Privacy Policy

Last updated: July 5, 2026

Hoaster is a hosting service for AI agents: connect it to an AI assistant over the Model Context Protocol (MCP), and the assistant can publish content — an HTML page, image, or other web artifact — to a public URL that's yours. This policy explains what information we collect, how we use and store it, who we share it with, and the choices you have. It covers hoaster.app, the published-content domains (*.hoaster.page and any custom domains you attach), and the Hoaster MCP server at https://hoaster.app/api/mcp.

Who we are

Hoaster ("we", "us") operates the Hoaster service. For any privacy question or request, contact us at privacy@hoaster.app. We are the data controller for the account and usage data described below.

Information we collect

We collect only what we need to run the service:

  • Account information. Your name, email address, and a securely hashed password (we never store passwords in plain text). If you sign in through a provider, we store the identifiers that provider returns.
  • Content you publish. The artifacts you (or your AI assistant on your behalf) publish — their bytes, content type, URL slug, the space they belong to, and, if you protect a page, a hashed version of the page password. This content is stored so we can serve it at your public URL.
  • Custom domains. If you attach your own domain, we store the hostname and the verification records needed to route and secure it.
  • Billing information. If you subscribe to a paid plan, we store your plan, status, billing interval, and the customer/subscription identifiers from our payment processor. Your card details are handled by Polar, not by Hoaster.
  • Technical and session data. To keep you signed in and to secure your account, we store session tokens and may record the IP address and browser user-agent associated with a session. Our servers also generate standard logs.
  • AI client connections. When you connect an AI assistant to Hoaster, we act as an OAuth 2.1 authorization server: we store the authorization grant and access tokens that let that specific client publish on your behalf, until you disconnect it.

How AI assistants connect (MCP)

Hoaster is used through an AI assistant (such as Claude or ChatGPT) that connects to our MCP server. You authorize the connection once with a browser sign-in (OAuth 2.1) — there are no tokens to copy and paste. After that, the assistant can call two tools: publish (put content online at a URL) and list_spaces (list the spaces you can publish into).

We receive the content the assistant sends us to publish, plus the parameters of those tool calls. We do not receive your broader conversation with the assistant, and we do notuse your content or account data to train AI models — ours or anyone else's. You can revoke an assistant's access at any time from your AI client's connector settings.

Published content is public

Publishing is, by design, a public act: anything you publish becomes available at a public URL (*.hoaster.pageor your custom domain) to anyone who has the link, and may be crawled or cached by search engines and other services. Do not publish information you don't want to be public. Optional password protection adds a gate in front of a page, but you should still avoid publishing sensitive personal data. You remain responsible for the content you publish and for having the right to publish it.

How we use your information

  • To provide the service — store and serve the content you publish.
  • To authenticate you and secure your account and sessions.
  • To operate paid plans, enforce plan limits, and process billing.
  • To send essential service messages (e.g. password resets, billing notices, and — if you approach a soft limit — a heads-up to upgrade).
  • To monitor, debug, prevent abuse, and improve reliability and performance.
  • To comply with legal obligations.

We do not sell your personal information, and we do not use the content you publish to train AI models.

How we share information (sub-processors)

We share data only with the service providers we rely on to run Hoaster, each acting on our instructions:

ProviderPurposeLocation
Amazon Web Services (S3)Stores the content you publish (artifacts).EU (Frankfurt, eu-central-1)
VercelHosts the application and issues TLS certificates for custom domains.United States / global edge
PolarProcesses payments and manages subscriptions. Polar — not Hoaster — handles your card details.United States
Google AnalyticsAggregate, privacy-preserving usage analytics for our marketing site.United States
PostHogProduct analytics — records account and usage events (such as sign-ups, sign-ins, and when content is published) so we can understand and improve how the service is used.European Union (Frankfurt)
SentryError monitoring — when something breaks, records the error and the technical context around it (such as the page or request involved, your browser, and your IP address) so we can diagnose and fix it. It is configured not to record the contents of your requests.European Union (Germany)

We may also disclose information if required by law, to enforce our terms, or to protect the rights, safety, and security of Hoaster, our users, or the public. If Hoaster is involved in a merger or acquisition, data may transfer as part of that transaction, subject to this policy.

Cookies and analytics

We use strictly necessary cookies to keep you signed in. You can block cookies in your browser, but strictly necessary cookies are required to use your account.

On our marketing site we use Google Analytics to understand aggregate usage (such as which pages are visited), in a privacy-preserving, aggregate form.

Within the product we use PostHog for product analytics. We record events about how the service is used — for example, when you sign up, sign in, or publish content — associated with your account identifier, along with standard technical details such as device, browser, and approximate location (derived from your IP address). We use this to understand and improve the product, diagnose issues, and see whether features work. PostHog processes this data on our behalf and hosts it in the European Union. We do not use it for advertising, we do not sell it, and we do not use it to train AI models. To delete your analytics data, contact us (see Your rights and choices).

Data retention

We keep your account data and published content for as long as your account is active. When you delete your account, we delete your account data and the content you published, except where we must retain certain records to meet legal, tax, or accounting obligations, or for a short period in routine backups. Server logs are retained for a limited period and then deleted or anonymized.

Security

We protect your data with industry-standard measures: encryption in transit (HTTPS/TLS), hashed passwords, scoped access tokens, and access controls on our infrastructure. No system is perfectly secure, but we work to safeguard your information and to respond promptly to any incident.

Your rights and choices

Depending on where you live, you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing. You can:

  • Update your account details from your dashboard.
  • Unpublish or delete content you've published.
  • Disconnect any AI assistant's access from that client's connector settings.
  • Ask us to delete your product-analytics data (see Cookies and analytics).
  • Delete your account, which removes your associated data.

To exercise any right, or if you have a complaint, email us at privacy@hoaster.app. You also have the right to lodge a complaint with your local data protection authority.

International data transfers

We operate globally, and your information may be processed in countries other than your own, including the United States and the European Union (we store published content in the EU, in Frankfurt). Where required, we rely on appropriate safeguards, such as standard contractual clauses, for these transfers.

Children's privacy

Hoaster is not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us personal data, contact us and we will delete it.

Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you. Your continued use of Hoaster after a change means you accept the updated policy.

Contact us

Questions or requests about this policy or your data? Email privacy@hoaster.app.

See also our pricing.