Name: XMV Solutions GmbH
Address: DE

Last updated: 9 May 2026

This notice describes how data is processed when you use microsoft-tasks-mcp, an open-source Model Context Protocol server published by XMV Solutions GmbH on GitHub. It applies specifically to the multi-tenant OAuth application registration owned by XMV Solutions GmbH that the tool uses by default to access Microsoft Planner and Microsoft To Do.

Who is the data controller

You (or your organisation) remain the data controller for any personal data accessed through microsoft-tasks-mcp. The tool runs entirely on your local machine and connects directly to your Microsoft 365 tenant.

XMV Solutions GmbH is the publisher of the OAuth application registered with Microsoft Entra ID (multi-tenant, public client, delegated scopes only). This registration is the technical identifier the tool uses to request access on your behalf; it does not grant XMV Solutions GmbH access to any of your data.

What data is processed

When you sign in via the Microsoft Device Code flow:

Sign-in metadata (your account name, tenant identifier, granted scopes) is exchanged between your local machine and Microsoft Entra ID. XMV Solutions GmbH does not receive this data.
OAuth tokens (access token and refresh token) are issued by Microsoft directly to your local machine and stored in your operating system's keyring. They never transit any XMV-controlled infrastructure.
Task content that you access via the tool — Microsoft To Do task lists, To Do tasks, Microsoft Planner plans, buckets, and tasks (titles, bodies, due dates, assignees, completion status, ETags, and the M365 group memberships needed to enumerate Planner plans) — is fetched from Microsoft Graph directly to your local machine. XMV Solutions GmbH does not receive, log, or retain any of this content.

Read-only by default; writes are opt-in

By default, microsoft-tasks-mcp requests only the Tasks.Read Graph scope (plus Group.Read.All required for Planner plan enumeration, User.Read, and offline_access for the refresh token). The default install registers only read tools; the agent can list, search, and inspect tasks, but cannot create, update, complete, or delete anything.

As an explicit opt-in for power users, the tool can be configured to expose write tools (todo_task_create, planner_task_create, plus the corresponding update / complete / delete tools) by setting the environment variable TASKS_ALLOW_WRITES=true. This:

adds Tasks.ReadWrite to the OAuth scope set, so the consent screen shows it clearly on first sign-in;
enables the per-profile created-by-me registry on disk (see “Where data is stored” below).

The agent never modifies tasks it did not create itself. This is enforced by a per-profile registry on your local machine: every task the agent creates via this tool is recorded by ID. The update / complete / delete tools refuse — at the tool layer, before any Microsoft Graph call — to act on a task whose ID is not in this registry. There is no path where the agent can accidentally modify a task created by you, by a colleague, by Outlook's flagged-mail integration, or by another application. ETag-based optimistic concurrency adds a second guard against silently clobbering edits made externally between the agent's read and write.

Where data is stored

OAuth tokens: in your local OS keyring (or, as a fallback, an owner-only JSON file at ~/.cache/mcp-server-microsoft-tasks/<profile>/token.json).
Per-profile created-by-me registry (only when TASKS_ALLOW_WRITES=true): a JSON file at ~/.cache/mcp-server-microsoft-tasks/<profile>/registry.json recording the IDs and last-known ETags of tasks the agent created in this profile, so the write tools can refuse to touch anything else. Contains task IDs and metadata; does not duplicate the task content itself.
Tasks created by the agent (when writes are enabled): inside your Microsoft 365 tenant, in the To Do list or Planner plan you specified, attributed to your signed-in user account.
Audit log entries: inside your Microsoft 365 tenant, attributing each action to your signed-in user account.

XMV Solutions GmbH operates no servers, telemetry endpoints, or analytics for this tool. The tool's only outbound network traffic is to login.microsoftonline.com and graph.microsoft.com.

Third parties

The tool calls Microsoft Identity (login.microsoftonline.com) and Microsoft Graph (graph.microsoft.com). Microsoft's processing of your sign-in data is governed by the Microsoft Privacy Statement and your tenant's own data-processing arrangements with Microsoft.

Your rights

Because XMV Solutions GmbH does not process or hold any personal data when you use this tool, GDPR data-subject requests do not apply to us in this context. Direct your data access, correction, or deletion requests to:

Microsoft (for sign-in metadata and tokens issued by Entra ID), via the Microsoft Privacy Dashboard.
Your own organisation (for the task content the tool accesses on your behalf).

BYO override

If your organisation prefers not to rely on the XMV-Solutions-published OAuth application — for example because of app-allowlisting policies, or because you want full control over consent and audit-log attribution — you can register your own OAuth application in your tenant and override the client identifier via the TASKS_CLIENT_ID environment variable. In that case, this notice applies only to whatever residual interactions remain (none, by design).

Contact

For questions about this notice or about the OAuth application registration:

XMV Solutions GmbH
E-mail: oss@xmv.de
Full company details: Impressum

This notice is specific to microsoft-tasks-mcp. The general XMV company privacy notice (covering the website, contact forms, etc.) is at Datenschutzerklärung.

Privacy Notice — microsoft-tasks-mcp