OpenMaskit / privacy
What we send, what we don't, and how to opt out.
OpenMaskit is an open-source proxy that runs on your machine. The only data that ever leaves your machine is documented below — every claim on this page is verifiable against the open-source code. A formal Privacy Policy covering our backend infrastructure is being prepared with legal counsel and will be published here when ready.
What stays on your machine
The OpenMaskit OSS does its work locally. The following is created and held exclusively on your machine and is never transmitted to us:
- Tool-call arguments, tool-call responses, and any sensitive data they reference.
- Masking rules, alias mappings, and the contents of
~/.openmaskit/store.db. - The traffic audit log (
~/.openmaskit/traffic.db), encrypted at rest. - OAuth access and refresh tokens for upstream MCP servers (
~/.openmaskit/oauth/{server_id}.json), encrypted at rest. - The local encryption key (
~/.openmaskit/.key). - Your environment variables, host configuration, and the names of upstream MCP servers you have configured.
We have no way to read any of the above, because it never leaves your machine.
What is sent when you use the marketplace
OpenMaskit contacts our backend only when you use the marketplace — browse the catalog, view a server's details, or check for updates. When it does, the request carries:
- A
User-Agentof the formOpenMaskit/<version>, identifying the OSS version. - An
X-OpenMaskit-Installation-Idheader containing a random 25-character string generated on first run and stored at~/.openmaskit/.installation_id. The ID is opaque — it contains no personally identifiable information and is not derived from anything about you or your machine. You can rotate it at any time by deleting the file. - The minimum payload required to fulfill the specific request — for example, the catalog page number, the search query you typed, or the server ID you asked to install.
The endpoints that receive these requests are:
GET api.maskitmcp.com/api/marketplace/catalog
List available MCP servers.
GET api.maskitmcp.com/api/marketplace/servers/{id}
Fetch a server's install details.
GET api.maskitmcp.com/api/version_check
Check whether your OpenMaskit version is supported.
How to opt out
Set the environment variable OPENMASKIT_DISABLE_MARKETPLACE=1 before starting OpenMaskit. With this set, the catalog, server-detail, and version-check endpoints return empty results without contacting our backend at all. Custom (non-marketplace) servers — both stdio and HTTP — continue to work normally.
To rotate the installation ID without disabling anything else, delete ~/.openmaskit/.installation_id. The OSS generates a new one on the next run.
How to verify these claims
OpenMaskit is distributed under the Apache License 2.0. You can read the source at github.com/MaskitMCP/openmaskit to confirm exactly what is transmitted from your machine. The endpoints above are the complete set of network calls the OSS makes to our backend. You can also confirm empirically by inspecting traffic in your browser's developer tools, or by setting OPENMASKIT_DISABLE_MARKETPLACE=1 and observing that no requests reach our backend.
What this notice does not cover
This page describes the behavior of the OpenMaskit open-source client. A separate, formal Privacy Policy covering our backend infrastructure — logging, retention, jurisdiction, data subject rights under GDPR/CCPA, and similar topics — is being prepared with legal counsel and will be published at this URL when it is reviewed and ready. Until then, if you have questions about how we handle requests on the infrastructure side, please email privacy@maskitmcp.com.
Transparency notice — not a binding privacy policy. Updated 2026-06-02.