Propalt MCP & AI Integrations Privacy Notice

Effective date: 27 May 2026  |  Last updated: 27 May 2026

This Propalt MCP & AI Integrations Privacy Notice explains how Propalt Ltd processes information when our services are accessed through AI assistants, GPTs, Model Context Protocol integrations, APIs, and other AI-enabled interfaces.

This notice applies to authenticated Propalt users in the United Kingdom and European Economic Area who access Propalt through:
  • ChatGPT or other AI assistant interfaces;
  • GPT Actions;
  • Model Context Protocol (MCP) integrations;
  • OAuth-authorised AI integrations;
  • Propalt APIs used by AI assistants, agents, or automated workflows; and
  • chat-based or natural-language interfaces that call Propalt services.

This notice supplements the main Propalt Privacy Policy. Where this notice differs from the main Propalt Privacy Policy, this notice applies to Propalt MCP and AI integration activity.

1. Who we are

Propalt Ltd is a UK company providing property intelligence, location intelligence, market analytics, business information, mapping, and related data services.

For the purposes of UK data protection law, including the UK GDPR and Data Protection Act 2018, Propalt Ltd is generally the controller of personal data that we determine how and why to process through our services.

Contact: support@propalt.co.uk

2. What this notice covers

This notice covers information processed when an authenticated Propalt user interacts with Propalt through an AI-enabled interface.

For example, a user may ask an AI assistant to:
  • look up information about a postcode, street, town, local area, or property;
  • retrieve nearby schools or local amenities;
  • analyse demographics, household composition, income indicators, crime data, or census information for an area;
  • retrieve property, market, valuation, comparable, or historical property data;
  • search for address, street, or geographic information;
  • retrieve business, organisation, ownership, or market intelligence; or
  • use Propalt tools through an MCP server or API action.

When this happens, the AI platform may send relevant parts of the user's request to Propalt so that Propalt can return the requested result.

Propalt MCP and API integrations are available only to authenticated Propalt users. They are not intended for unauthenticated public use.

3. Information we may receive

When an authenticated Propalt user interacts with Propalt through an AI assistant, GPT, MCP client, or API-based integration, we may receive the following categories of information.

3.1 User query information

This may include:
  • natural-language prompts or instructions;
  • postcodes, addresses, streets, towns, or place names entered by the user;
  • latitude and longitude coordinates;
  • property identifiers or property-related search criteria;
  • company names, organisation names, or business-related search terms;
  • filters, preferences, or parameters selected by the user;
  • requests for market, demographic, school, crime, census, valuation, or comparable-property data; and
  • any other information the user chooses to submit as part of the request.

Propalt does not store full natural-language prompts by default. Where full prompt text is temporarily retained, this is only for limited purposes such as debugging, security investigation, abuse prevention, or support.

Propalt does store structured API parameters exactly as submitted where needed to provide, secure, debug, audit, and support the MCP or API service.

Users should avoid submitting unnecessary personal, confidential, sensitive, or special category information into AI prompts.

3.2 Technical and security information

We may process technical information needed to operate, secure, monitor, and improve the integration, including:
  • API request metadata;
  • timestamps;
  • IP address;
  • authentication status;
  • API keys, access tokens, or OAuth-related metadata;
  • user agent, device, browser, or client information;
  • rate-limit information;
  • error logs;
  • audit logs;
  • integration identifiers; and
  • security, abuse-prevention, and fraud-prevention signals.

3.3 Account and integration information

Because Propalt MCP and API integrations are available only to authenticated Propalt users, we may process:
  • account identifiers;
  • organisation identifiers;
  • user role or permission information;
  • integration configuration;
  • billing or subscription status;
  • consent or authorisation records;
  • connected account metadata; and
  • support correspondence.

3.4 Public and licensed data returned by Propalt

Propalt may return information derived from public, licensed, aggregated, or proprietary datasets, including:
  • property data;
  • land, address, and geographic data;
  • school and local amenity data;
  • demographic and census data;
  • crime and environmental indicators;
  • household and income indicators;
  • market activity and price data;
  • valuation and comparable-property information;
  • company, director, organisation, or business information; and
  • other property, location, or market intelligence.

