what this is

sklophome-mcp is a personal OAuth application registered in a Google Cloud Platform project of the same name. Its purpose is to let the operator (Shaun Klopfenstein) access his own Google Workspace data programmatically via a self-hosted Model Context Protocol (MCP) server reachable at workspace-mcp.sklophome.org.

This is not a commercial service. Authorized users are limited to a small set of personally-controlled accounts. The app operates under Google's personal-use exemption (fewer than 100 users, no public distribution).

data accessed

Once a user grants authorization, and depending on which scopes they consent to, the app may read and/or modify:

• Gmail — messages, threads, labels, drafts, filters, attachments
• Google Drive — files, folders, metadata, sharing permissions
• Google Docs, Sheets, Slides, Forms — content and structure
• Google Calendar — events, calendars, freebusy data
• Google Tasks, Contacts, Chat — items, lists, messages
• Google Apps Script — projects, source files, deployments

Scopes correspond to the operations implemented by the upstream open-source MCP server (taylorwilsdon/google_workspace_mcp). No scopes outside that set are requested.

how data flows

A typical request: LLM client (e.g. Claude) → sklophome-mcp server → Google API → response back through the chain. Data passes through the server in-memory per request.

The server does not log, store, or persist message contents, file contents, calendar data, or other user payload data. Refresh and access tokens issued by Google are stored at rest on the self-hosted server with file-system permissions restricted to the server's runtime user.

Operational logs (timestamps, request paths, response status codes, error messages) may be retained for troubleshooting purposes but do not include the contents of user data.

When data is returned to an LLM client, that client's provider processes it under their own terms (for example, Anthropic's terms of service for Claude).

who has access

• The operator of the sklophome-mcp app (Shaun Klopfenstein)
• The authenticated user, when issuing requests as themselves
• The LLM provider whose client is calling the MCP server, governed by that provider's terms

No third-party analytics, advertising, or sub-processors are used. Data is not sold, shared with marketers, or aggregated for any purpose.

retention & deletion

OAuth tokens persist until the user revokes access at myaccount.google.com/permissions or until they expire per Google's token-lifecycle rules. Revocation removes the token on Google's side; any locally cached copy becomes inert at the next refresh attempt and is removed from disk on next server restart or cleanup.

User content is not stored server-side, so there is no separate content-deletion process.

security

Transport is HTTPS-only, terminated by Cloudflare. The OAuth callback uses Google's standard authorization-code flow with PKCE. Tokens at rest are restricted to the server's runtime user via filesystem permissions.

This app is not subject to a third-party security assessment (CASA). Operating under the personal-use exemption, the operator accepts responsibility for the security posture of the self-hosted infrastructure.

children

This app is not directed at children under 13 (or the equivalent age in the user's jurisdiction) and is not used by any such children.

changes

This policy may be updated as the app's functionality evolves. Material changes are reflected by the date at the top of this page.

contact

Questions: shaun.c.klopfenstein@gmail.com