Privacy Policy
Last Updated: April 2026
1. Introduction
Surge Software Solutions ("Surge," "we," "our," "us") operates enterprise AI products and services including MCP (Model Context Protocol) connectors and AI-powered enterprise tools. This Privacy Policy describes how we collect, use, and protect information when you use our products and services.
2. Products Covered
- Microsoft Teams MCP Connector (microsoft-teams-mcp-server)
- Future MCP connectors and enterprise AI products
- surgesoftware.com website
3. Information We Collect
Through our MCP Connectors:
- OAuth 2.0 authentication tokens — required to access your enterprise platform on your behalf
- Platform data accessed during your session (e.g., Teams channels, messages, search results) — processed in real-time, not stored
- Session metadata (connection timestamps, transport type)
Through our Website:
- Information you provide via contact forms (name, email, company, message)
- Standard web analytics (page views, browser type, referral source)
- Cookies for essential site functionality
4. How We Use Information
- To authenticate you with your enterprise platform (Microsoft 365, etc.)
- To process your queries and return results during active sessions
- To respond to your inquiries submitted through our website
- To improve our products and services
5. Data Handling Practices — MCP Connectors
- Session-based processing: All data is processed in-memory during your active session only
- No permanent storage: We do not store your messages, files, or enterprise data on our servers
- Token isolation: Authentication tokens are scoped to individual sessions and never shared across users or sessions
- Stateless architecture: When your session ends or disconnects, all session data is immediately cleared
- No data mining: We do not analyze, profile, or mine your enterprise data for any purpose beyond fulfilling your immediate request
6. OAuth Permissions
Our Microsoft Teams MCP Connector requests the following Microsoft Graph permissions (delegated):
- Channel.ReadBasic.All — List channels in your teams
- ChannelMessage.Read.All — Read channel messages
- Chat.Read — Read your chat messages
- Chat.ReadWrite — Send chat messages on your behalf
- ChannelMessage.Send — Send channel messages on your behalf
- Team.ReadBasic.All — List your teams
- User.Read — Read your basic profile
These permissions are requested through Microsoft's standard OAuth 2.0 consent flow. You or your organization's admin can review and revoke these permissions at any time through the Microsoft 365 admin center or Azure AD portal.
7. Data Sharing
- We do NOT sell your data to anyone
- We do NOT share your data with third parties for advertising or marketing
- We do NOT use your data to train AI models
- Data flows directly between your enterprise platform's API (e.g., Microsoft Graph) and the AI assistant (e.g., Claude) — we act as a secure conduit, not a data store
Third-party services involved in the data flow:
- Microsoft Graph API (your platform)
- Anthropic Claude (AI processing via MCP protocol)
- Railway (infrastructure hosting)
8. Data Security
- OAuth 2.0 with PKCE (Proof Key for Code Exchange) for authentication
- All communications over HTTPS/TLS
- No hardcoded secrets or credentials in published packages
- Multi-tenant architecture with strict session isolation
- Infrastructure hosted on Railway with SOC 2 compliant practices
9. Your Rights
- Access: You can request information about what data we process during your sessions
- Revocation: You can revoke our connector's access at any time through your Microsoft 365 admin settings (Azure AD > Enterprise Applications)
- Deletion: Since we don't store your data permanently, there is nothing to delete. Session data is cleared automatically when you disconnect.
- Portability: Your data remains in your enterprise platform — we don't create separate copies
10. GDPR Compliance (EU Users)
- Legal basis for processing: Consent (you explicitly connect your account) and Legitimate Interest (providing the service you requested)
- Data processor: Surge acts as a data processor on your behalf. Your enterprise platform remains the data controller.
- Cross-border transfers: Data may be processed through servers in the US (Railway infrastructure) and routed through Anthropic's API. These transfers are governed by standard contractual clauses.
- DPO Contact: venumuvva@gmail.com
11. Children's Privacy
Our products are designed for enterprise use and are not directed at children under 16. We do not knowingly collect information from children.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of material changes by updating the "Last Updated" date and, where possible, through our product interfaces.
13. Contact Us
For privacy-related inquiries:
- Email: venumuvva@gmail.com
- Company: Surge Software Solutions
- Location: Hyderabad, India