Privacy Policy

1. Data We Collect

We collect the following categories of information when you use MCP360:

• Account information: Your name, email address, and a securely hashed password when you register. If you sign in with Google, we receive your name, email, and profile photo from Google.
• Organization information: Your company name, workspace settings, team member details (name and email), and role assignments.
• OAuth tokens: When you connect a third-party platform (Meta Ads, Google Ads, Stripe, etc.), we store the resulting OAuth access and refresh tokens. These tokens are encrypted at rest using AES-256-GCM with per-organization derived keys and are never stored in plain text.
• Usage logs: MCP tool call names, timestamps, the platform accessed, the AI client identifier, and whether the call succeeded or failed. We do not log the content of your ad data, campaign details, or financial information in our usage logs.
• Billing information: Payment processing is handled entirely by Stripe. We store your Stripe customer ID and subscription status but never store raw credit card numbers, CVVs, or bank account details on our servers.

We do not collect information from children under 16. The Service is not intended for use by minors.

2. How We Use Your Data

We use the information we collect to:

• Provide and operate the Service, including executing MCP tool calls on your behalf by decrypting OAuth tokens in-memory
• Authenticate your identity and enforce role-based access controls
• Process payments and manage your subscription through Stripe
• Send transactional emails including invoices, security alerts, and reports you configure
• Send product update emails about new features and services (you may unsubscribe at any time)
• Analyze aggregated, anonymized usage patterns to improve service reliability and performance
• Detect and prevent fraud, abuse, and security incidents
• Comply with applicable legal obligations

We do not use your data to train AI models. We do not sell or rent your data to third parties.

3. Data Sharing

We share your data only with the following categories of recipients, and only as necessary to provide the Service:

• Connected Platforms: When you execute an MCP tool call, we pass the necessary API requests to the Connected Platform (e.g., Meta Ads API, Google Ads API) using your encrypted OAuth token. Only the data required for that specific tool call is transmitted.
• Stripe: For payment processing. Stripe processes your payment information under their own privacy policy.
• Cloud infrastructure providers: Our hosting and storage providers process data under strict confidentiality agreements and do not have access to decrypted OAuth tokens.
• Law enforcement: We will disclose data only when legally required by valid court order, subpoena, or government request. We will notify you of such requests unless prohibited by law.

We do not share your ad account data, campaign performance metrics, API keys, or financial information with any unauthorized party.

4. Third-Party Services

MCP360 integrates with third-party services that have their own privacy policies. When you connect a platform via OAuth, your use of that platform is governed by their privacy policy and terms of service. We encourage you to review the privacy practices of each platform you connect.

Key third-party services we integrate with include ad platforms (Meta, Google, TikTok, Microsoft, Pinterest, Snap, Reddit, LinkedIn, Amazon), payment processors (Stripe), authentication providers (Google OAuth), and cloud infrastructure providers.

5. Data Retention

• Account data: Retained for the lifetime of your account plus 90 days after account deletion to allow for reactivation, then permanently purged.
• OAuth tokens: Deleted immediately when you disconnect a platform. All tokens are deleted within 48 hours of account termination.
• Usage logs: Retained for 12 months for audit and security purposes, then permanently deleted.
• Billing records: Retained for 7 years as required by applicable tax and accounting regulations.
• Encrypted backups: May persist for up to 30 days after deletion in encrypted form before being purged from backup systems.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete personal data.
• Deletion: Request deletion of your account and all associated personal data.
• Export: Request an export of your data in a machine-readable format.
• Restriction: Request that we restrict processing of your data in certain circumstances.
• Objection: Object to processing of your data for direct marketing purposes.
• Withdrawal: Withdraw consent for non-essential data processing at any time.

To exercise any of these rights, contact us at privacy@mcp360.net. We will respond within 30 days.

7. Cookies

We use the following cookies:

• Essential session cookies: Required for authentication and maintaining your login session. These are strictly necessary and cannot be disabled.
• Preference cookies: Store your dashboard settings and display preferences. These are functional and improve your experience.

We do not use third-party tracking cookies, advertising cookies, or cross-site tracking pixels. Our analytics are performed server-side using anonymized, aggregated data.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 14 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was most recently revised. Your continued use of the Service after changes take effect constitutes acceptance of the revised policy.

9. Contact

If you have questions about this Privacy Policy or our data practices, please contact us:

• Email: privacy@mcp360.net
• Security concerns: security@mcp360.net
• General inquiries: Contact page