connector ("the Connector") processes data when integrated with Anthropic's Claude AI products.

1. Who we are

The Isarud MCP Connector is operated by Isarud, a B2B SaaS platform combining trade compliance (sanctions screening) and multi-tenant e-commerce. The platform is owned and operated by Seçkin Durası, sole founder, based in Istanbul, Türkiye. Contact: [email protected].

2. What the Connector does

The Connector exposes 23 tools to the Claude AI assistant via the Model Context Protocol (MCP). When a user authorizes the Connector through OAuth 2.0, Claude can call these tools on the user's behalf to manage their Isarud account: stores, products, orders, blog posts, and to screen parties against international sanctions lists (OFAC, EU, UN, UK).

3. Data we receive from Claude

  • Tool call arguments — the data the user supplies through Claude (e.g. a new product title, an order ID to fulfill, a name to screen). This is exactly what the user explicitly chooses to send.
  • OAuth access tokens — to authenticate the request and identify which Isarud account is involved.
  • IP address — of the originating MCP request, recorded for security and audit purposes.

We do not receive the user's Claude conversation history, message content outside of tool calls, or any other AI-derived content.

4. Data we store

  • OAuth tokens — encrypted at rest. Personal access tokens expire after 180 days; refresh tokens after 90 days; access tokens after 30 days.
  • MCP audit log — for every tool call, we record: user ID, MCP client ID, tool name, sanitized arguments (passwords, file URLs, tokens redacted), success/failure, duration, IP, timestamp. Retained for 90 days for security incident response, then deleted.
  • Tool side-effects — any data the tools create or modify in your Isarud account (products, orders, blog posts, screenings) is stored according to the main Isarud Privacy Policy.

5. Data we share

The Connector itself does not share data with third parties beyond what is necessary for tool execution:

  • Sanctions screening — when you use the screen_party tool, the queried name is matched against publicly available OFAC SDN, EU Consolidated, UN Consolidated, and UK HMT sanctions lists held within Isarud's own infrastructure. Queries are never sent to external AI providers or third parties.
  • Marketplace integrations — if you use marketplace tools to act on Trendyol, Etsy, Hepsiburada, N11, Amazon, or Pazarama, those platforms will receive the data necessary to perform the requested action (e.g. listing a product).
  • Anthropic — Claude receives the tool result (including any structured data we return). Anthropic's data retention practices apply; see Anthropic Privacy Policy.

6. Sensitive data — what we do not do

  • We do not accept payment card data, government IDs, or biometric data through the Connector.
  • We do not accept marketplace API credentials over MCP. The connect_marketplace tool only returns a setup URL; credentials must be entered through the web panel.
  • We do not train AI models on your data.
  • We do not sell user data to third parties.

7. Rate limiting and abuse prevention

To prevent abuse, the Connector enforces a default rate limit of 120 requests per minute per MCP client. Excessive failures or suspected misuse may result in token revocation.

8. Your rights

  • Revoke access at any time from your Isarud account → Settings → Authorized Applications. This immediately invalidates the OAuth token; no further tool calls succeed.
  • Export your data — contact [email protected].
  • Delete your data — deleting your Isarud account also deletes all MCP audit logs after the standard 90-day retention period.
  • GDPR/KVKK — if you are an EU or Türkiye resident, you have additional rights under GDPR (Regulation (EU) 2016/679) and KVKK (Kişisel Verilerin Korunması Kanunu). To exercise these rights, contact [email protected].

9. Security

  • All MCP traffic is served exclusively over TLS 1.3 (HTTPS).
  • OAuth tokens are JWT (RSA-4096 signed).
  • Audit logs are sanitized: passwords, secrets, API keys, file URLs, and download links are redacted before persistence.
  • Suspicious activity triggers automatic Slack alerts to our security channel.

10. Changes to this policy

We may update this policy from time to time. Material changes will be announced via the main Isarud changelog and, where required by law, by direct email to affected users.

11. Contact

Privacy questions: [email protected]
General support: [email protected]
Operator: Seçkin Durası, Isarud — Istanbul, Türkiye