Privacy Policy

Slate MCP • Last updated: March 1, 2026

Summary

The Slate MCP server allows AI assistants (such as Claude) to interact with your Slate account on your behalf using the Model Context Protocol (MCP). MCP is available on Standard and Pro plans. All access requires explicit OAuth authorization and is scoped to your account via row-level security.

Authentication and Authorization

The Slate MCP server uses OAuth 2.1 with mandatory PKCE (S256) for secure authentication. When you connect an AI assistant, you explicitly authorize it with a single permission scope:

  • course:create - create and manage courses in your Slate account

Token lifecycle:

  • Access tokens: 15-minute expiry
  • Refresh tokens: 7-day expiry, rotated on each use
  • Authorization codes: Single-use with 10-minute TTL

All tokens are stored as SHA-256 hashes. You can revoke access at any time by disconnecting from your Slate account settings.

Data Accessible via MCP

Read-only access

  • Course metadata (titles, descriptions, outlines, settings)
  • Lesson content (blocks, translations)
  • Review feedback and issue counts
  • Aggregate engagement analytics (completion rates, viewer counts, average progress)
  • AI credit balance and user preferences
  • Course tags and preview links

Write access

  • Create courses (AI-generated)
  • Create and update preview links
  • Open and close reviews, generate checklists
  • Add and remove course tags (including bulk operations)
  • Create and manage tracked sharing links

Data We Do NOT Collect

  • Individual viewer PII from tracked links (names, emails, and IP addresses are never exposed through MCP)
  • Browsing history
  • Payment details
  • Course content from other users

Analytics data returned through MCP is always aggregated. Individual viewer identities are never exposed.

Third-Party AI Processing

When you use MCP with an AI assistant, data retrieved from Slate is processed by that assistant's provider (e.g., Anthropic for Claude). Their privacy policy governs how they handle data received through MCP. Slate does not control how the AI assistant processes or stores data retrieved from your account.

We recommend reviewing their policies before connecting. See Anthropic's privacy policy.

Security

We implement multiple security measures to protect your data:

  • OAuth 2.1 with mandatory PKCE (S256): Prevents authorization code interception
  • Row-level security: All database tables enforce account-scoped access
  • Rate limiting: Three tiers based on plan (3/min free, 10/min standard, 20/min pro)
  • Prompt injection defense: Regex filtering, delimiter removal, and input length limits
  • Token hashing: All tokens hashed with SHA-256 before storage
  • Constant-time comparison: PKCE verification uses constant-time comparison to prevent timing attacks
  • PII sanitization: Structured logging with automatic PII sanitization
  • Content Security Policy: CSP headers on consent pages
  • X-Frame-Options: DENY: Consent pages cannot be embedded in iframes

Third-Party Services

Service            Purpose
Supabase           Database, authentication, and file storage
Cloudflare         Worker hosting and KV storage for rate limiting
Google (Gemini)    AI course generation, review summaries, and translations (via AI worker)

Data Retention

  • Course data follows Slate's standard 30-day account deletion policy
  • Access tokens expire after 15 minutes
  • Refresh tokens expire after 7 days, rotated on each use
  • Authorization codes expire after 10 minutes, single-use
  • Rate limit counters in Cloudflare KV have automatic TTL

Your Rights

You can:

  • Revoke MCP access at any time by disconnecting from your Slate account settings
  • Delete any courses created via MCP from your Slate account
  • Request deletion of your account and all associated data
  • Exercise all rights described in our main privacy policy

Relationship to Main Privacy Policy

This policy covers data practices specific to the Slate MCP server. For general information about how Slate handles your data, including account information, content storage, and your broader privacy rights, please see our main privacy policy.

Changes to This Policy

We may update this privacy policy as the MCP server evolves. Changes will be noted by updating the "Last updated" date at the top of this page.

Contact

The Slate MCP server is built by Slate eLearning.