Skip to main content
When you connect an AI assistant (Claude, ChatGPT, or any MCP-compatible tool) to Profile, you’re granting it delegated access to act on your behalf within a single Profile account. This page explains exactly what that means for your data.

What an AI assistant can access

Access is controlled by scopes. At connection time you see a consent screen listing the scopes the assistant is requesting. You can deny any of them. An assistant with a given scope can read or modify only the data that scope covers.
ScopeData exposed
profiles:readProfile names, emails, phone numbers, DISC / Focus / Core scores, AI-generated behavioral debriefs for profiles on the connected account
profiles:writeCreate new profiles (sending an assessment invite), update profile metadata, delete profiles
tags:manageTag names, colors, and the profile-to-tag relationships for tags on the connected account
account:readAccount name, configured assessments, resource aliases on the connected account
account:writeAccount settings and resource aliases on the connected account
A connected assistant cannot see data from other Profile accounts, other users’ sessions, or any data outside the account it was connected from.

How your data flows

  1. You tell the assistant something in plain language.
  2. The assistant decides whether to call a Profile tool and which one.
  3. The call goes from the assistant’s servers to Profile over HTTPS, authenticated by an OAuth access token scoped to your account.
  4. Profile returns the requested data (or performs the requested action).
  5. The assistant uses the response to answer you in chat.
The data the assistant sees is the same data Profile’s web app would show to you signed in as yourself.

What Profile does with the data

Profile logs every connector action in your account’s audit trail. We do not send your behavioral data or account contents to the AI provider for training, analytics, or any purpose other than fulfilling the tool call you triggered.

What the AI provider does with the data

Every AI provider has its own data handling terms. When you use Claude, Anthropic’s policies apply. When you use ChatGPT, OpenAI’s policies apply. Check the terms of the specific assistant you’re connecting to. Profile does not control whether the AI provider uses conversation content for model training, caching, or fine-tuning. If that matters for your use case, read the provider’s documentation carefully before connecting.

Retention

  • Access tokens expire automatically after approximately one hour and are refreshed by the assistant as needed. Expired tokens cannot be used.
  • Connection records (the list of apps you’ve authorized) persist until you revoke them.
  • Audit logs of connector actions follow Profile’s standard audit retention.
  • Profile data created by connector actions (new profiles, tags, invites) persists normally, same as if you’d created it through the web app.

Revoking access

At any time, you can:
  1. Open Profile in your browser.
  2. Go to your User Profile.
  3. Open the Connected apps section.
  4. Click Revoke on the connection you want to disconnect.
Revocation is immediate on Profile’s side: the next request from that assistant will fail. The assistant’s currently-issued access token remains technically valid until its natural expiry (up to one hour), but the grant is marked revoked and cannot be refreshed.

Multiple Profile accounts

If you belong to more than one Profile account, each connection is tied to exactly one account. Connecting an assistant while signed in to Account A does not grant it access to Account B. To give the same assistant access to a second account, sign into that account in Profile and connect again.

Your rights

You can:
  • View all active connections at any time from the Connected apps section of your user profile.
  • Revoke any connection instantly.
  • Export or delete your account data through Profile’s standard data controls. See our Data Privacy page.
For broader privacy questions, see our Privacy Policy or contact support@profilebehavior.com.