Privacy Policy
Last updated: January 1, 2026
YNAB MCP ("we", "our", or "the service") connects your YNAB budget data to AI assistants using the Model Context Protocol. This policy explains how we handle your data.
Data We Collect
When you authenticate with YNAB MCP, we receive:
- OAuth tokens from YNAB (access token and refresh token)
- Budget data synced from your YNAB account (accounts, categories, transactions, payees)
- Usage analytics (which tools you use, anonymized)
We do not collect your YNAB password or any financial institution credentials.
How We Store Your Data
- OAuth tokens are encrypted using AES-256-GCM and stored in MongoDB
- Budget data is stored in an encrypted SQLite database unique to your account, using a key derived from your refresh token
- All data is encrypted at rest and in transit
Data Retention
- Budget data is automatically deleted after 48 hours of inactivity
- OAuth tokens are deleted when you disconnect your account or upon your request
- You can request immediate deletion at any time
Third-Party Sharing
We do not sell, share, or pass your data to any third party. Your budget data is only accessed by the AI assistant you connect to YNAB MCP.
Your Rights
You can:
- View your data through the MCP tools
- Delete your data by emailing [email protected]
- Revoke access at any time from your YNAB Developer Settings
We will process deletion requests within 48 hours.
Security
- All connections use HTTPS/TLS
- Tokens are encrypted with AES-256-GCM
- Database encryption keys are derived from your OAuth tokens and never stored
- We follow security best practices for handling financial data
Changes to This Policy
We may update this policy. Changes will be posted here with an updated "Last updated" date.
Contact
Questions about this policy? Email [email protected].
We are not affiliated, associated, or in any way officially connected with YNAB or any of its subsidiaries or affiliates.