Privacy Policy

Last updated: November 1, 2025

Summary 1. Information We Collect 2. How We Use Information 3. Sharing 4. Third-Party Integrations 5. Google User Data 6. Cookies & Tracking 7. Security 8. Data Retention 9. International Transfers 10. Your Rights 11. Children 12. Do Not Track 13. Changes 14. Contact

This Privacy Policy describes how Switchboard ("Switchboard," "we," "us," or "our") collects, uses, shares, and protects information in connection with our website at switchboard-mcp.com, the hosted application at app.switchboard-mcp.com, and any related products and services (collectively, the "Services"). This Policy applies to the hosted Services only; the open-source Switchboard module does not transmit data to us when self-hosted.

If you do not agree with the practices described in this Privacy Policy, please do not use the Services. By using the Services, you agree to this Privacy Policy. Capitalized terms not defined here have the meanings given in our Terms of Service.

Summary of Key Points

  • What we collect. Account information you provide (name, email, organization), integration credentials and OAuth tokens you choose to connect, usage and diagnostic data, and data retrieved from Third-Party Services on your behalf to fulfill MCP tool calls.
  • How we use it. To provide, secure, and improve the Services; to operate integrations you have enabled; to bill paying customers; to communicate with you; and to comply with the law.
  • Who we share with. Service providers that help us run the Services (such as our authentication, payment, hosting, error-monitoring, and analytics vendors), Third-Party Services you have connected, and authorities when legally required. We do not sell personal information.
  • Google user data. We comply with the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data to train generalized AI/ML models.
  • Your rights. Depending on your location, you may have rights to access, correct, delete, port, or restrict processing of your personal information.
  • Children. The Services are not directed to anyone under 18, and we do not knowingly collect data from minors.

1. Information We Collect

1.1 Information you provide to us

  • Account information. When you sign up, we collect your name, email address, password (managed by our identity provider Clerk), profile photo, organization name and slug, and role.
  • Billing information. If you subscribe to a paid plan, our payment processor (Stripe) collects payment-card or bank information on our behalf. Switchboard does not store full payment-card numbers; we receive only metadata such as the last four digits, card brand, expiration, billing email, and subscription identifiers.
  • Integration credentials and OAuth tokens. When you connect a Third-Party Service, we receive and store the credentials, API keys, or OAuth tokens (including access and refresh tokens) necessary to call that service on your behalf. These credentials are encrypted at rest using AES-256-GCM.
  • Policy and configuration data. Tool allow/deny policies, department assignments, role assignments, and other organization-level configuration you create in the Services.
  • Communications. If you contact us by email or other channels, we collect the content of your communications and any attachments you send.

1.2 Information collected automatically

  • Usage and diagnostic data. Request metadata for MCP tool calls (timestamp, organization, user, integration, tool name, response status, latency, and approximate token counts) and API requests (method, path, status code, IP address, user agent).
  • Audit logs. Security-relevant events such as logins, organization-membership changes, API-key creation and revocation, integration connections, and policy changes. Retention varies by plan.
  • Device and browser information. IP address, browser type, operating system, language preferences, and referring URLs.
  • Cookies and similar technologies. See "Cookies and Tracking" below.

1.3 Information received from Third-Party Services

When you connect a Third-Party Service (such as GitHub, Google Workspace, Slack, Linear, Notion, Datadog, Sentry, or others), the Services may receive and process data from that service on your behalf in order to fulfill the MCP tool calls you or your authorized users initiate. The categories of data depend on the Third-Party Service and the scopes you authorize, and may include profile information, email contents and metadata, calendar events, documents, source code, issues, messages, customer records, telemetry, and other data exposed by the underlying API.

Switchboard processes this data in transit as a conduit between the AI client and the Third-Party Service. We do not permanently store the body of tool responses except as needed for audit logging, debugging (transient, limited time), and the savings/usage analytics described below in aggregate form.

2. How We Use Information

We process information for the following purposes:

  • Provide and operate the Services, including authenticating users, routing MCP requests, executing integrations, and delivering responses to your AI client.
  • Maintain security, including detecting and preventing fraud, abuse, and unauthorized access; enforcing rate limits and plan quotas; and conducting audit logging.
  • Improve and develop the Services, including analyzing aggregated usage trends, debugging errors, and developing new features. Where data is used for product improvement beyond an individual customer, it is aggregated or de-identified.
  • Bill and collect payment from paying customers and to send invoices, receipts, and dunning notices.
  • Communicate with you, including transactional emails (account, billing, security), product updates, and responses to support inquiries. You may opt out of non-essential marketing communications at any time.
  • Comply with legal obligations and respond to lawful requests from authorities.

We do not sell personal information, and we do not use Customer Data or Google user data to train generalized AI/ML models. Aggregated, de-identified analytics may be used to improve internal models that power the Services (such as routing, ranking, or anomaly detection) and only in a form that cannot be linked back to an individual.

3. When and With Whom We Share Information

We share information only as described below. We do not sell or rent personal information.

  • Service providers. We use third-party vendors to help operate the Services, including: Clerk (authentication and user management), Stripe (payments and subscription billing), DigitalOcean (hosting and managed Postgres), Cloudflare (DNS, CDN, and edge security), and similar providers for error monitoring and email delivery. These providers process information on our behalf under contractual confidentiality and data-protection obligations.
  • Third-Party Services you connect. When you initiate an MCP tool call, we transmit the request to the relevant Third-Party Service using the credentials you provided. Your use of each Third-Party Service is also subject to its own privacy policy.
  • Within your organization. Audit logs, integration configurations, and member-management data are visible to authorized members of your organization based on their role and the policies you configure.
  • Legal and safety. We may disclose information if we believe in good faith that disclosure is required by law, regulation, legal process, or governmental request, or is necessary to enforce our Terms, protect the safety or rights of any person, or detect and prevent fraud or abuse.
  • Business transfers. If we are involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to confidentiality protections and applicable law. We will provide notice of any change in ownership or material change in how information is handled.

