Privacy Policy

Last updated: February 2026

⚠️ Quo MCP is not HIPAA compliant and is not covered under Quo's Business Associate Agreement. Do not use this tool to transmit protected health information (PHI).

Introduction

Quo MCP is a Model Context Protocol server that provides communication tools through AI assistants such as Claude Desktop and ChatGPT. This policy describes how we handle data when you use the Quo MCP service.

Data Collection

Quo MCP collects limited analytics data to monitor service health and improve reliability. When you invoke a tool, we record:

A hashed, anonymized identifier derived from your credentials (SHA-256, first 16 characters only — your actual credentials are never stored)
The tool name invoked (e.g., send-message, create-contact)
Whether the call succeeded or failed
Response time in milliseconds
Client type (Claude Desktop, ChatGPT, or other)

We never collect or store: message content, contact details, phone numbers, conversation text, or any user-generated content. Analytics data contains no personally identifiable information.

Authentication & Security

Quo MCP uses OAuth 2.0 with PKCE for secure authentication:

Authentication is handled through a standard OAuth 2.0 authorization flow
Access tokens are short-lived (1-hour expiry) and cryptographically signed
No credentials are stored server-side — the server is fully stateless
Tokens are signed with HMAC-SHA256 to prevent tampering
After token expiry, full re-authentication is required

Third-Party Services

Quo MCP integrates with the following third-party services:

Quo API — All messaging, contact, and call transcript operations are performed through the Quo API. Data flows directly between the MCP server and Quo's infrastructure.
Segment — Anonymous tool usage analytics (as described in Data Collection above) are sent to Segment for aggregation. Segment does not receive any user content or credentials.
Cloudflare Workers — The MCP server runs on Cloudflare's edge infrastructure. Cloudflare processes requests but does not persistently store user data beyond standard request logging.

Data Retention

The Quo MCP server does not persistently store any user data. It operates as a stateless proxy between your AI assistant and the Quo API.

Access tokens expire after 1 hour and are not stored server-side
Analytics events are retained according to Segment's data retention policies
No message content, contact information, or call transcripts are cached or stored by the MCP server

HIPAA Compliance

Quo MCP is not HIPAA compliant and is not covered under Quo's Business Associate Agreement (BAA). You must not use this service to transmit, store, or process protected health information (PHI). If your use case involves healthcare data, do not use Quo MCP.

Contact

For privacy inquiries or questions about this policy, please contact Quo support at my.quo.com.