Privacy Policy — MCP Products Addendum

Effective date: 2026-04-21

What MCP products are

NeuralConfig MCP products provide bridges between large-language-model agents (like Claude) and network-management platforms. To function, they authenticate to your own third-party account (Cloudpath, SmartZone, RUCKUS One, etc.) on your behalf and execute operations you authorize via the agent.

Data collected

MCP products handle three categories of data that warrant careful disclosure:

1. Third-party credentials

To connect to your third-party platform, MCP products store:

• API credentials (API keys, OAuth tokens, or client IDs/secrets, depending on the platform)
• Tenant identifiers for multi-tenant platforms
• Refresh tokens where the platform uses them

Credentials are stored encrypted at rest in Cloudflare D1 (or equivalent managed database), bound to your NeuralConfig MCP account, and used only to execute operations you initiate through the MCP interface. Credentials are never shared with other NeuralConfig users, never used for any purpose other than the operation you requested, and can be revoked at any time by you.

2. Platform data you request through the MCP

When you use the MCP to query your third-party platform (for example, "list all APs" on RUCKUS One), the MCP retrieves data from that platform and relays it to the requesting agent. This data may include:

• Network device information (APs, switches, controllers)
• Configuration details
• Usage statistics
• Client device information (including potentially MAC addresses, usernames, session data, depending on the query)

This data is your data, stored in your third-party account. NeuralConfig relays it to the requesting agent and does not retain it in persistent storage beyond what is necessary to complete the request. Standard request/response logging (metadata only, not full bodies) is retained for operational debugging.

3. Usage data

• MCP call history (method, endpoint, timestamp, success/failure, duration)
• Aggregated metrics per account (calls per day, error rates)
• Error logs (retained short-term for debugging)

How MCP products use this data

• To execute the operations you request
• To authenticate and authorize access to your third-party accounts
• To bill (where applicable — currently MCP products are free)
• To debug errors and prevent abuse
• To rate-limit to prevent quota exhaustion on your third-party accounts

MCP products do not access your third-party platforms for any purpose you did not authorize. MCP products do not share your credentials or platform data with other NeuralConfig users or with third parties (other than the third-party platform itself, which is the intended destination of your requests).

Sharing

• Third-party platforms (Cloudpath, SmartZone, RUCKUS One): we relay your requests to these platforms as you direct. Those platforms have their own privacy policies; review them.
• AI providers (Claude via Anthropic): your instructions to the MCP (e.g., prompts) flow through Claude. Data returned from the third-party platform may be included in context sent to Claude. Anthropic's data-use terms govern this.
• No other third parties except as described in the Master Privacy Policy (hosting infrastructure, legal process).

Retention

• Credentials: retained as long as your MCP account is active; deleted within 30 days of account deletion
• Call metadata (method/endpoint/timestamp/status): up to 90 days
• Error logs with body excerpts: up to 14 days, then metadata-only
• Backups: standard backup propagation up to 30 days after deletion

Security of credentials

Credential storage is specifically protected:

• Encrypted at rest
• Accessible only to the MCP process servicing your account
• Never exposed in log output, error messages, or API responses
• Cross-tenant isolation enforced at the database level

You are responsible for maintaining the security of the bearer tokens we issue to your MCP client. Treat them as secrets.

Your rights

• Revoke credentials: revoke any stored third-party credentials at any time via the MCP management interface. Revocation is immediate in the live system.
• Delete MCP account: request deletion of your MCP account; all credentials and associated data deleted within 30 days, propagating through backups.
• Export call history: request export of your MCP call metadata.
• Standard rights from the Master Privacy Policy (access, correction, etc.) apply where relevant.

Contact

privacy@neuralconfig.com

← Back to the Master Privacy Policy