Privacy Policy

Last updated: May 9, 2026

Who this is for

This privacy policy covers tools and services operated by Lucian Daniliuc on daniliuc.com and its subdomains (including mcp-google.daniliuc.com).

These services are personal, single-operator tools. They are not offered to third parties and are not intended for public sign-up.

What data is processed

The services connect to Google Workspace accounts owned by the operator (Lucian Daniliuc) using the Google OAuth 2.0 authorization flow. With the operator’s explicit grant, they may access:

Gmail: read, compose, modify, label, and send messages on behalf of the authorizing account.
Google Calendar: read, create, and modify calendar events on behalf of the authorizing account.
Profile and email: the authorizing account’s email address and basic profile information, used to identify which account a request belongs to.

No data is accessed on behalf of any third party.

How data is used

Data is read and written exclusively to fulfill commands issued by the operator (or, where authorized, by an AI agent acting on the operator’s behalf). For example:

Drafting or sending a reply that the operator dictated.
Looking up calendar availability before suggesting a meeting time.
Triaging inbound mail and surfacing items the operator has flagged as important.

Data is not used for advertising, analytics, model training, or resale.

AI agent involvement

Some actions on these services are performed by an AI agent (“Ezri”, a Claude-based assistant configured by the operator) acting on the operator’s behalf. The agent operates against the operator’s own data only. Decisions of consequence (sending mail, modifying calendar entries shared with others, posting publicly) remain subject to the operator’s review.

Data retention

OAuth refresh tokens are stored on the operator’s own server (mcp-google.daniliuc.com) for the lifetime of the grant, encrypted at rest at the volume level. Tokens are revoked on demand via the standard Google account revocation flow at myaccount.google.com/permissions.

Message and event content is processed in-memory to fulfill the immediate command and is not durably stored on these services beyond logs needed for operational debugging (rotated within 30 days).

Data is not shared with third parties. The Anthropic Claude API is invoked to generate the agent’s responses; data sent to Anthropic is governed by the Anthropic Privacy Policy and is not used to train Anthropic’s models per Anthropic’s commercial terms.

Your rights

Since these services have a single user (the operator), the typical rights to access, correct, and delete data apply trivially. Token revocation is the cleanest off-switch and is available at any time via Google’s account permissions page.

Security

Hosts are managed by the operator on a hardened VPS. Transport is TLS 1.2+. OAuth uses PKCE. Credentials are kept out of source control and shell history.

Contact

For privacy questions, contact lucian@daniliuc.com.

Changes

This policy may change as the services evolve. Material changes will be reflected in the Last updated date at the top of this page.

Published May 9, 2026.