ParaLeagle MCP Connector — Privacy Policy
ParaLeagle Inc. ("ParaLeagle", "we") operates a Model Context Protocol (MCP) connector that exposes a curated set of US-immigration-practice tools to Anthropic's Claude assistant (claude.ai, Claude Desktop, Claude Cowork). This policy describes what we collect when you connect Claude to ParaLeagle, how we use and store that data, and what your rights are. It applies only to the MCP connector. The privacy practices of the broader ParaLeagle web application (platform.paraleagle.ai) are governed by our main privacy policy.
1. What we collect
1.1 Identity and authentication data
When you authorize Claude to connect to ParaLeagle, we receive a federated identity from your existing ParaLeagle account that includes:
- Your email address (as the user identifier)
- A ParaLeagle user identifier linking your Claude session to your existing ParaLeagle account
- Standard OAuth 2.1 tokens (access token, refresh token), encrypted at rest in our PostgreSQL database under the
mcpschema
1.2 Tool-invocation logs
Every time Claude calls a tool through the connector, we log:
- The tool name (e.g.
search_aao_decisions,determine_soc_code) - The timestamp and request ID
- The authenticated user identifier (Firebase UID)
- The HTTP response status and tool latency
We do not log the raw tool arguments or response bodies by default. PII redaction (Social Security Numbers, USCIS A-numbers, credit card numbers, API keys) is applied at the logging layer.
1.3 Tool-specific inputs and outputs
Some tools, by their nature, process sensitive data inside the request to deliver a result. These are:
- Document extraction (
extract_document): operates on a document the user has already uploaded to ParaLeagle's S3 bucket through the web application. Claude never uploads files directly via the connector. - Form generation (
generate_form_pdf,fill_form_standalone): produces filled USCIS PDFs from your case data, watermarked DRAFT, stored in ParaLeagle's S3 bucket and accessed via 1-hour presigned URLs. - Intake (
submit_intake_answers): writes case data into a specific ParaLeagle case the user already has access to. ACL enforced server-side.
1.4 What we do not collect
- We do not access or store your Claude conversation history.
- We do not collect data about your use of other Claude connectors.
- We do not run analytics scripts in the consent screen beyond Firebase Authentication's own session tracking.
- We do not sell or rent user data to any third party.
2. How we use the data
The data described above is used solely to:
- Authenticate you and authorize your access to ParaLeagle resources (case data, document extraction, form generation)
- Enforce per-user rate limits and the 5-fills-per-month standalone form quota (free tier)
- Detect and respond to abuse, security incidents, and policy violations
- Bill paid usage (case-bound tools) against your existing ParaLeagle subscription
- Generate aggregate, non-identifying usage metrics to inform product decisions
We do not use your data to train AI models — neither ours nor Anthropic's. Tool-invocation logs are not shared with Anthropic.
3. Third-party sub-processors
The ParaLeagle MCP connector depends on the following sub-processors:
| Sub-processor | Purpose | Data accessed |
|---|---|---|
| Anthropic (Claude.ai / Claude.com) | Brokers the user OAuth flow and routes tool calls from Claude to ParaLeagle | OAuth tokens at rest in Anthropic's encrypted storage; tool requests and responses in transit only |
| Render | Hosting provider for the MCP server and its PostgreSQL database | All MCP application data at rest, encrypted with AWS KMS |
| Google Gemini (text-embedding-001, gemini-embedding-001) | Generates embeddings for AAO decision search and reasoning for SOC-code classification | Anonymous query strings only; never PII or identifying case fields |
| Amazon S3 (us-east-1) | Stores generated PDFs and uploaded documents linked to ParaLeagle cases | User-uploaded documents and ParaLeagle-generated PDFs, server-side encrypted |
None of these sub-processors are used to display ads or for non-essential analytics.
4. Retention
- OAuth refresh tokens: retained until you revoke the connector at
claude.ai/settings/connectorsor until your ParaLeagle account is deleted, whichever comes first. - Tool invocation logs: retained for 90 days for security and abuse-investigation purposes, then automatically purged.
- Generated PDFs: follow the retention rules of your ParaLeagle case and ParaLeagle's main S3 lifecycle policy.
- Anonymous query strings sent to Gemini: not retained by ParaLeagle. Subject to Google's own retention policy for the Vertex AI / Gemini API.
5. Your rights
If you are in the European Economic Area, the United Kingdom, or California, you have the right to:
- Access the data we hold about you
- Correct inaccurate data
- Request deletion of your data (subject to legal and contractual retention requirements your firm may have)
- Object to certain processing
- Receive a copy of your data in a portable format
To exercise these rights, email team@paraleagle.ai. You can revoke the connector at any time from claude.ai/settings/connectors; doing so immediately invalidates the OAuth refresh token and cuts off Claude's access to ParaLeagle on your behalf.
6. Security
- All connections to the MCP server are TLS 1.2+ with certificates issued by a publicly trusted CA
- OAuth flows use PKCE (S256) per the OAuth 2.1 specification
- Refresh tokens are stored encrypted at rest in our PostgreSQL database
- JWTs issued to Claude are signed with RS256 and the public key is published at
mcp.paraleagle.ai/.well-known/jwks.json - Tool calls touching case data are server-side ACL-enforced against the existing ParaLeagle case-permission system; the MCP connector cannot escalate beyond what the user can access in the web app
- Origin header validation guards against DNS-rebinding attacks per the MCP specification
7. AI-specific disclosures
Tools exposed through this connector return data and computed results — they do not provide legal advice. Where a tool's output is computed by an underlying language model (such as determine_soc_code, which uses Google Gemini against DOL SOC reference data, or search_aao_decisions, which uses Gemini embeddings for semantic search), the response includes a source field disclosing the underlying model and corpus. Users should independently verify any tool output before relying on it for filings or attorney advice. ParaLeagle does not generate legal opinions or render legal advice through the connector.
8. Children
The connector is not directed to children. We do not knowingly collect data from anyone under 18. If you believe a minor has registered an account, contact team@paraleagle.ai and we will delete the account.
9. Changes to this policy
If we make material changes to this policy, we will update the effective date at the top, post a notice on this page, and (where required) notify connected users by email. Continued use of the connector after changes constitutes acceptance of the updated terms.
10. Contact
Privacy questions and data-rights requests: team@paraleagle.ai
Security disclosures: team@paraleagle.ai
General support: team@paraleagle.ai
Mailing address available on request.