OpenMaskit / privacy

What we send, what we don't, and how to opt out.

OpenMaskit is an open-source proxy that runs on your machine. The only data that ever leaves your machine is documented below — every claim on this page is verifiable against the open-source code. A formal Privacy Policy covering our backend infrastructure is being prepared with legal counsel and will be published here when ready.

What stays on your machine

The OpenMaskit OSS does its work locally. The following is created and held exclusively on your machine and is never transmitted to us:

We have no way to read any of the above, because it never leaves your machine.

What is sent when you use the marketplace

OpenMaskit contacts our backend only when you use the marketplace — browse the catalog, view a server's details, or check for updates. When it does, the request carries:

The endpoints that receive these requests are:

GET api.maskitmcp.com/api/marketplace/catalog

List available MCP servers.

GET api.maskitmcp.com/api/marketplace/servers/{id}

Fetch a server's install details.

GET api.maskitmcp.com/api/version_check

Check whether your OpenMaskit version is supported.

How to opt out

Set the environment variable OPENMASKIT_DISABLE_MARKETPLACE=1 before starting OpenMaskit. With this set, the catalog, server-detail, and version-check endpoints return empty results without contacting our backend at all. Custom (non-marketplace) servers — both stdio and HTTP — continue to work normally.

To rotate the installation ID without disabling anything else, delete ~/.openmaskit/.installation_id. The OSS generates a new one on the next run.

How to verify these claims

OpenMaskit is distributed under the Apache License 2.0. You can read the source at github.com/MaskitMCP/openmaskit to confirm exactly what is transmitted from your machine. The endpoints above are the complete set of network calls the OSS makes to our backend. You can also confirm empirically by inspecting traffic in your browser's developer tools, or by setting OPENMASKIT_DISABLE_MARKETPLACE=1 and observing that no requests reach our backend.

What this notice does not cover

This page describes the behavior of the OpenMaskit open-source client. A separate, formal Privacy Policy covering our backend infrastructure — logging, retention, jurisdiction, data subject rights under GDPR/CCPA, and similar topics — is being prepared with legal counsel and will be published at this URL when it is reviewed and ready. Until then, if you have questions about how we handle requests on the infrastructure side, please email privacy@maskitmcp.com.

Transparency notice — not a binding privacy policy. Updated 2026-06-02.