LightCMS Privacy Policy

Last Updated: February 26, 2026

This Privacy Policy describes how Metavert LLC ("we," "us," or "our") collects, uses, and protects information in connection with LightCMS and the LightCMS MCP (Model Context Protocol) server (collectively, the "Service").

1. Overview

LightCMS is a lightweight, AI-native content management system. It can be used as a standalone web application with an admin panel, or through the LightCMS MCP server, which enables AI assistants (such as Claude Code, Claude Desktop, or other MCP-compatible clients) to manage website content programmatically.

2. Information We Collect

2.1 Content Data

When you use LightCMS, we store the content you create, including:

• Page titles, text content, and metadata
• Template definitions and HTML layouts
• Uploaded assets (images, documents, CSS, JavaScript files)
• Theme settings and site configuration
• Content version history
• URL redirect configurations

All content data is stored in your MongoDB Atlas database instance. You control the database, its location, and access credentials.

2.2 Authentication Data

For the admin panel, we store:

• Admin password (bcrypt-hashed; we never store plaintext passwords)
• Session tokens (encrypted, temporary)
• Login attempt records (for rate limiting)

2.3 MCP Server Data

When used via the MCP protocol, the LightCMS MCP server:

• Processes tool call parameters sent by the AI client (e.g., content to create, search queries, template data)
• Returns tool results containing content data from your database
• Does not log or store MCP interactions beyond the content changes that result from tool calls
• Does not transmit data to Metavert LLC or any third party — all data flows directly between the MCP client and your database

2.4 Information We Do NOT Collect

LightCMS does not collect:

• Personal identifying information (names, email addresses, phone numbers) unless you include it in your content
• Analytics or tracking data about site visitors
• Conversation data from AI assistants (the MCP server only sees the specific tool calls directed to it)
• Usage telemetry or crash reports
• IP addresses or geolocation data

3. How We Use Information

Content data is used solely to:

• Store and serve website content you create
• Generate static HTML pages for your public site
• Maintain content version history for rollback capability
• Authenticate admin access to the management interface

We do not use your content data for advertising, profiling, model training, or any purpose other than providing the CMS service.

4. Data Storage and Security

4.1 Self-Hosted Architecture

LightCMS follows a self-hosted architecture:

• Database: Your content is stored in a MongoDB Atlas instance that you provision and control. You choose the cloud provider, region, and access policies.
• Application: The LightCMS server runs on infrastructure you deploy (e.g., Fly.io, AWS, your own server). We do not host or have access to your running instances.
• MCP Server: Runs locally on your machine as a stdio process. No network connections are made except to your MongoDB database.

4.2 Security Measures

• Passwords are hashed using bcrypt with appropriate cost factors
• Sessions are encrypted and expire automatically
• CSRF protection on all admin panel forms
• Rate limiting on login attempts
• File upload validation (MIME type and extension checking)
• Security headers (Content-Security-Policy, X-Frame-Options, etc.)
• HTTPS enforced in production deployments

5. Third-Party Services

5.1 MongoDB Atlas

Your content data is stored in MongoDB Atlas, which is subject to MongoDB's Privacy Policy. You configure and control your own Atlas account.

5.2 MCP Client Providers

When using LightCMS through an MCP client (e.g., Claude Code by Anthropic), the MCP client may process tool call data according to its own privacy policy. LightCMS has no control over how MCP clients handle data. Please review the privacy policy of your MCP client provider:

• Anthropic Privacy Policy (for Claude Code, Claude Desktop)

Note: Anthropic collects tool call parameters and responses as telemetry when you use Claude with MCP servers. Refer to Anthropic's privacy policy for details on their data handling practices.

5.3 Hosting Providers

If you deploy LightCMS on a cloud platform (Fly.io, AWS, etc.), that provider's privacy policy governs their handling of your server infrastructure. LightCMS itself does not transmit data to any hosting provider beyond normal server operation.

6. Data Retention

• Content data: Retained in your database until you delete it. Soft-deleted content can be restored; permanently removing it requires direct database operations.
• Content versions: Retained indefinitely for rollback capability. You may delete versions directly from your database.
• Session data: Expires automatically and is cleared periodically.
• Login attempt records: Retained temporarily for rate limiting, then cleared automatically.

Since you control the database, you have full authority over data retention and deletion.

7. Data Sharing

We do not:

• Sell your data to third parties
• Share your content with advertisers
• Use your content for AI model training
• Access your database or deployed instances

Your content is shared only as you direct — by publishing pages on your public website.

8. Your Rights and Controls

Because LightCMS is self-hosted, you have direct control over your data:

• Access: Query your MongoDB database directly at any time
• Export: Use MongoDB tools (mongodump, mongoexport) to export all your data
• Delete: Remove content through the admin panel, MCP tools, or direct database operations
• Portability: Your MongoDB database is yours; migrate it at any time
• Modification: Update or correct any content through the admin panel or MCP tools

9. Children's Privacy

LightCMS is a website management tool intended for use by adults. We do not knowingly collect information from children under 13 years of age.

10. International Data

Since you choose your MongoDB Atlas region and hosting provider, you control where your data is stored geographically. LightCMS itself does not transfer data across borders.

11. Open Source

LightCMS is open-source software licensed under the MIT License. You can review the complete source code at github.com/jonradoff/lightcms to verify our data handling practices.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or LightCMS's data practices, please contact us:

• Email: privacy@metavert.io
• GitHub: github.com/jonradoff/lightcms/issues

---

Metavert LLC
This policy applies to LightCMS software and the LightCMS MCP server.