Privacy Policy
April 21, 2026 | Version 2.1
This Privacy Policy describes how Gains Insights LLC (“we,” “us,” “our”) collects, uses, shares, and protects your information when you use our platform and services. Our primary product is AskMCP (askmcp.ai). Our broader product family — all operated by Gains Insights LLC — also includes the Gains Enterprise Platform (app.gainsinsights.com), AskMCP Live (recorded video calls with real-time AI coaching and post-call summaries), Gains LifeStyle Optimized, FitCheck, and PetCheck. This Privacy Policy applies to all of them, along with their APIs, mobile apps, and associated tools.
1. Information We Collect
1.1 Account Information
- Name, email address, and organization name
- Authentication credentials (managed by Firebase Authentication)
- Billing information (processed by Stripe — we do not store credit card numbers)
- Organization settings and preferences
1.2 Content You Create
- Marketing content (text, images, videos) generated or uploaded through our platform
- Brand assets, logos, and brand kit configurations
- Campaign configurations and scheduling data
- Legal documents created through our legal assistant
- Knowledge base documents uploaded for AI agent training
1.3 Social Media Data (when you connect integrations)
- Instagram: Profile info, posts, comments, engagement metrics, story data, follower demographics
- Twitter/X: Profile info, tweets, engagement data, follower information
- TikTok: Profile info, video data, engagement metrics
- Pinterest: Profile info, boards, pins, engagement data
- Google Analytics (GA4): Website traffic, user behavior, conversion data
- Google Search Console: Search queries, impressions, click data, page performance
We only access data you explicitly authorize through OAuth consent screens. We do not access private messages unless specifically authorized for customer service features.
1.4 Voice, Phone Call, and AskMCP Live Data
When you use Voice AI features or AskMCP Live (recorded video calls):
- Call recordings: Video and/or audio stored encrypted in Google Cloud Storage. Default retention window is 90 days; organization admins can shorten the window in settings.
- Transcripts: Generated in real time via Deepgram from the in-call audio and stored in your organization’s database. Transcripts are speaker-attributed.
- Call metadata: Duration, timestamps, participant identities, host + guest join events, caller ID (where available), agent or Personify configuration.
- Personify real-time coaching: When enabled by the host, finalized transcript lines are classified and enriched by Claude (Anthropic) to surface in-call coaching cards (objections, pricing, competitor mentions, next actions). Insights are stored per-call and visible only to the host.
- Post-call summaries: After a call ends, the transcript is sent to Claude to generate a summary, key points, action items, objections, and scorecards. The generated summary is stored in your organization’s database.
- Guest invitations: When you invite a guest by email, we mint a single-use join token and send the invite via our transactional email provider (notifications@gainsinsights.com). If the guest clicks “Email me the summary” on the call-ended page, their email is stored on the call record and used exactly once to deliver the summary.
- Consent: In two-party-consent jurisdictions, every participant must confirm recording consent in the lobby before media capture begins. Consent events are logged with timestamp and IP.
- Contact information: Names, phone numbers, and email addresses collected during voice calls or submitted through call action-tools (Book Appointment, Contact Form, etc.) are stored per-organization.
1.5 AI Agent Activity Data
- Agent conversation logs and chat history
- Autonomous agent actions and decisions
- Memory entries created by AI agents (stored per-organization)
- Content ideas, drafts, and publications generated by agents
- Tool usage and execution logs
1.6 Brand Intelligence Data
Our brand intelligence system collects and analyzes:
- RSS feed content from sources you subscribe to
- Public social media mentions and sentiment
- Competitor data from public sources
- Website analytics data (via your connected GA4/GSC accounts)
1.7 Usage and Technical Data
- IP addresses (hashed for analytics, not stored in raw form)
- Browser type, device information, and operating system
- Pages visited, features used, and interaction patterns
- Error logs and performance data (via Sentry)
- API usage patterns and rate limit data
1.8 MCP (Model Context Protocol) Interaction Data
When personas are accessed through AskMCP.ai or MCP clients (e.g. Claude Desktop, ChatGPT, any RFC 7591 MCP client):
- Conversation content between users and AI personas
- Usage metrics per persona (conversation count, topic distribution)
- Abuse reports and safety event logs
- OAuth tokens and client registration data (per RFC 7591 Dynamic Client Registration)
- Action-tool submissions (Book Appointment topic + timezone, Contact Form fields, Share Email submissions) captured into the persona creator’s CRM lead pipeline
- Share-Email disclosures: emails collected via the Share_Email tool are used solely by AskMCP administrators for security, support, and product improvement. They are never shared with third parties. If an AskMCP client (an MCP link deployed by a tenant) provided you the link, that client is bound by these Terms and has its own relationship with the data captured through its personas.
2. How We Use Your Information
We use collected information to:
- Provide, maintain, and improve our platform and services
- Process transactions and manage your account
- Generate AI-powered content, analytics, and recommendations
- Train and improve AI agent performance within your organization
- Send service-related communications and notifications
- Monitor for security threats and enforce our Terms of Service
- Comply with legal obligations
- Provide customer support
We do NOT use your data to:
- Train general-purpose AI models (your data stays within your organization's context)
- Sell to third parties for advertising
- Profile you for purposes unrelated to our services
Important: All AI-powered features are experimental. AI-generated content, analytics, and recommendations do not constitute legal, financial, medical, or any other professional advice. See our Terms of Service Section 4.1 and Section 12 for full disclaimers.
