Privacy Policy

Last updated: 2026-05-17

Overview

This service is a hosted Model Context Protocol (MCP) server for Oura Ring. It lets a user connect their Oura account to supported MCP clients (such as Claude) through OAuth.

Data We Access

When you authorize this service with Oura, we access only the data your granted OAuth scopes permit, which can include daily readiness, sleep, activity, stress, heart-rate series, workouts, mindfulness sessions, user-entered tags, SpO2, and ring/personal metadata.

How We Use Data

We use your Oura data exclusively to fulfil MCP tool requests you initiate through your connected client. We refresh OAuth access tokens when needed using your Oura refresh token, and operate and secure the hosted MCP service. We do not sell or share your Oura data with third parties.

Data Storage

This service runs on Cloudflare Workers. It does not maintain a long-term database of your Oura ring data. We store the minimum data required to operate the connector:

• Your Oura OAuth access token and refresh token, encrypted at rest using AES-GCM with a per-user key derived via HKDF-SHA256, in Cloudflare Workers KV.
• Short-lived OAuth state required to complete authentication (expires within 10 minutes).
• Short-lived response cache entries keyed to your Oura user ID, used to reduce Oura API load. Cache TTLs range from 5 minutes (today's data) to 24 hours (historical data) and expire automatically.

We do not log Oura ring data contents. Operational logs are limited to non-sensitive service metadata.

Data Retention

Stored OAuth credentials are retained only as long as needed to keep your connector working. When you remove the connector from your MCP client or revoke the Oura OAuth grant, your stored tokens become unreachable on next use.

Data Sharing

We do not share your Oura data with third parties except with Cloudflare, which provides the hosting infrastructure (Workers, Workers KV) required to operate the service, when required by law, or when necessary to protect the security, integrity, or operation of the service. Cloudflare is the only third-party infrastructure provider used by this service.

Security

We use OAuth-based delegated access rather than asking for your Oura credentials. Tokens are encrypted at rest. Secrets are stored as Cloudflare Worker secrets, not in source control. No system can guarantee absolute security, but reasonable technical measures are used to reduce unauthorized access risk.

Your Choices

You can stop using this service at any time by removing the connector in your MCP client's settings, or by revoking the Oura OAuth grant for this application from your Oura account.

Contact

Questions about this policy or requests related to stored OAuth credentials: ivan@smirnovlabs.com.