Privacy Policy

Last updated: 2026-05-11 Effective date: TODO Operator: TODO legal entity Contact: privacy@xataco.com

Service operator: TODO: legal entity name, e.g. "PlayLife OÜ" or "Xata & Co LLC" ("we", "us", "the Service")

MCP endpoint: https://mcp.xataco.com/mcp

Contact: privacy@xataco.com (general inbox: general@xataco.com)

1. Who we are

Co-Founder: Strategy Layer Engine is a remote MCP (Model Context Protocol) service that runs MBB-style strategic-consulting engagements inside the AI client of your choice (Claude, ChatGPT, Cursor, Codex, VS Code, and any other MCP-compatible client). We are operated by TODO: legal entity, registered address, jurisdiction.

For GDPR purposes, we act as the data controller for account data and as a data processor for the analysis inputs you submit through tool calls.

2. What data we collect and store

2.1 Account data (when you register or sign in)

We collect and store the following data in our user database (hosted on Google Cloud Platform) for the lifetime of your account:

Data	Source	Why we need it	Stored where
Email address	You (registration form or Google sign-in)	Account identity, transactional emails	User database (GCP)
Password hash (bcrypt, salted)	You — we never store plaintext	Email/password sign-in	User database (GCP)
Google account identifier (`google_sub`)	Google OAuth	"Continue with Google" sign-in	User database (GCP)
Email verification status & timestamp	System	Block unverified accounts	User database (GCP)
Subscription tier (free / paid / subscription)	System	Rate limiting and billing	User database (GCP)

The user database is encrypted at rest. Access is restricted to authorised personnel listed in §8. Your email address is the only personally-identifying piece of data we require to operate the Service — we do not ask for your full name, phone number, address, payment card directly (payment is delegated to TODO: Stripe / billing provider when launched), or any government identifier.

2.2 Engagement data (what you submit to tools)

When you call a tool, you supply business context — for example a company name, an investment thesis, a person's bio, a LinkedIn URL, or financial data you've copied in. This content is:

Forwarded to the AI processing sub-processor (Anthropic's Claude API) to run the analysis;
Stored in a per-engagement folder on our server (research/<run_id>/ or strategies/<run_id>/) for the duration described in §6;
Optionally exported to a Notion page if you have configured Notion export (controlled by you).

We do not train any model on your engagement data.

2.3 Operational logs

Data	Retention	Purpose
`runs.db` — run_id, tool name, timestamps, status, client_id	TODO 90 days	Engagement history & rate limiting
`actions.db` — Daily Loop tracking	TODO 90 days	Subscription-tier feature
Web server access logs (IP, user agent, path, status)	30 days	Security, abuse detection
OAuth tokens & session cookies	Session lifetime + grace period	Authentication

2.4 Information we do NOT collect

We do not use third-party analytics or ad-tracking cookies.
We do not fingerprint your device.
We do not sell or share data with marketers.

3. Lawful bases (GDPR, Art. 6)

Processing	Lawful basis
Running engagements you request	Contract performance (Art. 6(1)(b))
Verification emails	Contract performance
Security logs, abuse detection	Legitimate interest (Art. 6(1)(f))
Marketing emails (only if you opt in)	Consent (Art. 6(1)(a))

4. Sub-processors

We share data with the following sub-processors only to the minimum extent required to deliver the Service:

Sub-processor	Data shared	Purpose	Region
Anthropic, PBC (Claude API)	Engagement inputs + intermediate prompts	LLM inference	US
Google Cloud Platform	All hosted data (server, databases)	Hosting & compute	TODO region
Resend, Inc.	Email address, verification token	Transactional email	US
Google LLC (OAuth)	OAuth `sub` identifier, email	"Continue with Google" sign-in	US
Notion Labs, Inc.	Engagement output files (only if you enable Notion export)	Public-page export	US

A current list is maintained on this page. We will give 30 days' notice in this document before adding a new sub-processor.

5. International transfers

Data may be transferred outside the European Economic Area (primarily to the United States). We rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework adequacy decision.

6. Retention

Data	Retention
Account record (email, password hash, tier)	Until you delete your account, plus 30 days for backups
Engagement data (`research/<run_id>/`, `strategies/<run_id>/`)	TODO 90 days after engagement completion, then permanently deleted
Engagement metadata in `runs.db`	TODO 12 months for analytics & support, then anonymised
Server logs	30 days
Notion exports	Until you delete the Notion page; we no longer hold the content after Notion has it

7. Your rights (GDPR / UK GDPR / CCPA)

You have the right to:

Access — request a copy of personal data we hold about you;
Rectification — correct inaccurate data;
Erasure ("right to be forgotten") — delete your account and engagement data;
Portability — receive your data in a machine-readable format (JSON);
Object to processing for legitimate-interest grounds;
Restrict processing while a complaint is investigated;
Withdraw consent at any time (where consent is the basis);
Lodge a complaint with your supervisory authority (e.g. the Estonian Data Protection Inspectorate, the UK ICO, or your local DPA).

To exercise any right, email privacy@xataco.com. We respond within 30 days.

8. Security

Passwords are hashed with bcrypt (cost factor ≥ 12) before storage; we never log or transmit plaintext passwords.
All data in transit uses TLS 1.2+. The MCP endpoint requires HTTPS.
OAuth follows OAuth 2.1 with PKCE. Bearer tokens are stored hashed.
Server access is restricted to TODO authorised personnel list and logged.
We follow least-privilege principles for sub-processor API keys.
We notify affected users within 72 hours of confirming any personal-data breach, as required by GDPR Art. 33.

9. Cookies

We use only strictly necessary cookies:

Cookie	Purpose	Duration
Session cookie (OAuth flow)	Keep you logged in during sign-in	Session
CSRF token	Protect against cross-site request forgery	Session

We do not use advertising, analytics, or third-party tracking cookies on the marketing site or the MCP server.

10. Children

The Service is not intended for children under 16. We do not knowingly collect data from children under 16. If you believe a child has registered, contact privacy@xataco.com and we will delete the account.

11. Automated decision-making

The Service uses LLM-generated analysis as the core product. The output is advisory — it is not legally binding and should not be the sole basis of decisions with legal or significant similar effects on you. You always retain human oversight over actions taken on the analysis.

12. Changes to this policy

We will update this document when the data we collect, the sub-processors we use, or the retention periods change. The "Last updated" date at the top reflects the most recent revision. Material changes will be announced by:

An in-app notice the next time you sign in,
An email to your registered address (for material reductions in user rights or new sub-processor categories).

13. Contact

Reason	Contact
Privacy questions, data requests	privacy@xataco.com
General support	support@xataco.com
Security disclosures	security@xataco.com
Postal	TODO registered legal address