3. AI Model Providers
Our platform uses third-party AI services to power features. Your data is shared with these providers as necessary to deliver the service:
| Provider | What They Process | Their Data Policy |
| --- | --- | --- |
| Anthropic (Claude) | Chat messages, agent conversations, content generation prompts | Data not used for training per API terms |
| Anthropic (Claude) | Persona conversations, Personify real-time coaching, post-call summaries, MCP tool responses | Data not used for training per Anthropic commercial API terms |
| OpenAI (GPT) | Content generation, brand analysis, image generation prompts | Data not used for training per API terms |
| Google (Gemini & Imagen) | Image generation, content analysis, voice (Gemini Flash Live) | Subject to Google Cloud data processing terms |
| Deepgram | Real-time speech-to-text for AskMCP Live call transcription | Subject to Deepgram API terms; data not retained for model training |
| LiveKit | Real-time video/audio transport for AskMCP Live calls; recording egress to our GCS bucket | Subject to LiveKit Cloud data processing terms |
| ElevenLabs | Voice synthesis, voice-agent call transcription | Subject to ElevenLabs API terms |
| Twilio | Phone calls, SMS messages, call routing | Subject to Twilio data processing agreement |
All AI providers process data under their respective API/enterprise data processing agreements, which prohibit using customer data for model training.
4. Data Isolation and Security
4.1 Tenant Isolation
Each organization's data is stored in a separate, isolated Firestore database. Cross-organization data access is architecturally impossible at the database level. Platform administration functions are restricted to verified Gains Insights staff.
4.2 Security Measures
- Encryption in transit: TLS 1.3 on all connections
- Encryption at rest: Google Cloud default encryption + AES-256 via Cloud KMS for sensitive data
- Authentication: Firebase Authentication with ID token verification and optional MFA
- Authorization: Role-based access control (7 roles) with server-side enforcement
- API security: Rate limiting (Upstash Redis), CSRF protection, input validation (Zod schemas on all endpoints), Cloud Armor WAF
- Secret management: Google Cloud Secret Manager for all credentials
- SSRF protection: DNS-resolving URL validator blocking private IP ranges
- Audit logging: Structured logging with automatic PII redaction
- Dependency security: Automated vulnerability scanning (Dependabot + npm audit)
4.3 MCP Server Security
The AskMCP.ai MCP server has additional security layers:
- OAuth 2.1 + PKCE authentication
- Per-IP and per-persona rate limiting
- 6-layer content safety pipeline (injection detection, topic boundaries, output moderation, PII scrubbing)
- Cloud Armor WAF with OWASP rules
5. Information Sharing
We may share your information in the following circumstances:
5.1 Service Providers
We use third-party services to operate our platform:
- Google Cloud Platform: Infrastructure, databases, storage, authentication
- Stripe: Payment processing
- Cloudflare: CDN, DDoS protection, WAF
- Sentry: Error tracking and monitoring
- Upstash: Rate limiting (Redis)
5.2 AI Model Providers
As described in Section 3, your data is shared with AI providers to deliver platform features.
5.3 Social Media Platforms
When you publish content through our platform, that content is shared with the respective social media platform per your configuration.
5.4 Legal Requirements
We may disclose information if required by law, legal process, or government request.
5.5 Business Transfers
In the event of a merger, acquisition, or sale, your data may be transferred as part of the business assets.
We do NOT sell your personal information to third parties.
6. Data Retention
| Data Type | Retention Period |
| --- | --- |
| Account data | While account is active + 30 days after deletion |
| Content you create | While account is active + 30 days after deletion |
| Voice recordings | 90 days, or as configured by your organization |
| Call transcripts | While account is active + 30 days after deletion |
| AI agent memory | While account is active + 30 days after deletion |
| Analytics data | 12 months rolling |
| Brand intelligence data | 6 months rolling |
| Audit logs | 12 months |
| Error logs (Sentry) | 90 days |
| MCP conversation data | 30 days |
| Social media cached data | 30 days after integration disconnected |
7. Your Rights and Choices
7.1 Access and Export
You can access and export your data at any time through:
7.2 Deletion
You can request deletion of your data by:
- Closing your account (Settings > Account > Delete Account)
- Contacting support@gainsinsights.com
Data is permanently deleted within 30 days of request.
7.3 Integration Controls
You can connect or disconnect third-party integrations at any time. Disconnecting an integration revokes our access and triggers deletion of cached data within 30 days.
7.4 Communication Preferences
You can manage notification preferences in Settings > Notifications. You may opt out of marketing communications while still receiving essential service notifications.
7.5 AI Agent Controls
You can:
- Enable or disable autonomous agent actions
- Configure what actions agents can perform
- Review and approve agent-generated content before publication
- Delete agent memory and conversation history
8. Cookies and Tracking
We use essential cookies for authentication and session management. We do not use third-party advertising cookies.
| Cookie/Technology | Purpose | Duration |
| --- | --- | --- |
| Firebase Auth token | Authentication | Session |
| CSRF token | Security | Session |
| Sentry | Error tracking | Session |
9. International Data Transfers
Your information may be transferred to and processed in the United States, where our servers are located (Google Cloud us-central1). We rely on Google Cloud's data processing agreements and standard contractual clauses for international transfers.
10. Children's Privacy
Our services are not directed to individuals under 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 18, we will delete it promptly.
11. California Privacy Rights (CCPA)
California residents have additional rights:
- Right to Know: Request details about data collected about you
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: We do not sell personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise these rights, contact privacy@gainsinsights.com or use the in-app data export/deletion tools.
12. European Privacy Rights (GDPR)
For users in the European Economic Area:
- Legal basis: Contract performance (providing the service), legitimate interest (security, improvement), consent (marketing)
- Data Protection Officer: privacy@gainsinsights.com
- Rights: Access, rectification, erasure, restriction, portability, objection
- Supervisory authority: You have the right to lodge a complaint with your local data protection authority
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before the changes take effect. The “Effective Date” at the top will be updated.
14. Contact Us
By using Gains Insights, you acknowledge that you have read and understood this Privacy Policy.