Some of this information may relate to identifiable individuals where it is publicly available, business-related, legally published, or otherwise lawfully processed.

4. Information we do not intend users to submit

Propalt's MCP and AI integrations are not designed for users to submit sensitive personal information.

Users should not submit:
  • health information;
  • financial hardship information;
  • criminal offence information;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • biometric or genetic data;
  • children's personal data;
  • private residential information about another person unless lawfully required for the requested property or location search;
  • passwords, secret keys, or private credentials; or
  • confidential information that they do not have permission to share.

If such information is submitted, it may be processed incidentally as part of the user's prompt, API request, structured API parameters, logs, or support records.

5. How we use information

We use information processed through MCP and AI integrations to:
  • receive and interpret user requests;
  • authenticate API or MCP access;
  • return property, area, market, location, or business intelligence results;
  • provide AI assistant integrations with relevant API responses;
  • maintain, debug, and secure our APIs and MCP services;
  • prevent abuse, scraping, fraud, unauthorised access, and excessive usage;
  • monitor service performance and reliability;
  • provide customer and technical support;
  • improve the accuracy, quality, and usability of Propalt services;
  • maintain audit logs;
  • comply with legal, regulatory, and contractual obligations; and
  • enforce our terms, acceptable-use rules, and API usage limits.

We do not use information submitted through MCP or AI integrations to make decisions that produce legal or similarly significant effects about individuals.

6. AI outputs and automated processing

Propalt may return data, analysis, summaries, classifications, rankings, estimates, or other outputs through AI-enabled interfaces.

These outputs are provided for informational and research purposes only. They should not be treated as professional advice or as the sole basis for decisions involving legal rights, financial eligibility, housing eligibility, employment, credit, insurance, or access to essential services.

Users are responsible for checking important information before relying on it. Property, location, demographic, market, valuation, school, crime, ownership, and business datasets may be incomplete, out of date, estimated, inferred, aggregated, or subject to source errors.

Propalt does not intentionally use MCP or AI integration data to conduct automated decision-making that has legal or similarly significant effects on individuals.

7. Lawful basis for processing

Where UK GDPR or EU GDPR applies, our lawful basis depends on the context. We may process personal data on the following bases.

Contract

Where processing is necessary to provide Propalt services, API access, MCP access, account functionality, support, or integration functionality requested by the user or their organisation.

Legitimate interests

Where processing is necessary for our legitimate interests, including:
  • providing property, location, market, and business intelligence services;
  • operating and improving APIs and MCP integrations;
  • securing our systems;
  • preventing abuse, fraud, scraping, and unauthorised access;
  • maintaining audit and technical logs;
  • supporting B2B research, due diligence, and corporate transparency;
  • responding to technical and customer support requests; and
  • improving service quality and reliability.

Legal obligation

Where processing is necessary for compliance with applicable law, regulation, court orders, tax, accounting, fraud-prevention, or regulatory requirements.

Consent

Where we rely on consent, for example for certain optional features, users may withdraw consent at any time.

8. OAuth, API keys, and authentication

Propalt MCP and API integrations are available only to authenticated Propalt users. They may use API keys, bearer tokens, OAuth, or other authentication methods.

We process authentication data to:
  • verify that a request is authorised;
  • connect the AI integration to the relevant Propalt account or workspace;
  • apply permissions, limits, and access controls;
  • prevent unauthorised access;
  • revoke or refresh access where required; and
  • maintain audit and security logs.

OAuth tokens, API keys, bearer tokens, and similar credentials are encrypted at rest.

Users and organisations are responsible for keeping their API keys, OAuth credentials, and access tokens secure. Users should not paste secret credentials directly into AI prompts.

Users can disconnect or revoke MCP and AI integration access. After revocation or disconnection, Propalt will stop accepting future authorised requests from that integration, subject to normal security, audit, legal, and backup retention.

OAuth tokens, API keys, and similar credentials are retained only for as long as needed to provide authorised access, unless longer retention is required for security, audit, legal, or compliance purposes.

