legal: update privacy policy and terms for v1 consumer launch

2026-06-12 12:12:46 -04:00
parent 13350881e0
commit af084133fa
2 changed files with 94 additions and 68 deletions
--- a/product/site/privacy.html
+++ b/product/site/privacy.html
@@ -6,7 +6,7 @@
    <title>Privacy Policy — SquareMCP</title>
    <meta
      name="description"
-      content="SquareMCP privacy policy covering pilot requests, service data, and how customer environments are handled."
+      content="SquareMCP privacy policy — how we handle your account data, connected platform credentials, and content when you use SquareMCP with Claude or ChatGPT."
    />
    <link rel="stylesheet" href="./styles.css?v=20260505b" />
  </head>
@@ -28,94 +28,127 @@
      <article class="legal-card">
        <div class="legal-eyebrow">Legal</div>
        <h1 class="legal-title">Privacy Policy</h1>
-        <p class="legal-subhead">Last updated May 5, 2026</p>
+        <p class="legal-subhead">Last updated June 12, 2026</p>
        <section class="legal-section">
          <h2>Scope</h2>
          <p>
-            This Privacy Policy describes how SquareMCP collects, uses, and protects information
+            This Privacy Policy describes how SquareMCP (operated by HERONS LLC) collects, uses, and
-            when you visit squaremcp.com, contact us, or participate in a SquareMCP pilot or
+            protects information when you use squaremcp.com, app.squaremcp.com, or the SquareMCP MCP
-            managed deployment.
+            server at hermes.squaremcp.com. This includes when you connect SquareMCP to Claude,
            ChatGPT, or other AI systems.
          </p>
        </section>
        <section class="legal-section">
          <h2>Information we collect</h2>
-          <p>We may collect:</p>
+          <p>We collect:</p>
          <ul>
-            <li>contact details such as your name, work email, company, and role</li>
+            <li><strong>Account information</strong> — your email address and password when you create a SquareMCP account at app.squaremcp.com.</li>
-            <li>pilot intake details such as your use case, target systems, and security requirements</li>
+            <li><strong>Connected platform credentials</strong> — API keys, OAuth access tokens, app passwords, and account identifiers for platforms you choose to connect (Obsidian, email accounts, Facebook Pages, Instagram Business accounts, and others). These are stored encrypted and used only to execute the actions you request.</li>
-            <li>service and operational data needed to provision, secure, and support a deployment</li>
+            <li><strong>Request logs</strong> — records of tool calls made through SquareMCP, including which platform was called, timestamp, and outcome. We do not log the full content of emails, notes, or social media posts.</li>
-            <li>communications you send to us by email or through the pilot intake form</li>
+            <li><strong>Communications</strong> — emails or messages you send to info@squaremcp.com or through the site contact form.</li>
          </ul>
        </section>
        <section class="legal-section">
          <h2>How AI systems interact with your data</h2>
          <p>
            SquareMCP acts as a bridge between AI systems (such as Claude by Anthropic and ChatGPT by
            OpenAI) and your connected accounts. When you authorize SquareMCP from within an AI assistant:
          </p>
          <ul>
            <li>The AI system sends requests to SquareMCP describing what action to perform (e.g., "search notes for topic X", "post to Facebook page").</li>
            <li>SquareMCP uses your stored credentials to carry out the action on your behalf.</li>
            <li>Results are returned to the AI system so it can respond to you.</li>
          </ul>
          <p>
            SquareMCP does not train AI models on your data. SquareMCP does not share your connected
            platform content or credentials with AI providers — the AI system sends instructions to
            SquareMCP; SquareMCP sends results back to the AI system. What the AI provider does with
            those results is governed by that provider's own privacy policy (Anthropic's for Claude;
            OpenAI's for ChatGPT).
