Privacy Policy

Stabile: Loyalty Rewards Agent — ChatGPT App & MCP Server
Developer: StabileRewards  •  Effective Date: 2026-03-30  •  Contact: privacy@stabilerewards.com

This Privacy Policy describes how Stabile: Loyalty Rewards Agent (“we”, “our”, or “us”) handles data when merchants and AI agents invoke our tools via the ChatGPT App and MCP (Model Context Protocol) server. We are committed to full transparency about every data field our tools receive and process.

1. Data We Process

Our tools receive only the information required to calculate and issue loyalty rewards. The table below lists every data field accepted as input by our MCP tools, its purpose, and whether it is returned in any response.

Field Category Purpose Returned in response?
customer_email Buyer identifier Identifies the buyer per the ACP / UCP buyer object standard. Used to route reward calculations and issuances to the correct account. No
cart_total Transaction data Current cart value in USD. Used to calculate eligible reward options and their economic impact. No
cart_id Session identifier Merchant-provided checkout session ID. Used to correlate reward actions to a specific cart. Not returned in tool responses. No
transaction_id Transaction reference Merchant’s reference ID for the underlying commerce transaction. Associates reward issuances with the correct order. No
reward_amount Reward data Quantity of loyalty units (points, miles, credits, etc.) to be issued per the merchant’s program configuration. Yes (numeric value only)
idempotency_key Technical identifier Caller-generated key used to safely deduplicate retried requests. Contains no personal information. Not returned in tool responses. No

All data is processed transiently at request time. No buyer personal data — including email addresses — is persisted to any database or log by our MCP server.

2. How We Use This Data

Data is used exclusively to:

We do not use any data for advertising, profiling, model training, or any purpose beyond delivering the loyalty reward service.

3. Data Retention

Our MCP server is stateless with respect to buyer data. No buyer personal data is written to persistent storage. Session state required for SSE transport is held in Redis and is scoped to the active connection only.

4. Data Sharing and Disclosure

We do not sell buyer or merchant data. We may share data only in these limited situations:

5. Data Security

All data is transmitted over TLS-encrypted connections. Access to infrastructure is restricted to authorized personnel. We apply industry-standard access controls and secure communication protocols throughout our stack.

6. Your Rights

Because our MCP server does not persist personal data, there is no stored buyer profile to access, correct, or delete. For questions about data processed during a specific transaction, contact us with the relevant transaction_id or idempotency_key for investigation.

To submit a data inquiry or exercise any rights: privacy@stabilerewards.com

7. Changes to This Policy

We may update this policy from time to time. The effective date above reflects the most recent revision. Continued use of the app after changes constitutes acceptance of the updated policy.