9. What information may be shared with AI platforms

When a user accesses Propalt through an AI platform, such as ChatGPT or another AI assistant, that platform may process the user's prompts, conversation context, and responses according to its own terms and privacy policy.

Propalt only controls how Propalt receives, processes, stores, and returns information through its own APIs, MCP servers, systems, and integrations.

The AI platform may decide what parts of a user's prompt, conversation, or request are sent to Propalt. Propalt may return API results to the AI platform so that the assistant can display or summarise those results to the user.

Users should review the privacy policy and data controls of the AI platform they are using.

10. Do we use prompts, API requests, or AI providers to train AI models?

Propalt does not use individual user prompts submitted through MCP or AI integrations to train general-purpose large language models.

Propalt does not store full natural-language prompts by default.

Propalt does not send MCP or API user queries or API responses to third-party AI model providers for processing, enrichment, training, or evaluation.

We may use structured API request parameters, API request metadata, error logs, aggregated usage information, support feedback, and security logs to:
  • debug services;
  • improve API performance;
  • improve documentation;
  • improve product quality;
  • detect misuse;
  • monitor reliability; and
  • improve the relevance and safety of Propalt integration outputs.

Where we use data for analytics or improvement, we aim to use aggregated, minimised, pseudonymised, or anonymised information where practical.

11. Retention

We retain personal data processed through Propalt MCP and AI integrations only for as long as reasonably necessary for the purposes described in this notice, unless a longer period is required or permitted by law, contract, security, dispute resolution, or regulatory obligation.

Our standard retention periods are as follows:

Data categoryRetention period
Full natural-language promptsNot stored by default. If temporarily retained for debugging, security, abuse investigation, or support, retained for up to 30 days
Structured API request parameters and API logsUp to 90 days
Security, fraud, rate-limit, and abuse-prevention logsUp to 12 months
OAuth authorisation recordsWhile the integration remains connected, then up to 90 days after revocation or disconnection
OAuth tokens and API credentialsUntil expiry, rotation, revocation, disconnection, or account closure
Account, contract, and organisation recordsFor the life of the account, then up to 6 years
Billing, invoice, accounting, and tax records6 years from the end of the relevant financial year
Support correspondenceUp to 24 months after the issue is closed
Serious incident, dispute, legal, or compliance recordsUp to 6 years, or longer where legally required
Product and usage analytics in identifiable formUp to 12 months
Aggregated or anonymised analyticsMay be retained indefinitely
Backup copiesDeleted or overwritten within 90 days
Data rights and suppression request recordsUp to 6 years, with minimal suppression records retained where necessary to honour the request

Public, licensed, third-party, property, location, business, demographic, and geospatial datasets may be retained for as long as permitted by the relevant source licence, required by law, or reasonably necessary for Propalt's legitimate business purposes.

Where data is no longer required, we will delete, anonymise, aggregate, or otherwise minimise it in accordance with our internal retention and deletion processes.

12. Sharing information with third parties

We may share information processed through MCP and AI integrations with trusted third parties where necessary to operate, secure, support, or improve our services.

For Propalt MCP and API feeds, we do not use third-party analytics tools.

We use cloud and infrastructure providers to host, operate, secure, and deliver Propalt services. These include:
  • Google Cloud;
  • Amazon Web Services; and
  • other infrastructure, security, professional, legal, accounting, or support providers where necessary.
We may share information with:
  • cloud hosting providers;
  • database and infrastructure providers;
  • authentication and identity providers;
  • professional advisers;
  • payment, billing, and accounting providers where relevant to authenticated customer accounts;
  • security and fraud-prevention providers;
  • AI platform providers where the user chooses to access Propalt through that platform; and
  • public authorities, regulators, courts, or law enforcement where legally required.

We do not sell personal data.

Where third-party processors act on our behalf, we require them to process personal data only under appropriate contractual, confidentiality, and data protection obligations.

13. International transfers

Some providers used to operate Propalt services may process personal data outside the United Kingdom or European Economic Area.

