Legal

Privacy Policy

Effective date: June 5, 2026

1. Introduction

MC Squared Consulting Group (“MC Squared,” “we,” “our,” or “us”) respects your privacy. This policy describes what information we collect when you use our website, client portal, or AI-assisted tools; how we use and protect it; and what rights you have over it.

By using our services you agree to the practices described here. If you do not agree, please discontinue use and contact us to request deletion of any data we hold.

2. Information We Collect

Account Information

When you create a portal account or submit a contact form we collect your name, email address, company name, and any other information you voluntarily provide. Authentication is handled by Supabase and, where chosen, Google OAuth.

Usage Data

We collect standard server logs (IP address, browser type, pages visited, timestamps) and aggregated analytics via Vercel Analytics and Google Analytics. We use Google Ads conversion tracking to measure ad performance; no personal profile is built from this data.

Payment Information

Payments are processed by Stripe. We store only a Stripe customer ID and transaction records (amount, date, description) in our database. Full card numbers and CVV codes are never transmitted to or stored on our servers.

Gmail and Google Workspace Data

Certain MC Squared services allow you to authorize us to access your Gmail account via Google OAuth. We request only the minimum permissions required to deliver the specific feature you have enabled. See Section 5 for a full description of how Gmail data is handled.

Communications

If you contact us by email or through the site intake form we retain the content of that communication and your contact details in order to respond and keep a record.

3. How We Use Your Information

  • To provide, operate, and improve our services and client portal.
  • To deliver AI-assisted analysis and strategy reports you have requested.
  • To process payments and maintain billing records.
  • To respond to your inquiries and provide customer support.
  • To send transactional emails (receipts, report delivery, security notices).
  • To measure advertising effectiveness and improve site performance.
  • To comply with legal obligations and enforce our terms of service.

We do not sell your personal information to third parties for their marketing purposes.

4. Data Sharing

We share your information only in the following circumstances:

  • Service providers. Supabase (database and authentication), Stripe (payments), Vercel (hosting), Resend (transactional email), Sanity (content management), and Anthropic (AI inference). Each operates under its own privacy and data processing agreement.
  • Legal requirements. If required by law, subpoena, or other legal process, or to protect the rights, property, or safety of MC Squared, our clients, or the public.
  • Business transfers. In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your information becomes subject to a materially different privacy policy.

We never sell, rent, or trade your personal information or Gmail data to data brokers, advertisers, or any third party for their own purposes.

5. Gmail Data — Special Notice

This section provides full disclosure of how MC Squared handles Gmail and Google Workspace data in compliance with the Google API Services User Data Policy.

What We Access

When you connect Gmail to an MC Squared service, we request access to read, label, and organize your Gmail messages. We access only what is required to provide the specific inbox-management feature you have activated. We apply the principle of least privilege: if a feature requires only message metadata (sender, subject, date, labels), we request only metadata access.

Purpose of Access

Gmail data is accessed solely to provide the inbox-intelligence and organization features you have requested — for example, prioritizing client emails, surfacing action items, or applying labels. It is not used for advertising, profiling, training AI models, or any purpose unrelated to the feature you activated.

Storage and Processing

Gmail message content is processed in real time to generate insights or apply organization actions. Full message bodies are not written to our database. We may temporarily store message metadata (sender, subject, date, thread ID, labels) for up to 24 hours to deliver session-continuity features. No Gmail data is retained beyond 30 days from the last use of the Gmail integration feature on your account.

Human Access

MC Squared staff do not read or review your individual Gmail messages. The only access to Gmail content is automated and limited to what is necessary to deliver the requested feature. In exceptional circumstances (e.g., a security incident investigation), access may be reviewed in aggregate, anonymized form.

Token Storage

Your Google OAuth refresh token is encrypted at rest in our database (Supabase, AES-256 encryption) and transmitted only over TLS. We store the token only as long as your Gmail integration is active. You may revoke access at any time (see below) and the token is deleted immediately upon revocation.

