Consent and authorization evidence

Users who install or connect MailSenpai MCP accept the terms and privacy notice in the AI client/marketplace and during MailSenpai OAuth. To prove acceptance later, the server records technical consent evidence.

How consent is collected

1. Marketplace or AI client: the user approves installation through the AI provider flow.
2. MailSenpai OAuth: the authorization page shows terms, privacy notice, requested scope and a mandatory checkbox.
3. Access token: the token is issued only after valid authentication and consent.

What is stored

Evidence is stored as JSON Lines in data/oauth_consents.log and includes: timestamp, policy_version, terms_url, privacy_url, client_id, redirect host, scope, resource, customer/user id where available, hashed email, hashed IP, hashed user-agent and hashed PKCE/state.

How to prove it later

Upon request, an administrator can export the entries related to the user/customer and present them together with the privacy/terms version published at that date. Raw IP addresses or email addresses do not need to be disclosed because they are hashed.

Retention

Default retention: 24 months, unless contractual or legal obligations require otherwise.

{
  "schema_version": "1.0.26",
  "policy_version": "2026-05-13",
  "terms_url": "https://mcp-claude.mailsenpai.com/terms",
  "privacy_url": "https://mcp-claude.mailsenpai.com/privacy",
  "retention_months": 24,
  "evidence_file": "data/oauth_consents.log",
  "evidence_format": "JSON Lines",
  "event_name": "oauth_authorization_consent"
}