Privacy Policy

Last updated: May 2026

This privacy policy describes how the BoldTrail MCP Server operated by AiM Marketing Academy ("we", "us") handles your data.

What We Collect

• API Credentials: Your BoldTrail API token, encrypted with AES-256-GCM and stored in our secure key-value store (Upstash Redis via Vercel KV).
• Session Metadata: OAuth client registration data (client ID, redirect URIs) required by the MCP protocol.

We do not store any CRM data (contacts, listings, transactions, etc.). All CRM data is passed through in real-time and is never persisted on our servers.

How Your Data Flows

• When you use this MCP server through Claude, your requests are sent from Claude (Anthropic) to our server.
• Our server decrypts your stored credentials and makes API calls to BoldTrail on your behalf.
• BoldTrail API responses are returned to Claude for processing within your conversation.
• No CRM data is logged, cached, or retained by our server.

AI Training Disclosure

Your data is NOT used to train any AI models. Neither AiM Marketing Academy, Anthropic (Claude), nor any sub-processor in our data flow uses your CRM data for AI model training, fine-tuning, or improvement purposes. Anthropic's API terms explicitly exclude API conversation data from model training.

Sub-Processors

• Vercel — Hosts our server infrastructure (serverless functions)
• Upstash — Provides encrypted key-value storage (Redis) for credential storage
• Anthropic — Operates Claude, which processes API responses within your conversation context

Data Retention

• Encrypted API tokens: Up to 30 days (refresh token lifetime)
• Access tokens: 1 hour
• CRM data: Zero retention (real-time pass-through only)

Your Rights

• You may revoke access at any time by disconnecting in Claude Desktop or regenerating your API token in BoldTrail.
• You may request immediate deletion of your stored credentials via our self-service deletion page or by contacting us.
• Upon disconnection, your encrypted credentials are automatically purged when they expire.

Security

All credentials are encrypted at rest with AES-256-GCM. All communications use TLS 1.2+. Token lookups use SHA-256 hashing. We implement PKCE (S256) for OAuth flows.

Disclaimers

• AI-generated output should not be used for housing, credit, employment, or other material decisions about individuals without independent verification.
• Users are responsible for ensuring their use complies with applicable MLS rules, TCPA, CAN-SPAM, Fair Housing Act, and their CRM's terms of service.
• AI output should be reviewed before sending to clients or contacts.

Contact

For privacy inquiries or credential deletion requests, contact AiM Marketing Academy at support@aimarketingacademy.com.