This Privacy Policy describes how MSP Automator Labs, LLC, a New Jersey limited liability company doing business as StackJack.io (“StackJack,” “we,” “us,” or “our”) collects, uses, and protects information in connection with the StackJack application (the “Service”) and the stackjack.io website (the “Site”).
By using StackJack or visiting the Site, you agree to the practices described in this policy. If you do not agree, please do not use the Service or the Site.
The short version: we collect what we need to operate the service, we do not sell or share your data with third parties, and we do not use your information for marketing purposes.
When you create a StackJack account, we collect the information you provide during registration: your name, email address, company or organization name, and billing information. Payment processing is handled by Stripe — we never store your full credit card number, CVV, or raw payment credentials. We retain only what Stripe provides to confirm your subscription (last four digits, card brand, billing address, transaction identifiers).
When you use StackJack to interact with your connected platforms, we log tool call metadata (which tool was invoked, timestamp, response status, latency), aggregate call volume counts for rate limiting and plan enforcement, and error/diagnostic logs for debugging. We do not log the content or payload of API responses from your connected platforms.
When you visit stackjack.io, we may collect standard technical information: IP address, browser type and version, operating system, referring URL, pages visited, time on pages, and navigation paths. We use cookies strictly necessary for site functionality (WooCommerce cart, login sessions). We do not use third-party advertising trackers or retargeting pixels.
StackJack operates as an MCP proxy that connects AI assistants to your MSP tools. Depending on your plan and the connector, we process different credential types.
You provide a Client ID and Client Secret for each connector (your platform API application credentials (e.g., HaloPSA, NinjaRMM, or CIPP Client ID and Secret; ConnectWise Manage API keys)). These are encrypted at rest and used exclusively to authenticate API requests to your platform on your behalf.
Each team member authenticates as themselves via the OAuth 2.0 PKCE flow. StackJack facilitates the handshake but never sees or stores your platform password. We receive and store OAuth access and refresh tokens, encrypted at rest, used solely to authenticate requests under your individual identity.
Your StackJack subscription supports unlimited MCP client connections (e.g., Claude Desktop, Cursor, Copilot). We log which MCP client initiated each tool call for audit and rate-limiting purposes. Per-user tool restrictions you configure are enforced at the proxy level.
If you use team invite functionality (available on Business plans), we collect the email addresses of invited team members and associate their accounts with your subscription for access control and audit logging.
Pass-through proxy: StackJack does not store, cache, index, or retain the content of API responses from your connected platforms. Your ticket details, client records, device information, asset data, invoices, and all other business data flows through StackJack in transit and is discarded after the request completes.
We use the information we collect for the following purposes and no others.
Authenticating your connections to HaloPSA, NinjaRMM, ConnectWise Manage, CIPP, and other supported platforms. Routing MCP tool calls between your AI assistant and your connected platforms. Enforcing plan-level rate limits and tool access controls.
Managing your subscription, processing payments through Stripe, communicating with you about your account status (subscription confirmations, billing notices, critical service notifications), and providing customer support when you contact us.
Monitoring service health, diagnosing errors, and analyzing aggregate usage patterns (tool call volumes, error rates, latency) to improve reliability and performance. This analysis is performed on metadata only — never on the content of your business data.
Your account information, usage data, connector credentials, and any business data that transits through StackJack will never be sold to any third party, under any circumstances, for any reason.
We do not provide, rent, license, or disclose your information to third parties for their marketing, advertising, or promotional purposes. We do not operate an email marketing list, newsletter, or promotional mailing program. Period.
The business data that flows through StackJack from your connected platforms (tickets, clients, devices, invoices, etc.) is never used to train, fine-tune, or improve any machine learning or AI model — ours or anyone else’s.
StackJack is a proxy. Your HaloPSA tickets, NinjaRMM device records, ConnectWise Manage service tickets, CIPP tenant data, client information, financial data, and all other business content passes through in transit and is not persisted, cached, indexed, or retained after the API response is delivered.
