Last updated: 2026-07-15
This policy covers the Teamtailor MCP (Model Context Protocol) server, which lets Teamtailor customers use AI assistants, such as ChatGPT, to work with their Teamtailor account.
This policy applies specifically to the Teamtailor MCP server use and supplements Teamtailor's general Privacy Policy. Teamtailor's general Privacy Policy continues to apply to Teamtailor's processing of personal data.
Use of Teamtailor's MCP server is also subject to the agreement between Teamtailor and the relevant Teamtailor customer, including Teamtailor's Terms and Conditions and Data Processing Agreement.
What the MCP server is
The MCP server is an interface to a customer's existing Teamtailor account. It allows customer's users to connect an MCP-compatible AI assistant or other application - an "MCP client" - to the customer's existing Teamtailor account. Once connected, the MCP client may request information from Teamtailor and, where permitted, the assistant can call a fixed set of tools that read and update data in the customer's Teamtailor account, on the user's behalf.
Data the MCP server can access
Tools can return the following categories of data from the customer's Teamtailor account, depending on the user's permissions (configured by a Company Admin):
Candidate data: name, email, phone, location, LinkedIn URL, pitch and "about" text, resume text, uploaded file names and links, tags, source, ratings and reviews, answers to questions
Recruitment data: jobs, job pipelines and stages, applications, interview kits, scorecards, skills and traits, questions and answers, custom fields
Communication and activity: comments, messages with candidates, activity timelines, meeting details and meeting transcripts
Organization data: employees (name, title, role), departments, divisions, roles, locations
Task data: todos and their assignees
These categories are examples and may vary depending on the MCP client's tools made available by Teamtailor, the features used by the customer and the information entered or uploaded to the Teamtailor account. Free-text fields, messages, transcripts and uploaded documents may contain additional personal data, including sensitive personal data, provided by candidates, users or the Teamtailor customer.
Where a candidate is anonymized under Teamtailor's blind hiring feature, the MCP server is designed to apply the same masking: name, email, phone, location, LinkedIn URL and file names are withheld, and identifying details are scrubbed from free-text fields.
The MCP server also processes limited connection and usage metadata such as: user ID, company ID, the connected MCP client, user IP address, and which tools the user calls with which arguments.
Purposes
Processing on behalf of the Teamtailor customer
Teamtailor processes data through the MCP server to:
Execute the tool calls that the user's AI assistant makes on their behalf (read, create & modify, delete) in their account
Authenticate and authorize each request
Keep an audit trail of changes made through the MCP server, so the customer can see which user changed what and through which MCP client
Enforce customer's Company Admin permission settings
Data accessed through the MCP server is not used by Teamtailor to train AI models.
Processing for Teamtailor's own purposes
Teamtailor processes limited user, connection, security and usage data for its own purposes to:
provide, secure and maintain the MCP service
detect, investigate and prevent unauthorized or abusive use
monitor errors, performance and service reliability
troubleshoot technical issues; and
produce aggregated statistics and usage insights to understand and improve the service
For this processing, Teamtailor relies on its legitimate interests in providing, maintaining, protecting and improving a secure and reliable service. Further information about Teamtailor's processing as data controller is available in our general Privacy Policy.
Data accessed through the MCP server is not used by Teamtailor to train AI models. This statement applies only to Teamtailor. The external MCP client provider's use of data is governed by that provider's own terms and conditions and privacy notice.
What data is written where
Reads and writes go directly against user's Teamtailor account data, subject to their user permissions and the OAuth scopes granted (read, create & modify, delete).
Every write made through the MCP server is recorded in the customer's audit log with user identity, the connected client's name, user IP address, and a summary of the action.
Teamtailor stores application and infrastructure logs relating to the MCP server, including data points such as tool name, arguments, status and duration, tied to the user, company and connected MCP client and technical error information. Teamtailor acts as data controller when collecting and storing these logs.
Recipients
Data processed through the MCP server may be disclosed to the following recipients:
The MCP client that the customer's users connects via the integration: tool results are returned to the AI assistant connected (for example, ChatGPT). Once data reaches that MCP client, its handling of data is governed by that provider's own terms and conditions, privacy policy, and by the settings that the customer has with them, including whether or not data is used for training. Review those before connecting.
The customer: Company Admins or other authorised users within the organization can access MCP connection information, permissions and audit records in accordance with the functionality and access controls available in Teamtailor.
