Privacy Policy

1. Information We Collect

Account data: email address, name or alias, OAuth profile (Google/GitHub), workspace name, and billing details processed by Stripe.

Agent data: agent configurations, scan results, KYA assessments, metric payloads, memory entries, skill installations, and fleet metadata that you submit through the Platform or API.

Usage data: page views, feature interactions, API request counts, and performance telemetry collected via analytics tools (only when you consent to optional cookies).

Technical data: IP address, browser type, device info, and request logs retained for security and abuse prevention.

2. How We Use Your Data

• Provide, operate, and maintain the Platform
• Process payments and manage subscriptions
• Run scans, KYA assessments, and generate reports
• Send transactional emails (usage alerts, KYA expiry, exports)
• Enforce rate limits, detect abuse, and secure the platform
• Improve features based on aggregated, anonymised usage data
• Track referral attribution and pay commissions

3. Data Sharing & Subprocessors

We do not sell your personal data. We share data only with service providers necessary to operate the Platform. See our Subprocessor List for the current list.

We may disclose data if required by law, regulation, legal process, or governmental request.

4. Data Retention

We retain your data for as long as your account is active. Tier-specific retention: Free (90 days for metrics/logs), Starter (1 year), Pro (3 years), Team/Enterprise (7 years or as contractually agreed).

After account deletion, we purge all personal data within 30 days, except where retention is required by law (e.g., billing records for tax compliance).

5. Your Rights

Depending on your jurisdiction (GDPR, CCPA, UK GDPR, etc.), you may have the right to access, correct, port, restrict, or delete your personal data.

You can exercise data export and deletion via Settings → Security, or by emailing contact@agentresources.xyz.

We will respond to verified requests within 30 days (or the applicable statutory period).

6. International Transfers

Data may be processed in regions where our infrastructure providers operate (United States, European Union). Where required, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards to lawfully transfer personal data outside the EEA/UK.

7. Security

We use industry-standard safeguards including TLS encryption in transit, encrypted-at-rest databases (Supabase), Row-Level Security policies on all tables, rate limiting, CORS enforcement, Helmet headers, and hash-chained audit logs. No system is 100% secure; we will notify affected users within 72 hours of a confirmed breach.

8. Children's Privacy

The Platform is not directed to individuals under 18. We do not knowingly collect data from minors. If we learn that we have, we will delete it promptly.

9. Changes to This Policy

We may update this Policy from time to time. Material changes will be communicated via email at least 30 days before taking effect.