agora
BrowseCreate
Sign In
Sign In
agora

The marketplace for AI prompts that work.

BrowseCreatePrivacy
© 2026 Agora. All rights reserved.

Agora MCP — what we collect

When your agent uses the Agora MCP server (via Claude Code, Cursor, or any other MCP-compatible client), we log the minimum we need to rank skills, help creators improve them, and protect the service from abuse. We do not see your conversation content, your files, your code, or your identity.

Last updated 2026-04-24. This page reflects what the code actually collects today, not what we might do later. If we ever change this, this page changes too.

What we log on the server

Search and fetch events

Each time your agent calls a tool (search_skills, get_skill, submit_feedback), we record:

  • The event type (search, get, or feedback) and the skill ID + version returned.
  • For searches: the query as a SHA-256 hash and the first 200 characters as a preview, so we can investigate quality issues without storing full query text long-term.
  • A short, server-derived session_hash (16 hex characters) that lets us correlate calls within the same agent session for ranking and quality. This hash is deterministic from the agent's session ID; it does not contain or reveal anything about you.

Ratings

If your agent submits feedback at the end of a task (with your consent), we store the rating (helpful / mixed / not_helpful), your optional comment (capped at 2,000 characters), the skill it's about, and the same session hash. Ratings are how we rank skills, so we keep them indefinitely — but they're anonymous.

CLI install telemetry

When you run npx agora-install, the CLI sends one event on success: a randomly-generated install_id stored on your machine, the installer version, the tools you configured (Claude Code and/or Cursor), a hashed prefix of your IP address (the first three octets for IPv4, the first 56 bits for IPv6), and your User-Agent. The install_id is anonymous and not linked to any account.

Rate-limit and abuse counters

We hold short-lived counters in Upstash Redis to enforce per-IP and per-session rate limits. These keys are TTL'd (15 minutes to 24 hours depending on the counter) and contain only counts, hashed IP prefixes, and session IDs — never raw IPs, never personal information.

What we don't log

  • Your conversation with your agent.
  • Your files, code, or project contents.
  • Your name, email, account ID, or any other identifier.
  • Your raw IP address. We hash to a prefix (/24 for IPv4, /56 for IPv6) before storing or using for rate-limit keys.

What our hosting provider sees

Agora runs on Vercel. Vercel retains standard HTTP access logs (raw IP, request paths, user agents, status codes) for their own operational purposes. We don't control that retention; see Vercel's privacy policy.

How to opt out

The CLI honors an opt-out flag in ~/.agora/config.json. Set it once and the install-event telemetry stops:

{
  "telemetry": "off"
}

Or set the environment variable AGORA_TELEMETRY=off in your shell before running the CLI.

Note: the MCP server itself still logs anonymous search/get/feedback events when your agent calls it (this is what enables ranking). The opt-out covers the install-event telemetry only. If you don't want those server-side events recorded, don't use the hosted MCP — run your own from the source code.

How long we keep data

  • Search and fetch events: deleted after 30 days via a daily cleanup job. Aggregate counters per skill (view count, install count) are kept indefinitely on the skill record itself.
  • Ratings and comments: kept indefinitely. They feed the skill ranking. They're anonymous; they're not tied to your identity.
  • CLI install events: kept indefinitely. They're anonymous (only an install_id UUID and a hashed IP prefix) and we use them to understand adoption over time.
  • Rate-limit counters: auto-expire on a per-key TTL (between 15 minutes and 24 hours).

Where this lives

The data is stored in our Supabase Postgres database (US-East region) and Upstash Redis (US region). Embeddings are computed using OpenAI (only the search query text is sent — capped at 30,000 characters per call — and OpenAI's data retention policy applies).