Legal

Terms, privacy, and policies

Last updated 22 May 2026. Contact hello@munge.sh with questions.

Terms of service

By creating an account or using the munge.sh MCP server, you agree to these terms. munge.sh is operated by Munge Global, registered in Oslo, Norway.

Your account

You're responsible for the credentials issued to your account — API keys, OAuth refresh tokens, and your sign-in password. If you suspect a key is compromised, revoke it from your dashboard immediately.

Credits and billing

Every MCP tools/call request costs 1 credit. You get 100 credits free each month; the balance tops back up to 100 on the 1st. Purchased credits never expire. Refunds for unused purchased credits are available on request within 14 days.

Service availability

We target 99.9% uptime but make no contractual guarantee. Status is published at /health.

Privacy

We collect the minimum necessary to operate the service:

  • Your email address (for sign-in and account recovery)
  • Hashed password and OAuth tokens
  • API request metadata (timestamp, tool name, credit cost) — never request bodies
  • Stripe customer ID and payment receipts (we don't store card numbers)

We don't sell data, don't profile users, and don't use cookies beyond the session cookie needed to keep you signed in. Data is processed in the EU (Convex Frankfurt + Railway Amsterdam).

Your rights (GDPR)

Email privacy@munge.sh to access, export, or delete your data. We respond within 30 days.

Acceptable use

munge proxies public data sources. You agree to:

  • Respect upstream rate limits. Don't issue more requests than your credit balance allows or attempt to bypass our rate limiting.
  • No automated bulk scraping. munge is for AI agents asking targeted questions, not for mirroring an upstream source.
  • No reselling. You can't repackage our MCP endpoint as your own service.
  • No illegal use. Don't use munge to harass, defame, or violate any applicable law.

Violations may result in throttling, account suspension, or termination.

Security

munge is operated with security as a first-class concern.

  • Auth. OAuth 2.1 with PKCE, RFC 7591 dynamic client registration, RS256-signed JWTs.
  • Transport. TLS 1.3 enforced; HSTS preloaded.
  • Storage. API keys are stored as SHA-256 hashes; passwords use scrypt via Convex Auth.
  • Region. All data in the EU; no transfers outside the EEA.
  • Audit. Every authenticated MCP call is logged with user ID, tool name, and timestamp.

Reporting

Found a vulnerability? Email security@munge.sh with details. We acknowledge within 48 hours and publish fixes once patched.