Last updated: March 2, 2026
This privacy policy describes how LightSync Pro (“we,” “us,” “our”) collects, uses, and protects information when you connect to our service through an AI assistant (such as Claude, ChatGPT, or Cursor) using the Model Context Protocol (MCP). This policy supplements our general Privacy Policy.
What We Collect
Authentication Data. When you connect through an AI assistant, we collect the email address and license key you provide during the OAuth login flow. We use this solely to verify your identity and license status.
OAuth Tokens. We issue short-lived access tokens (24 hours) and refresh tokens (30 days) to maintain your connection. Token hashes are stored on our servers to support refresh and revocation. We do not store the full token values.
Site Selection. During the consent flow, you choose which WordPress site to connect. We store this selection to scope your AI assistant’s access to that specific site.
Tool Usage Logs. We log which MCP tools are invoked, timestamps, and response status codes for debugging, abuse prevention, and service improvement. These logs do not include the content of your prompts, conversations, or the full content of tool responses.
What We Do NOT Collect
- Conversation data. We never see, store, or have access to your conversations with Claude or any other AI assistant.
- Prompt content. We do not receive or log the prompts you send to the AI assistant.
- Extraneous user data. We do not collect browser fingerprints, IP-based geolocation profiles, or behavioral analytics beyond basic request logging.
How We Use Your Data
We use the data we collect exclusively to:
- Authenticate your identity and verify your license
- Route tool requests to the correct WordPress site
- Enforce plan-based capabilities (which tools are available)
- Maintain and refresh your connection session
- Debug errors and monitor service health
- Prevent abuse and enforce rate limits
Data Sharing
We do not sell, rent, or share your personal data with third parties for marketing purposes.
Data may be shared in these limited circumstances:
- Your WordPress site. Tool requests are forwarded to the WordPress site you selected during the consent flow. Your site receives the tool request and an access token that identifies the connection.
- Third-party source APIs. When you use tools that access connected sources (Lightroom, Figma, Canva, etc.), we forward requests to those APIs using the OAuth credentials you previously authorized through those services. We act as a secure broker — your source credentials are never exposed to the AI assistant or your WordPress site.
- AI generation providers. When you use AI image or text generation tools, prompts are forwarded to OpenRouter, which routes them to the selected AI model provider. OpenRouter’s privacy policy applies to that data.
- Legal requirements. We may disclose data if required by law, regulation, or legal process.
Data Security
We protect your data through:
- RS256 JWT tokens — Access tokens are cryptographically signed with RSA keys. Your WordPress site validates tokens using our public JWKS endpoint without any shared secrets.
- PKCE (S256) — The OAuth flow uses Proof Key for Code Exchange to prevent authorization code interception.
- Token rotation — Refresh tokens are single-use. Each refresh issues a new token pair and revokes the previous one.
- Encrypted storage — OAuth credentials for third-party sources are encrypted at rest on our broker server.
- HTTPS everywhere — All communication uses TLS encryption.
Data Retention
- Access tokens: Expire after 24 hours and are not stored (only validated via signature).
- Refresh tokens: Expire after 30 days. Revoked tokens are purged within 7 days.
- Authorization codes: Expire after 10 minutes and are deleted after use.
- OAuth client registrations: Retained while the client is active. Unused registrations may be purged after 90 days.
- Request logs: Retained for 30 days, then automatically deleted.
Your Rights
You can:
- Disconnect at any time — Remove the connector from Claude’s settings or your AI assistant’s configuration. This immediately stops new requests.
- Revoke access — Contact us to explicitly revoke all tokens associated with your account.
- Request data deletion — Email support@lightsyncpro.com to request deletion of your OAuth data and request logs.
- Access your data — Request a copy of the data we hold about your MCP connections.
Children’s Privacy
LightSync Pro is not intended for use by children under the age of 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children.
Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated through our website or email. Continued use of the MCP connection after changes constitutes acceptance.
Contact
For privacy questions or data requests:
- Email: support@lightsyncpro.com
- Web: lightsyncpro.com/contact
- GitHub repo: https://github.com/TagTeamDesign/lightsync-pro/