          </p>
        </section>
        <section class="legal-section">
          <h2>Connected platforms and what we access</h2>
          <p>When you connect a platform, SquareMCP accesses only what is needed to perform the actions you request:</p>
          <ul>
            <li><strong>Obsidian vault</strong> — note content, titles, and paths in your vault. SquareMCP can read, write, search, and append notes. Your vault is accessed via an API key you generate in your Obsidian configuration.</li>
            <li><strong>Email (Gmail, Yahoo, IMAP/SMTP)</strong> — inbox messages, message content, and the ability to send email from your configured accounts. SquareMCP connects via IMAP for reading and SMTP for sending using credentials you provide. We do not store email content beyond what is needed to respond to your current request.</li>
            <li><strong>Facebook Pages</strong> — your Facebook Business Page info, existing posts, and the ability to publish new posts and photos on your behalf. Access uses a Page access token you authorize via the Facebook Developer Console.</li>
            <li><strong>Instagram Business</strong> — your Instagram Business account profile, media, and the ability to publish photos and reels. Access is linked to your Facebook Page authorization.</li>
            <li><strong>Other platforms</strong> — LinkedIn, Twitter/X, TikTok, WhatsApp, Telegram, Discord, and Slack integrations follow the same principle: SquareMCP uses only the credentials and permissions you explicitly provide and performs only the actions you request.</li>
          </ul>
          <p>
            You can disconnect any platform at any time from app.squaremcp.com. Disconnecting removes
            stored credentials for that platform.
          </p>
        </section>
        <section class="legal-section">
          <h2>How we use information</h2>
          <p>We use information to:</p>
          <ul>
-            <li>review and respond to pilot requests</li>
+            <li>authenticate your account and authorize AI system access via OAuth</li>
-            <li>configure and operate SquareMCP deployments</li>
+            <li>execute platform actions you request through connected AI assistants</li>
-            <li>authenticate access, troubleshoot issues, and maintain security controls</li>
+            <li>maintain request logs for debugging, security, and operational purposes</li>
-            <li>communicate about pilots, support, billing, and service changes</li>
+            <li>communicate about your account, service changes, and support</li>
          </ul>
        </section>
        <section class="legal-section">
          <h2>Customer data and connected systems</h2>
          <p>
            SquareMCP is designed to act as a managed MCP gateway for internal tools. Depending on
            the deployment, customer data may remain in a customer-controlled environment or may be
            processed in SquareMCP-managed infrastructure as part of the service. The exact data
            path depends on the deployment architecture and connector configuration.
          </p>
          <p>
            Pilot and production customers are responsible for evaluating which systems they choose
            to connect and which tool permissions they enable for their users and agents.
          </p>
        </section>
        <section class="legal-section">
          <h2>Authentication credentials and tokens</h2>
          <p>
            SquareMCP may process API keys, OAuth credentials, session metadata, audit records, and
            related access-control data needed to operate the service. We use these credentials only
            to authenticate approved integrations and support the configured deployment.
          </p>
        </section>
        <section class="legal-section">
          <h2>Sharing</h2>
          <p>
-            We do not sell personal information. We may share information with infrastructure,
+            We do not sell personal information. We do not share your connected platform content
-            hosting, email, or support providers only to the extent reasonably necessary to run the
+            or credentials with third parties except as required to operate the service (e.g., using
-            service, support customers, comply with law, or protect SquareMCP and its users.
+            a cloud hosting provider). We may disclose information if required by law or to protect
            the security of the service and its users.
          </p>
        </section>
        <section class="legal-section">
-          <h2>Retention</h2>
+          <h2>OAuth and third-party authorization</h2>
          <p>
-            We retain information for as long as reasonably necessary to evaluate pilots, deliver
+            SquareMCP uses OAuth 2.0 to authorize AI systems (Claude, ChatGPT) to access your
-            services, maintain records, and meet legal, operational, or security obligations.
+            SquareMCP account. When you complete an OAuth flow from an AI assistant, you are granting
            that AI system permission to call SquareMCP tools on your behalf. You can revoke this
            access at any time by disconnecting the AI system from app.squaremcp.com.
          </p>
          <p>
            SquareMCP does not have access to your Anthropic or OpenAI account credentials.
          </p>
        </section>
        <section class="legal-section">
          <h2>Data retention</h2>
          <p>
            Account data and connected platform credentials are retained as long as your account is
            active. Request logs are retained for up to 90 days for operational and security purposes.
            You may request deletion of your account and associated data at any time by emailing
            <a href="mailto:info@squaremcp.com">info@squaremcp.com</a>.