Data Transfer and Sharing

Gmail data is never sold, rented, shared with advertisers, or disclosed to any third party except as required by law or to fulfill the service (e.g., forwarding an inbox summary to the Anthropic API to generate an analysis). Anthropic processes this data under its privacy policy and does not use customer data to train models.

Revoking Gmail Access

You can disconnect Gmail at any time from your portal account settings. You may also revoke access directly in your Google Account under Security → Third-party apps with account access. Upon revocation, we delete your refresh token and any cached Gmail metadata within 7 days.

6. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy or as required by law. The table below shows our standard retention periods by data category.

Data Category | Retention Period | Basis
Portal account data | Duration of account + 2 years after deletion request | Dispute resolution, legal compliance
Strategy reports and AI outputs | Duration of account; deleted within 30 days of account deletion | Service delivery, client reference
Payment and billing records | 7 years | Tax and financial regulatory requirements
Contact form submissions | 2 years from submission | Business correspondence
Gmail OAuth refresh token | Until revocation; deleted within 7 days of revocation | Active service authorization
Gmail message metadata (cached) | Up to 24 hours per session; maximum 30 days from last use | Session continuity
Gmail message content | Not stored (processed in real time only) | Minimal data principle
Server logs and analytics | 26 months | Security, performance analysis
Security incident records | 5 years | Legal compliance

When data reaches the end of its retention period, it is deleted or irreversibly anonymized. Deletion requests are honored within 30 days except where retention is required by law (e.g., financial records).

7. Security

We implement appropriate technical and organizational measures to protect your data, including:

  • TLS encryption for all data in transit.
  • AES-256 encryption at rest for database records including OAuth tokens.
  • Role-based access controls limiting staff access to production data.
  • HTTP security headers (HSTS, CSP, X-Frame-Options) on all responses.
  • Annual third-party security assessments aligned with OWASP ASVS standards.
  • Dependency and vulnerability monitoring.

No system is perfectly secure. In the event of a data breach that poses a risk to your rights, we will notify affected users and relevant authorities as required by applicable law.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request correction of inaccurate or incomplete data.
  • Deletion — request deletion of your data, subject to legal retention requirements.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Revocation — withdraw consent for Gmail or other third-party integrations at any time without affecting prior processing.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

9. Cookies

We use the categories of cookies described below. Strictly necessary and payment-function cookies are always active. Analytics and advertising cookies are only set after you click “Accept all” in our cookie banner. You can withdraw consent at any time by clearing your browser cookies or adjusting your browser settings; this will not affect authentication or core site functionality.

Cookie | Set by | Purpose | Duration | Category
sb-*-auth-token | MC Squared (Supabase) | Keeps you signed in to the portal and admin areas. Contains an encrypted JWT; HttpOnly and Secure so it is not readable by JavaScript. | Session / until sign-out | Strictly necessary
__stripe_mid | Stripe | Fraud detection. Helps Stripe identify the device across payment sessions to reduce fraudulent transactions. Only set when a payment element is loaded. | 1 year | Strictly necessary (payment function)
__stripe_sid | Stripe | Fraud detection. Short-lived session identifier used by Stripe alongside __stripe_mid during the active payment flow. | 30 minutes | Strictly necessary (payment function)
_ga | Google Analytics | Distinguishes unique visitors. Used to generate aggregate statistics on how people use the site. | 2 years | Analytics (consent required)
_ga_* | Google Analytics | Maintains session state for Google Analytics 4. | 2 years | Analytics (consent required)
_gcl_au | Google Ads | Stores and tracks ad conversion events (e.g. contact form submission after clicking a Google Ad). | 90 days | Advertising (consent required)

10. Third-Party Links

Our site may contain links to third-party websites. We are not responsible for the privacy practices of those sites. We encourage you to read their privacy policies before providing any personal information.

11. Children’s Privacy

Our services are directed at businesses and professionals. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected such information, please contact us immediately.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by updating the effective date at the top of this page and, for registered portal users, by email notification. Continued use of our services after a change constitutes acceptance of the updated policy.

13. Contact

Questions or requests regarding this privacy policy should be directed to:

MC Squared Consulting Group

[email protected]

mcsquaredconsultinggroup.com