Privacy Policy
Last updated: 17 April 2026
CongressMCP takes the privacy of its users and the data they work with seriously. This policy describes what we collect, how we use it, who we share it with, and the rights you have over it.
1. What We Collect
Account information
- Email address (required for magic-link authentication)
- Name (required at signup)
- Session tokens and API keys you create
Usage data
- Every state-changing action you take in the service, captured in our audit log
- Timestamps, IP address, request identifiers, and (best-effort) the AI orchestrator through which the action was taken
- Content you create: signals, notes, reports, scorecards, contact directory entries
Billing data (paid tiers)
- Stripe customer and subscription identifiers. Stripe handles payment methods and billing addresses directly; we never see your card number.
2. How We Use It
We use the data you provide to:
- Authenticate you and maintain your sessions
- Deliver the service features you use (tracking, scorecards, reports)
- Maintain the audit log that you may request for compliance review
- Detect abuse and enforce rate limits
- Communicate service-related messages (magic links, billing notifications, major product changes)
We do not sell your data. We do not use your content to train AI models.
3. Third-Party Subprocessors
| Subprocessor | Purpose | Data shared |
|---|---|---|
| Stripe, Inc. | Payment processing | Email, billing address, payment method (collected by Stripe directly) |
| Resend | Transactional email | Email address, message content (magic links, notifications) |
| Supabase | Database hosting | All account and content data |
| DigitalOcean | Application hosting | All traffic |
| Anthropic | Optional in-app AI chat | Message content of any chats you initiate in the built-in chat (deprecated) |
| Routpoint (data.routpoint.com) | Congressional data source | Query terms; no user identity |
4. Retention
- Account data: retained while your account is active
- Content (signals, reports, etc.): retained while your account is active; purged 30 days after account deletion
- Audit log: retained for 90 days in active storage; archived for up to 3 years for compliance
- Billing records: retained per our tax and legal obligations (typically 7 years)
5. Your Rights
You have the right to:
- Access the data we hold about you
- Export your workspaces, signals, and reports
- Correct inaccurate account information
- Delete your account and associated content (subject to audit-log retention)
- Object to specific uses (contact support to discuss)
To exercise any of these, email [email protected]. We respond within 30 days.
6. Children
CongressMCP is a professional tool. We do not knowingly collect data from anyone under 18. If you believe we have, contact us and we will delete it.
7. International Users
The service is hosted in the United States. By using it, you understand that your data will be processed in the U.S. If you are in the EU/UK and want to discuss a data-processing agreement, contact us.
8. Security
We use industry-standard practices: HTTPS everywhere, encrypted secrets at rest, bcrypt/argon2 password hashing (for API keys), session cookies scoped with HttpOnly and Secure flags, and rate limiting on authentication endpoints. No system is perfectly secure; we disclose material security incidents to affected users within 72 hours of confirmation.
9. Changes to This Policy
We may update this policy. Material changes will be announced by email and posted here at least 14 days before taking effect.
10. Contact
Privacy questions: [email protected].