Where this happens, we use appropriate safeguards as required by data protection law. These may include:
  • adequacy regulations;
  • the UK International Data Transfer Agreement;
  • the UK Addendum to the EU Standard Contractual Clauses;
  • contractual commitments from suppliers; and
  • technical and organisational security measures.

14. Security

We use technical and organisational measures designed to protect personal data processed through our MCP and AI integrations.

These may include:
  • encrypted transmission where supported;
  • encryption of OAuth tokens, API keys, bearer tokens, and similar credentials at rest;
  • access controls;
  • authentication and authorisation controls;
  • API rate limiting;
  • monitoring and logging;
  • token and credential controls;
  • infrastructure security controls;
  • vulnerability management;
  • backups and recovery processes; and
  • internal access restrictions.

No online service can be guaranteed to be completely secure. Users should take care when deciding what information to submit through AI assistants or API integrations.

15. Data accuracy and source limitations

Propalt services may use public, licensed, third-party, aggregated, statistical, inferred, or derived datasets.

Although we aim to provide useful and accurate information, we cannot guarantee that all information returned through MCP or AI integrations is complete, current, or error-free.

In particular:
  • property data may change over time;
  • ownership and company information may become outdated;
  • school, crime, demographic, and census data may be historical or aggregated;
  • valuations and market estimates are indicative only;
  • geospatial results may depend on source accuracy and search parameters; and
  • AI-generated summaries may simplify, omit, or misinterpret source data.

Users should independently verify information before making commercial, legal, financial, property, investment, compliance, or operational decisions.

16. Children

Propalt MCP and AI integrations are intended for business and professional users. They are not intended for children.

Users must not knowingly submit personal data relating to children through Propalt MCP or AI integrations unless they have a lawful basis to do so and the submission is necessary for the relevant service.

If we become aware that children's personal data has been submitted inappropriately, we may delete or restrict that information.

17. Individual rights

Where UK GDPR or EU GDPR applies, individuals may have rights including:
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restriction of processing;
  • the right to object;
  • the right to data portability;
  • the right to withdraw consent where processing is based on consent; and
  • the right to complain to a supervisory authority.

To exercise a data protection right, contact: support@propalt.co.uk

Please include enough information for us to identify the relevant record, such as your name, company, role, account, organisation, property reference, business record, or other relevant search context. We may need to verify your identity before responding.

If you are in the United Kingdom, you have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection. The ICO recommends giving the organisation concerned an opportunity to respond before raising the matter with the ICO.

18. Requests about public business or property-related information

Propalt may process public, business-related, property-related, or location-related information from lawful sources.

If information about you, your company, or your role appears in Propalt results and you believe it is inaccurate, inappropriate, outdated, or should not be processed, you may contact us at: support@propalt.co.uk

Please use the subject line: Data Request — Propalt AI Integration

We will review requests in accordance with applicable data protection law. In some cases, we may retain certain information where we have a lawful basis to do so, including legal obligation, public availability, legitimate interests, fraud prevention, record keeping, or dispute resolution.

19. User responsibilities

Users of Propalt MCP and AI integrations are responsible for:
  • ensuring they have authority to use the integration;
  • ensuring they have a lawful basis for any personal data they submit;
  • avoiding unnecessary personal or sensitive information in prompts;
  • complying with applicable law and contractual obligations;
  • checking outputs before relying on them;
  • keeping API keys and OAuth credentials secure;
  • disconnecting or revoking access where they no longer want an AI integration to access Propalt services;
  • not using Propalt outputs for unlawful discrimination, harassment, surveillance, or harmful profiling; and
  • not using Propalt services to make solely automated decisions with legal or similarly significant effects on individuals.

20. Changes to this notice

We may update this notice from time to time.

When we make material changes, we may notify users by updating the "Last updated" date, publishing a notice on our website, notifying account administrators, or using other appropriate communication methods.

21. Contact

For questions about this notice or Propalt's data protection practices, contact:

Propalt Ltd
Propalt House
19 Nab Wood Terrace
Bradford
BD18 4HU
United Kingdom

Email: support@propalt.co.uk