Privacy Policy

Effective: March 2026 · Last updated: March 2026

Summary: Slack MCP Cloud proxies your Slack API calls through a hosted MCP server. We store only what's needed to authenticate your requests. We never read, log, or retain your Slack messages, files, or workspace data. Hosted web pages use Cloudflare Web Analytics and limited first-party funnel events for aggregate website measurement.

Buyer review: For the controls and procurement summary, use /security. This page remains the detailed privacy and data-handling reference.

1. Who We Are

Slack MCP Cloud is operated by Rêvasser Labs ("we", "us"). Contact: privacy@revasserlabs.com.

2. What We Collect

Account credentials: Your Slack session tokens (xoxc- and xoxd-) submitted during setup. These are encrypted at rest using AES-256-GCM when stored in persistent mode, or held in ephemeral memory only.
API key: Your bearer token (stmh_ prefix) used to authenticate MCP requests.
Billing data: Stripe handles all payment processing. We receive your Stripe customer ID, plan type, and subscription status. We never see or store credit card numbers.
Usage metrics: Request counts per billing period (month), stored for rate limiting and billing. No message content, channel names, or user data is included.
Website analytics: Cloudflare Web Analytics records aggregate page-view and visit metrics on the hosted website. This applies to the public web pages only and is separate from Slack MCP request handling.
Hosted funnel events: The hosted web pages record limited first-party funnel events such as pricing visits, deployment review clicks, checkout starts, checkout completes, setup starts, token-connect success, usage dashboard opens, billing portal opens, and Gemini configuration views. These events are used to understand product funnel performance, not Slack message content.

3. What We Do NOT Collect

Slack message content, files, or attachments
Channel names, user profiles, or workspace metadata
Search queries or search results
Ad-tech cookies or cross-site tracking identifiers that follow you across sites
Message analytics, prompt logging, or Slack-content telemetry outside the live request path

4. How Slack Data Flows

When you invoke an MCP tool (e.g., slack_list_conversations), the hosted worker:

Authenticates your bearer token against our tenant database
Retrieves your encrypted Slack credentials
Proxies the request to the Slack API on your behalf
Returns the Slack API response directly to your MCP client

At no point is Slack API response data logged, stored, cached, or inspected by our servers. Data flows through the worker in a single request-response cycle and is not retained.

5. Token Storage Modes

Ephemeral mode: Slack credentials are held in worker memory only. They are lost on worker restart or cold start. No database write occurs.
Persistent mode: Slack credentials are encrypted with AES-256-GCM using a key stored in Cloudflare environment secrets, then written to a Cloudflare D1 database. Requires explicit user consent (consent_persistent_storage: true).

6. Data Retention

Slack credentials: Stored until you disconnect them (via API) or delete your account. Ephemeral credentials are lost on worker restart.
Usage records: Retained for the current billing period plus one prior month for dispute resolution.
Billing data: Retained by Stripe per their privacy policy.
Hosted funnel events: Retained only for product analytics and conversion reporting, separate from Slack request traffic and message handling.

7. Data Sharing

We do not sell, rent, or share your data with third parties except:

Stripe: Payment processing only.
Cloudflare: Infrastructure provider (Workers, D1, AI, and Web Analytics for the hosted site). Subject to Cloudflare's privacy policy.
Slack: Your credentials are used to authenticate API requests to Slack on your behalf.
Law enforcement: Only if required by valid legal process.

8. AI-Augmented Tools

Three tools (slack_channel_summary, slack_extract_action_items, slack_find_decisions) use Cloudflare Workers AI to process Slack messages. This processing happens within Cloudflare's infrastructure during the request and is not retained. Cloudflare's Workers AI does not train on customer data.

9. Security

All traffic over HTTPS/TLS
Slack tokens encrypted at rest (AES-256-GCM)
Bearer tokens are cryptographically random, scoped per tenant
No plaintext credentials in logs or responses
Worker runs on Cloudflare's global edge network with DDoS protection
Cloudflare Web Analytics is limited to aggregate website metrics and does not change MCP token or message handling

10. Website Analytics and Funnel Measurement

The hosted marketing and account pages use two separate measurement layers:

Cloudflare Web Analytics: aggregate page-view and visit metrics for hosted pages.
First-party funnel events: product-site events such as pricing visits, deployment review clicks, checkout starts, checkout completes, setup starts, token-connect success, account views, billing portal opens, and Gemini CLI documentation/config views.

These measurements apply to the hosted web surfaces. They do not add Slack message retention, Slack-content telemetry, or prompt logging to the MCP request path.

11. Your Rights

Regardless of your location, you can at any time:

Disconnect credentials: Remove your Slack tokens via the setup page or API
Delete your account: Contact us to permanently delete all stored data
Export your data: Request a copy of all data we hold about you
Revoke access: Rotate your Slack session tokens to immediately invalidate stored credentials

For EU/EEA residents (GDPR): You have the right to access, rectify, erase, restrict processing, data portability, and object to processing of your personal data. We process data under legitimate interest (service delivery) and contract performance. To exercise these rights, contact privacy@revasserlabs.com. We respond within 30 days.

For California residents (CCPA): You have the right to know what personal information we collect, request deletion, and opt out of sale. We do not sell personal information. To exercise these rights, contact privacy@revasserlabs.com.

Data breach notification: In the event of a data breach affecting your personal data, we will notify affected users within 72 hours of discovery via the email address associated with your account or Stripe subscription.

12. Children's Privacy

Slack MCP Cloud is not directed at individuals under 18. We do not knowingly collect data from minors.

13. Changes

We may update this policy. Material changes will be posted here with an updated effective date. Continued use after changes constitutes acceptance.

14. Contact

Questions about this privacy policy: privacy@revasserlabs.com