Privacy policy

McPortal is a service provided by Orche Strategies (“we”, “us”). For privacy questions or to exercise the rights described below, contact privacy@orchestrategies.com. For purposes of data-protection law, we act as a data controller for account information and as a processor for data you bring into the service through connected integrations.

• Account information. Name, email address, and the OAuth provider used to sign in (Google or email magic link).
• Organization information. Org name, slug, and membership / role assignments for users on your team.
• Integration credentials. Encrypted OAuth access and refresh tokens for third-party services you connect (Slack, GitHub, Jira, etc.). See our security page for how these are stored.
• Usage and audit data. Records of MCP tool calls — actor, server, tool, outcome, timestamp, and structured metadata.
• Billing data. Customer id and subscription status from Stripe. We do not store payment card numbers.
• Standard server logs. IP address, user agent, and timestamps for requests, used for abuse prevention and debugging.

• To operate the service: authenticating you, calling tools you have authorized, and surfacing audit logs to admins.
• To bill you and prevent abuse.
• To send transactional email — sign-in links, invites, billing receipts, and important account notices.
• To diagnose problems and improve the product.

We do not sell personal data. We do not use account or audit data to train machine learning models. We do not run third-party advertising or analytics scripts on the marketing site or the dashboard at this time.

• Account, organization, and integration data: until you delete your account or organization.
• Audit logs: retained for the lifetime of the related server, then deleted with it. Export available on request.
• Billing records: retained per applicable tax and accounting law, typically seven years.
• Server logs: rolling 30-day window.

We maintain a live, dated list of every third-party service provider we share data with at /trust/subprocessors. We give at least 30 days’ prior notice before adding a new subprocessor that materially changes how customer data is handled. Customers under our Data Processing Agreement may object during the notice period.

We set a single first-party session cookie used to keep you signed in. It is HttpOnly, Secure, and SameSite=Lax. We do not use advertising or cross-site tracking cookies.

Depending on where you live, you have rights to access, correct, export, or delete your personal data, and to object to certain processing. To exercise any of these:

• Most data is viewable and editable directly in your account.
• To export audit logs or delete your account and all associated data, email privacy@orchestrategies.com. We respond within 30 days.

Customer data is stored in the United States. If you access McPortal from outside the US, your information will be transferred to and processed in the US. By using the service you consent to this transfer.

McPortal is not directed at children under 16, and we do not knowingly collect their information.

See our security page for technical detail on how data is protected. No service can guarantee perfect security, but we follow current best practices and will notify affected customers promptly in the event of a breach involving their personal data.

When we change this policy in a material way, we will update the “last updated” date and, for significant changes, send an email to account owners. Continued use of the service after a change constitutes acceptance of the updated policy.

Orche Strategies, California, USA. privacy@orchestrategies.com.