4. Third-Party Integrations

The Services are designed to access Third-Party Services on your behalf. When you connect a Third-Party Service via OAuth, we receive the access scopes you grant and store the resulting tokens encrypted at rest. You may revoke integration access at any time from within the Services or directly from the Third-Party Service's settings; revocation will cause Switchboard to lose the ability to call that integration on your behalf.

Switchboard is not responsible for the privacy practices, content, accuracy, or availability of any Third-Party Service. Please review the privacy policy of each Third-Party Service you connect.

5. Google User Data and Limited Use

Switchboard's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only request the minimum Google OAuth scopes required to provide the integration features you have explicitly enabled (for example, reading Gmail messages, listing Drive files, retrieving Calendar events).
  • We use Google user data solely to provide and improve the Services' user-facing features that are explicitly invoked by you or by an authorized user of your organization via an AI client.
  • We do not use Google user data to develop, train, or improve generalized or non-personalized AI/ML models.
  • We do not sell Google user data or transfer it for advertising, market research, credit-worthiness, or any unrelated purpose.
  • We do not allow humans to read Google user data, except (a) with the affirmative agreement of the affected user (for example, to provide hands-on support you have requested), (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized and is used solely for internal operations.
  • Google user data is encrypted in transit (TLS) and at rest (AES-256-GCM for credentials) and is retained only as long as your integration remains connected. You may disconnect at any time, which will result in deletion of stored Google tokens and any cached integration data.

6. Cookies and Tracking Technologies

We use cookies and similar technologies to operate the Services. The cookies we use fall into the following categories:

  • Strictly necessary. Required for authentication (for example, Clerk's __session cookie), CSRF protection, and basic site functionality. These cannot be disabled.
  • Functional. Remember preferences such as your selected organization or UI state.
  • Analytics. Help us understand aggregate usage of the Services so we can improve them. Where required by law, we obtain consent before setting non-essential cookies.

You can control cookies through your browser settings. Disabling strictly necessary cookies may prevent you from using parts of the Services.

7. Security

We implement administrative, technical, and physical safeguards designed to protect personal information against loss, theft, and unauthorized access, use, or modification. Highlights include:

  • TLS for all data in transit, including between the AI client, Switchboard, and Third-Party Services.
  • AES-256-GCM encryption at rest for integration credentials and OAuth tokens.
  • Role-based access control and attribute-based authorization (ABAC) enforced on every request.
  • Audit logging of security-relevant events.
  • Regular dependency updates, vulnerability scanning, and code review.
  • Production infrastructure isolated from development environments, with access limited to authorized personnel.

No security measures are perfect. If you believe your account has been compromised, please contact us immediately at security@switchboard-mcp.com.

8. Data Retention

We retain personal information for as long as necessary to provide the Services and for the legitimate business purposes described in this Policy, including legal, accounting, and security requirements. In particular:

  • Account data is retained for the life of your account. When you delete your account, we delete or de-identify account data within 30 days, except where we are required to retain it (for example, to comply with tax or accounting obligations).
  • Integration credentials are deleted promptly when you disconnect an integration or close your account.
  • Audit logs are retained for a period that varies by plan (typically 7 to 365 days).
  • Billing records are retained for the period required by applicable tax and accounting laws.
  • Backups are retained for a limited period and are overwritten on a rolling basis; deletion requests may take effect on backups within the next backup rotation.

9. International Data Transfers

Switchboard's primary infrastructure is hosted in the United States. If you access the Services from outside the United States, your information will be transferred to and processed in the United States, which may have data-protection laws that differ from those in your country. By using the Services, you consent to the transfer of your information to the United States and other countries where our service providers operate.

10. Your Privacy Rights

Depending on where you reside, you may have rights under applicable data-protection laws (including the GDPR, UK GDPR, and U.S. state privacy laws such as the CCPA/CPRA, VCDPA, CPA, and others), including the right to:

  • Access the personal information we hold about you.
  • Request correction of inaccurate or incomplete information.
  • Request deletion of personal information, subject to legal exceptions.
  • Request portability of your information in a structured, machine-readable format.
  • Object to or restrict certain processing.
  • Withdraw consent where processing is based on consent (this does not affect the lawfulness of processing before withdrawal).
  • Opt out of the "sale" or "sharing" of personal information for targeted advertising — we do not engage in either, but you may exercise this right.
  • Lodge a complaint with a supervisory authority.

To exercise these rights, please email privacy@switchboard-mcp.com. We will respond within the timeframe required by applicable law. We may need to verify your identity before fulfilling a request. We will not discriminate against you for exercising your privacy rights.

If you are an end user whose data is processed through the Services by a customer organization (the "Controller"), the Controller is responsible for responding to your requests. We will assist Controllers in fulfilling such requests as required by law.

11. Children's Privacy

The Services are intended for use by businesses and their authorized personnel and are not directed to children under the age of 18. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a child under 18 without parental consent, we will delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@switchboard-mcp.com.

12. Do Not Track

No uniform standard for responding to "Do Not Track" signals has been finalized, and we do not currently respond to DNT browser signals. If a standard is adopted that we are required to follow, we will update this Policy accordingly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by a revised "Last updated" date at the top of this page. If we make material changes, we will provide notice by email or in-product notification before the changes take effect. We encourage you to review this Policy periodically.

14. How to Contact Us

If you have questions or concerns about this Privacy Policy or our privacy practices, please contact us at:

Switchboard
General: hello@switchboard-mcp.com
Privacy: privacy@switchboard-mcp.com
Security: security@switchboard-mcp.com