You will only receive transactional communications related to your account: subscription confirmations, billing notices, and critical service notifications. That’s it. No drip campaigns, no “just checking in,” no promotional emails.
StackJack integrates with a limited number of third-party services essential to operating the platform. They receive only the minimum information required.
Payment Processing
Stripe processes subscription payments. Payment information is transmitted directly to Stripe via their client-side SDK — StackJack servers never receive your full card number. Stripe’s privacy policy governs their handling of your payment data.
Storefront & Order Management
The stackjack.io storefront is powered by WooCommerce on our self-hosted WordPress installation. Order records are stored in our WooCommerce database and not shared with Automattic or any WooCommerce-affiliated entity.
HaloPSA, NinjaRMM, ConnectWise Manage, CIPP, etc.
StackJack communicates with platforms you explicitly connect using credentials you provide. Data exchanged is governed by your existing agreements with those vendors. StackJack acts as an authorized intermediary — we transmit requests and responses but do not independently access, analyze, or retain the data.
Anthropic (Claude), OpenAI, etc.
StackJack is consumed by AI assistants through the MCP protocol. The AI provider sends tool call requests to StackJack, and StackJack returns the results. The AI provider’s own privacy policy governs how they handle conversation content. StackJack does not send data to AI providers beyond the tool call responses they request.
We do not use any third-party analytics platforms, advertising networks, data brokers, customer data platforms, or any other service that would result in your data being shared outside the providers listed above.
All stored credentials (Client IDs, Secrets, OAuth tokens) encrypted using AES-256.
All communications encrypted via TLS 1.2+ between your AI, StackJack, and your platforms.
Every customer’s data is completely isolated. One tenant can never access another.
Web Application Firewall with industry-standard rule sets on every request.
Every tool call logged with timestamp, duration, and result.
Hosted on Microsoft Azure with auto-scaling, private networking, and access controls.
No system is perfectly secure. While we implement robust protections, we cannot guarantee absolute security. If we become aware of a security breach affecting your data, we will notify you in accordance with applicable law.
Retained for the duration of your active subscription and for a reasonable period afterward to facilitate reactivation and comply with legal and financial record-keeping obligations.
Deleted when you disconnect a connector or cancel your subscription. Encrypted credentials are purged from our systems; we do not retain copies.
Retained for up to 90 days for operational and debugging purposes, then automatically purged.
Never retained. StackJack is a pass-through proxy. Response data exists only in memory for the duration of the request and is not written to any persistent storage.
To request deletion of your account and all associated data, contact us at ceej@stackjack.io. We will process deletion requests within 30 days.
Depending on your jurisdiction, you may have the following rights regarding your personal information.
Request a copy of the personal data we hold about you.
Request correction of inaccurate personal data.
Request deletion of your personal data from our systems.
Request an export of your data in a machine-readable format.
Object to certain processing of your personal data.
We will not discriminate against you for exercising your privacy rights.
To exercise any of these rights, email ceej@stackjack.io. We will respond to verified requests within 30 days.
StackJack is a business-to-business service designed for managed service providers and IT professionals. We do not knowingly collect personal information from anyone under the age of 18. If we become aware that we have collected personal information from a minor, we will delete it promptly.
StackJack’s infrastructure is hosted on Microsoft Azure. Your data may be processed in the United States or other jurisdictions where Azure operates data centers. If you are in the EEA, UK, or other jurisdictions with data transfer restrictions, by using StackJack you consent to the transfer and processing of your data in the United States. We apply the same protections regardless of where data is processed.
The stackjack.io website uses cookies strictly necessary for site operation: session cookies to maintain your login state, WooCommerce cookies for storefront functionality (cart, checkout, account management), and standard WordPress session/authentication cookies. We do not use advertising cookies, third-party tracking cookies, or retargeting pixels of any kind.
We may update this Privacy Policy from time to time. If we make material changes, we will notify active subscribers by email and update the “Last updated” date at the top. Changes will not be applied retroactively. If a change materially reduces your rights or expands how we use your data, we will obtain your consent before applying it to data collected under the previous policy.