PM33 MCP Server - Privacy Policy

Effective Date: March 2, 2026 | Last Updated: March 2, 2026

1. Overview

This privacy policy describes how PM33 ("we", "us", "our") collects, uses, and protects data when you interact with the PM33 MCP (Model Context Protocol) Server. The MCP Server provides AI-powered product management tools accessible via the MCP protocol.

2. Data Collected via MCP

When you use PM33's MCP tools, the following data is processed:

• Tool Inputs: Parameters you send when invoking tools (e.g., workspace IDs, filter criteria, prompts for PRD generation). Inputs are validated via Zod schemas and sanitized before processing.
• Workspace Data Accessed: Tools query your tenant's workspace data (backlog items, velocity metrics, competitive intelligence, strategic objectives) as authorized by your API key scopes.
• API Key Metadata: Your API key ID, associated tenant ID, user ID, and granted scopes are used for authentication, authorization, and audit logging.
• Request Metadata: Correlation IDs, timestamps, IP addresses, and user agent strings are logged for debugging and security monitoring.

3. How We Use Your Data

• Tool Execution: To process your MCP tool requests and return results.
• Billing: AI-powered tools (PRD generation, alignment scoring) track token usage for credit billing.
• Security: Rate limiting, scope validation, and audit logging to protect your data.
• Service Improvement: Aggregated, anonymized usage metrics to improve tool performance.

4. Data Retention

• MCP Sessions: Session data expires after 30 minutes of inactivity (configurable per tenant).
• Audit Logs: Tool invocation logs are retained per your organization's data retention policy.
• Generated Content: PRDs and other AI-generated outputs are stored in your workspace and governed by your PM33 subscription terms.

5. Data Sharing

We do not sell or share your data with third parties. Data is processed only within PM33's infrastructure with the following exceptions:

• AI Model Providers: When using AI-powered tools (PRD generation, alignment scoring), prompts and workspace context are sent to the configured AI provider (Anthropic or OpenAI) for processing. These providers process data per their respective data processing agreements.
• Legal Requirements: We may disclose data if required by law or to protect our legal rights.

6. Data Security

• All MCP communication occurs over HTTPS.
• API key authentication with scope-based access control.
• Tenant isolation ensures your data is never accessible to other organizations.
• Input sanitization protects against prompt injection and other attacks.
• Rate limiting prevents abuse (per-key and per-tenant limits).

7. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you.
• Request deletion of your data.
• Restrict or object to processing.
• Data portability.

8. GDPR / CCPA Compliance

PM33 processes data in accordance with GDPR and CCPA requirements. For EU/EEA users, the legal basis for processing is legitimate interest (service delivery) and contract performance. California residents have the right to know what personal information is collected and to request its deletion.

9. Contact

For privacy inquiries, data access requests, or concerns:

• Email: privacy@pm-33.io
• Website: https://pm-33.io

10. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted at this URL with an updated effective date.