          </p>
        </section>
        <section class="legal-section">
          <h2>Security</h2>
          <p>
-            We use reasonable administrative, technical, and operational measures to protect
+            Connected platform credentials are stored encrypted. We use HTTPS for all communications.
-            information. No system can guarantee absolute security, and you should not submit
+            Webhook endpoints use HMAC signature validation. OAuth tokens are stored server-side and
-            information through the service unless you are comfortable with that risk profile.
+            not exposed to the browser. No system can guarantee absolute security.
          </p>
        </section>
        <section class="legal-section">
-          <h2>Your choices</h2>
+          <h2>Your rights and choices</h2>
-          <p>
+          <p>You can:</p>
-            You may contact us to request access, correction, or deletion of personal information we
+          <ul>
-            hold about you, subject to legal and operational limits.
+            <li>disconnect any connected platform at any time from app.squaremcp.com</li>
-          </p>
+            <li>revoke AI system OAuth access from app.squaremcp.com</li>
            <li>request deletion of your account and data by emailing info@squaremcp.com</li>
            <li>request a copy of data we hold about you</li>
          </ul>
        </section>
        <section class="legal-section">
@@ -123,13 +156,10 @@
          <p>
            Questions about this Privacy Policy can be sent to
            <a class="footer-link" href="mailto:info@squaremcp.com">info@squaremcp.com</a>.
            <br>
            HERONS LLC, 10704 NW 51 St, Coral Springs, FL 33076.
          </p>
        </section>
        <div class="legal-note">
          This page is a general website and pilot-stage privacy policy. It should be reviewed and
          adapted if SquareMCP moves into broader commercial availability or regulated deployments.
        </div>
      </article>
    </main>
  </body>
--- a/product/site/terms.html
+++ b/product/site/terms.html
@@ -28,22 +28,23 @@
      <article class="legal-card">
        <div class="legal-eyebrow">Legal</div>
        <h1 class="legal-title">Terms of Service</h1>
-        <p class="legal-subhead">Last updated May 5, 2026</p>
+        <p class="legal-subhead">Last updated June 12, 2026</p>
        <section class="legal-section">
          <h2>Agreement</h2>
          <p>
            These Terms of Service govern your access to and use of SquareMCP, including the
-            squaremcp.com website, pilot engagements, managed deployments, and related support.
+            squaremcp.com and app.squaremcp.com websites, the SquareMCP MCP server, and related
-            By using SquareMCP, you agree to these Terms.
+            support. By using SquareMCP, you agree to these Terms.
          </p>
        </section>
        <section class="legal-section">
          <h2>Service description</h2>
          <p>
-            SquareMCP provides managed MCP infrastructure and related services for connecting AI
+            SquareMCP provides an MCP server and related services that connect AI assistants
-            agents to customer-approved internal tools, systems, and data sources.
+            (such as Claude and ChatGPT) to your personal and business accounts, including email,
            social media platforms, and productivity tools like Obsidian.
          </p>
        </section>
@@ -60,8 +61,7 @@
          <h2>Customer responsibilities</h2>
          <p>You are responsible for:</p>
          <ul>
-            <li>providing accurate information during pilot intake and onboarding</li>
+            <li>ensuring you have authority to connect the accounts and platforms you link to SquareMCP</li>
            <li>ensuring you have authority to connect systems, accounts, and data sources</li>
            <li>configuring appropriate permissions, approvals, and internal safeguards</li>
            <li>reviewing agent behavior and tool outputs before relying on them in production workflows</li>
            <li>complying with applicable laws, regulations, and contractual obligations</li>
@@ -127,13 +127,9 @@
          <p>
            Questions about these Terms can be sent to
            <a class="footer-link" href="mailto:info@squaremcp.com">info@squaremcp.com</a>.
            <br>HERONS LLC, 10704 NW 51 St, Coral Springs, FL 33076.
          </p>
        </section>
        <div class="legal-note">
          These Terms are a practical baseline for the current SquareMCP pilot site. They should be
          reviewed by counsel before broad commercial rollout or regulated-enterprise contracting.
        </div>
      </article>
    </main>
  </body>