Teamtailor's subprocessors: Teamtailor uses the same infrastructure, hosting, security and monitoring providers used to provide the wider Teamtailor service. These providers are listed in Teamtailor's applicable subprocessor documentation.
Authorities and other parties involved in a potential or existing legal proceeding: Teamtailor may only disclose data only as described in the service agreement in place with Teamtailor and as stated in our general Privacy Policy.
Teamtailor does not sell data shared through the MCP server.
Retention
Account data (candidates, jobs, applications, etc.) is not stored as a separate dataset by the MCP server. It remains in the customer's Teamtailor account and is retained according to the customer's retention settings and Teamtailor's standard retention rules.
OAuth tokens remain valid until they expire or the connection is revoked by the user or Company Admin.
Audit log events are retained in accordance with the audit-log retention applicable to the customer's Teamtailor account.
Application and infrastructure logs are used for security, troubleshooting, performance monitoring and usage insights and are retained in accordance with Teamtailor's standard retention rules.
Your controls
Enabling the integration with the customer's chosen AI service provider: connecting an MCP client is opt-in and consent based. The customer authorises it through Teamtailor's OAuth flow and chooses the access level (read, create & modify, delete) per role.
Revoking access: Users can disconnect a MCP client at any time from their Teamtailor account settings, or by asking the Company Admin to revoke the connection. Once the connection has been revoked, the MCP client will no longer be authorized to make further requests to Teamtailor through the integration. Revocation prevents future access through Teamtailor but does not automatically delete data that the AI service provider has already received. The AI provider's retention and deletion practices are governed by its own terms and privacy documentation.
Admin controls: Company Admins control whether MCP access is enabled, and which user roles can use it and at what access level (off, read, create & modify, delete).
User permissions: MCP tools are limited by the permissions associated with the user settings in the Customer's Teamtailor account. An MCP client is not able to access data that a user account is not permitted to access in Teamtailor.
Data-subject rights: For rights concerning candidate, recruitment or other data controlled by a Teamtailor customer, please contact the relevant company directly. Teamtailor will assist the customer in responding to requests in accordance with the applicable Data Processing Agreement.
For personal data that Teamtailor processes as data controller, including certain user, connection, security and service-usage information, you may exercise your rights as described in Teamtailor's general Privacy Policy.
Security
All MCP traffic is encrypted in transit (TLS). Authentication uses OAuth 2.1 with short-lived access tokens, and each request is authorized against the user permissions configured by Company Admin, and the scopes granted to the connected MCP client. Destructive tools are annotated so MCP clients can require confirmation before running them.
External MCP clients and Legal roles
The Teamtailor customer is the data controller for candidate, recruitment and other customer account data. Teamtailor acts as a data processor and processes that data under the applicable Data Processing Agreement. When a user requests data through an MCP client, Teamtailor makes the requested data available at the direction of the customer and its user.
Teamtailor provides the MCP server but does not provide, select or control the external AI provider or other MCP clients that the customer's users choose to connect. The connected AI service is a separate third-party service and is subject to its provider's own terms, privacy notice and data-handling practices.
The customer is responsible for:
determining which MCP clients and AI services its users are permitted to connect;
assessing whether the selected service is appropriate for the data concerned;
informing users of and enforcing applicable internal AI, privacy, security and acceptable-use policies
entering into any required agreement directly with the MCP client; and
ensuring that its selection, configuration and use of the AI service complies with the EU AI Act and/or any other laws or regulatory requirements applicable to the customer
Where applicable, the customer is also responsible for implementing appropriate measures relating to human oversight, transparency, instructions, monitoring and review of AI-generated outputs. Teamtailor does not control or have sufficient insight into the customer's configuration or use of the external AI service to assess or ensure compliance with these requirements.
For limited user, connection, security and usage information processed by Teamtailor for its own purposes, Teamtailor acts as data controller. Please refer to Section 3 above and Teamtailor's general Privacy Policy.
Updates to this MCP Server Privacy Policy
We will update this privacy policy when necessary for example because the MCP functionality, available tools or related data processing changes. We encourage our customers to frequently check this page for any changes. Information about when this policy was last updated is available on the top of this page.
Contact
If you wish to get in touch with Teamtailor to exercise your rights, or if you have any questions or concerns about how we handle your personal data, you can reach us by email to support@teamtailor.com
Teamtailor also has a Data Protection Officer (DPO) who monitors our compliance with the GDPR. Teamtailor's DPO can be reached by email to dpo@teamtailor.com.
Teamtailor AB, Östgötagatan 16, 116 25 Stockholm, Sweden
