← Back to Slack MCP Cloud

Privacy Policy

Effective: March 2026 · Last updated: March 2026

1. Who We Are

Slack MCP Cloud is operated by Revasser Labs ("we", "us"). Contact: james@revasser.nyc.

2. What We Collect

• Account credentials: Your Slack session tokens (xoxc- and xoxd-) submitted during setup. These are encrypted at rest using AES-256-GCM when stored in persistent mode, or held in ephemeral memory only.
• API key: Your bearer token (stmh_ prefix) used to authenticate MCP requests.
• Billing data: Stripe handles all payment processing. We receive your Stripe customer ID, plan type, and subscription status. We never see or store credit card numbers.
• Usage metrics: Request counts per billing period (month), stored for rate limiting and billing. No message content, channel names, or user data is included.

3. What We Do NOT Collect

• Slack message content, files, or attachments
• Channel names, user profiles, or workspace metadata
• Search queries or search results
• IP addresses or device fingerprints
• Cookies or tracking identifiers
• Analytics or telemetry beyond request counts

4. How Slack Data Flows

When you invoke an MCP tool (e.g., slack_list_conversations), the hosted worker:

1. Authenticates your bearer token against our tenant database
2. Retrieves your encrypted Slack credentials
3. Proxies the request to the Slack API on your behalf
4. Returns the Slack API response directly to your MCP client

At no point is Slack API response data logged, stored, cached, or inspected by our servers. Data flows through the worker in a single request-response cycle and is not retained.

5. Token Storage Modes

• Ephemeral mode: Slack credentials are held in worker memory only. They are lost on worker restart or cold start. No database write occurs.
• Persistent mode: Slack credentials are encrypted with AES-256-GCM using a key stored in Cloudflare environment secrets, then written to a Cloudflare D1 database. Requires explicit user consent (consent_persistent_storage: true).

6. Data Retention

• Slack credentials: Stored until you disconnect them (via API) or delete your account. Ephemeral credentials are lost on worker restart.
• Usage records: Retained for the current billing period plus one prior month for dispute resolution.
• Billing data: Retained by Stripe per their privacy policy.

7. Data Sharing

We do not sell, rent, or share your data with third parties except:

• Stripe: Payment processing only.
• Cloudflare: Infrastructure provider (Workers, D1, AI). Subject to Cloudflare's privacy policy.
• Slack: Your credentials are used to authenticate API requests to Slack on your behalf.
• Law enforcement: Only if required by valid legal process.

8. AI-Augmented Tools

Three tools (slack_channel_summary, slack_extract_action_items, slack_find_decisions) use Cloudflare Workers AI to process Slack messages. This processing happens within Cloudflare's infrastructure during the request and is not retained. Cloudflare's Workers AI does not train on customer data.

9. Security

• All traffic over HTTPS/TLS
• Slack tokens encrypted at rest (AES-256-GCM)
• Bearer tokens are cryptographically random, scoped per tenant
• No plaintext credentials in logs or responses
• Worker runs on Cloudflare's global edge network with DDoS protection

10. Your Rights

Regardless of your location, you can at any time:

• Disconnect credentials: Remove your Slack tokens via the setup page or API
• Delete your account: Contact us to permanently delete all stored data
• Export your data: Request a copy of all data we hold about you
• Revoke access: Rotate your Slack session tokens to immediately invalidate stored credentials

For EU/EEA residents (GDPR): You have the right to access, rectify, erase, restrict processing, data portability, and object to processing of your personal data. We process data under legitimate interest (service delivery) and contract performance. To exercise these rights, contact james@revasser.nyc. We respond within 30 days.

For California residents (CCPA): You have the right to know what personal information we collect, request deletion, and opt out of sale. We do not sell personal information. To exercise these rights, contact james@revasser.nyc.

Data breach notification: In the event of a data breach affecting your personal data, we will notify affected users within 72 hours of discovery via the email address associated with your account or Stripe subscription.

11. Children's Privacy

Slack MCP Cloud is not directed at individuals under 18. We do not knowingly collect data from minors.

12. Changes

We may update this policy. Material changes will be posted here with an updated effective date. Continued use after changes constitutes acceptance.

13. Contact

Questions about this privacy policy: james@revasser.nyc

---

Slack MCP Cloud is not affiliated with or endorsed by Slack Technologies, Inc. or Salesforce, Inc. "Slack" is a registered trademark of Slack Technologies, Inc.