Privacy Policy
1. Purpose
This Privacy Policy explains how MCP4.ai (“we”, “our”, “us”) collects, uses, discloses, and protects personal information processed through our technologies — Fusion, Voxe, and NeuroSwitch.
We are committed to privacy-first AI and operate in compliance with ISO 27701, GDPR, CCPA/CPRA, LGPD, POPIA, FADP, and the EU Digital Markets Act (DMA).
2. Who We Are
MCP4.ai is an AI systems company that builds compliant, privacy-preserving technologies:
- Fusion — AI orchestration and cost-optimization platform.
- Voxe — Customer engagement and automation hub.
- NeuroSwitch — Intelligent routing and model-governance engine.
Our Data Protection Officer (DPO) can be reached at [email protected].
3. Data We Collect
We collect and process limited data necessary to operate our services securely and efficiently.
| Category | Examples | Purpose / Lawful Basis |
|---|---|---|
| Account Data | Name, email, organization | Service delivery (Contract) |
| Authentication Data | Login credentials, session tokens, 2FA secrets | Security & access control (Legitimate interest) |
| Usage Data | Logs, API metrics, feature usage | Service improvement (Consent / Legitimate interest) |
| Payment Data | Transaction IDs, invoice records | Billing (Contract) |
| Communication Data | Support tickets, chat transcripts | Customer support (Contract / Consent) |
| Device / IP Data | IP, browser type, time zone | Fraud prevention (Legitimate interest) |
| AI Interaction Data | Prompts, model responses, metadata | AI operations (Consent / Legitimate interest) |
We do not collect or store raw credit-card details; all payments are processed by Stripe under its own PCI-DSS-certified systems.
4. How We Use Personal Data
- To create and manage user accounts.
- To deliver and improve our AI-powered services.
- To communicate about updates, incidents, or support requests.
- To comply with legal obligations and resolve disputes.
- To perform anonymized analytics for performance and reliability.
We never sell personal data or use it for behavioral advertising.
5. Legal Bases for Processing
| Region | Lawful Bases |
|---|---|
| GDPR / FADP / POPIA / LGPD | Contract performance, Legitimate interest, Consent, Legal obligation |
| CCPA / CPRA (California) | Contract necessity, Legitimate business purpose, Opt-out of sale/sharing |
| DMA (EU) | Transparency in AI-assisted decision-making |
Users may withdraw consent or object to processing at any time.
6. Cookies and Tracking
MCP4.ai uses CookieYes to manage cookie consent across subdomains.
See our Cookie & Tracking Policy for details.
Essential cookies are required for functionality; analytics cookies require explicit consent.
7. Data Retention
| Data Type | Retention Period | Disposal Method |
|---|---|---|
| Account & Billing Data | 7 years (legal retention) | Secure deletion after term |
| Logs / Analytics | 90 days – 12 months | Automated purge |
| Backups | 30 days rolling | Encrypted overwrite |
| AI Interaction Data | ≤ 30 days unless anonymized | Secure deletion |
Retention periods follow MCP4.ai’s Data Retention Policy.
8. Data Sharing and Sub-Processors
We only share data with trusted providers under Data Processing Agreements (DPAs):
| Provider | Purpose | Region | Certification |
|---|---|---|---|
| Stripe | Payments | US / EU | PCI-DSS, ISO 27001 |
| Vercel / DigitalOcean | Hosting, CDN | EU / US | ISO 27001 |
| Chatwoot | Support system | EU | GDPR-compliant |
| CookieYes | Consent management | EU | GDPR-compliant |
All third-party access is limited to the minimum data required for their services.
9. International Transfers
- Cross-border transfers rely on Standard Contractual Clauses (SCCs) or equivalent mechanisms.
- Data is hosted in EU or US regions according to customer preference.
- Encryption is applied end-to-end during all transfers.
10. Data Subject Rights
You may exercise the following rights (subject to applicable law):
- Access, correction, or deletion of your personal data.
- Portability (receive your data in a structured format).
- Restriction or objection to processing.
- Withdrawal of consent.
- Complaint to a supervisory authority.
Requests may be submitted to [email protected] and are handled within 30 days.
11. Security Controls
- Encryption at rest (AES-256) and in transit (TLS 1.2+).
- MFA for administrative access.
- Role-based access control (RBAC).
- Regular vulnerability and penetration testing.
- Incident management per Incident Response Procedure.
12. Automated Decision-Making and AI Transparency
Some MCP4.ai services use AI to generate or route responses (e.g., Voxe chatbots).
- AI outputs are supervised by humans for quality and safety.
- No fully automated decisions with legal or significant personal effects are made.
- Users are informed whenever AI is involved in interactions.
13. Children’s Privacy
Our services are intended for business use and not directed at individuals under 16 years of age.
We do not knowingly collect data from minors; such data will be deleted upon discovery.
14. Data Breach Notification
In the event of a data breach involving personal information:
- Affected users will be notified without undue delay (≤ 72 hours where required).
- Regulatory authorities will be informed in accordance with applicable law.
- All breaches are documented in the Data Breach Register.
15. Contact & Complaints
Data Protection Officer (DPO)
Email: [email protected]
Mailing Address: MCP4.ai — Data Protection, [Insert business address]
You may also contact your local supervisory authority if unsatisfied with our response.
16. Updates to This Policy
We may update this policy periodically.
The latest version and revision date will always appear at the top of this page.
Material changes will be communicated via email or product notifications.