Legal

Privacy Policy

Last updated June 12, 2026

Scope

This Privacy Policy describes how SquareMCP (operated by HERONS LLC) collects, uses, and protects information when you use squaremcp.com, app.squaremcp.com, or the SquareMCP MCP server at hermes.squaremcp.com. This includes when you connect SquareMCP to Claude, ChatGPT, or other AI systems.

Information we collect

We collect:

  • Account information — your email address and password when you create a SquareMCP account at app.squaremcp.com.
  • Connected platform credentials — API keys, OAuth access tokens, app passwords, and account identifiers for platforms you choose to connect (Obsidian, email accounts, Facebook Pages, Instagram Business accounts, and others). These are stored encrypted and used only to execute the actions you request.
  • Request logs — records of tool calls made through SquareMCP, including which platform was called, timestamp, and outcome. We do not log the full content of emails, notes, or social media posts.
  • Communications — emails or messages you send to info@squaremcp.com or through the site contact form.

How AI systems interact with your data

SquareMCP acts as a bridge between AI systems (such as Claude by Anthropic and ChatGPT by OpenAI) and your connected accounts. When you authorize SquareMCP from within an AI assistant:

  • The AI system sends requests to SquareMCP describing what action to perform (e.g., "search notes for topic X", "post to Facebook page").
  • SquareMCP uses your stored credentials to carry out the action on your behalf.
  • Results are returned to the AI system so it can respond to you.

SquareMCP does not train AI models on your data. SquareMCP does not share your connected platform content or credentials with AI providers — the AI system sends instructions to SquareMCP; SquareMCP sends results back to the AI system. What the AI provider does with those results is governed by that provider's own privacy policy (Anthropic's for Claude; OpenAI's for ChatGPT).

Connected platforms and what we access

When you connect a platform, SquareMCP accesses only what is needed to perform the actions you request:

  • Obsidian vault — note content, titles, and paths in your vault. SquareMCP can read, write, search, and append notes. Your vault is accessed via an API key you generate in your Obsidian configuration.
  • Email (Gmail, Yahoo, IMAP/SMTP) — inbox messages, message content, and the ability to send email from your configured accounts. SquareMCP connects via IMAP for reading and SMTP for sending using credentials you provide. We do not store email content beyond what is needed to respond to your current request.
  • Facebook Pages — your Facebook Business Page info, existing posts, and the ability to publish new posts and photos on your behalf. Access uses a Page access token you authorize via the Facebook Developer Console.
  • Instagram Business — your Instagram Business account profile, media, and the ability to publish photos and reels. Access is linked to your Facebook Page authorization.
  • Other platforms — LinkedIn, Twitter/X, TikTok, WhatsApp, Telegram, Discord, and Slack integrations follow the same principle: SquareMCP uses only the credentials and permissions you explicitly provide and performs only the actions you request.

You can disconnect any platform at any time from app.squaremcp.com. Disconnecting removes stored credentials for that platform.

How we use information

We use information to:

  • authenticate your account and authorize AI system access via OAuth
  • execute platform actions you request through connected AI assistants
  • maintain request logs for debugging, security, and operational purposes
  • communicate about your account, service changes, and support

Sharing

We do not sell personal information. We do not share your connected platform content or credentials with third parties except as required to operate the service (e.g., using a cloud hosting provider). We may disclose information if required by law or to protect the security of the service and its users.

OAuth and third-party authorization

SquareMCP uses OAuth 2.0 to authorize AI systems (Claude, ChatGPT) to access your SquareMCP account. When you complete an OAuth flow from an AI assistant, you are granting that AI system permission to call SquareMCP tools on your behalf. You can revoke this access at any time by disconnecting the AI system from app.squaremcp.com.

SquareMCP does not have access to your Anthropic or OpenAI account credentials.

Data retention

Account data and connected platform credentials are retained as long as your account is active. Request logs are retained for up to 90 days for operational and security purposes. You may request deletion of your account and associated data at any time by emailing info@squaremcp.com.

Security

Connected platform credentials are stored encrypted. We use HTTPS for all communications. Webhook endpoints use HMAC signature validation. OAuth tokens are stored server-side and not exposed to the browser. No system can guarantee absolute security.

Your rights and choices

You can:

  • disconnect any connected platform at any time from app.squaremcp.com
  • revoke AI system OAuth access from app.squaremcp.com
  • request deletion of your account and data by emailing info@squaremcp.com
  • request a copy of data we hold about you

Contact

Questions about this Privacy Policy can be sent to info@squaremcp.com.
HERONS LLC, 10704 NW 51 St, Coral Springs, FL 33076.