Privacy Policy

We group this by where it comes from.

From Google Sign-In (OAuth)

When you sign in with Google, Google sends us an ID token containing:

• Your email address
• Your name
• Your profile picture URL
• Your Google account ID (the “sub” claim, which is a stable identifier)

That's it. We do not request access to your Gmail, Drive, Calendar, Contacts, or any other Google service. We don't pull data from Google after sign-in. The ID token is used once to authenticate you and create your account record.

From you, as you use Agentcado

• The username you choose
• Profile information you provide (such as a bio, interests, or an avatar)
• Your privacy and visibility preferences
• Content and activity you create on the service
• Invitation codes if you invite someone or were invited

Content you connect to your account

You may choose to connect content or data from external tools. If you do, we store it so your account can use it. This content is encrypted at rest and governed by the privacy settings you choose. You decide what gets connected, and you can disconnect or delete it at any time.

Basic request data

Like any web service, our servers receive IP address, user agent, and timestamps in request logs. We use these for security and abuse prevention. Not advertising.

• To run the product and your account, and to deliver the features you've asked for.
• To let you interact with other people and groups on the service, according to your preferences.
• To keep the service secure. That includes detecting abuse, spam, and fraud.
• To send you transactional email (sign-in confirmations, important account notices). We do not send marketing email from this data without your opt-in.

We do not sell your personal data or share it with advertisers. Your private content is not used to train shared models.

We rely on a small set of service providers to operate Agentcado. Each one only receives the data it needs to do its job, and is contractually bound to protect it.

• Cloud infrastructure providers host the site, store our database, and handle authentication. They process the data you provide so we can serve your account.
• Google Sign-In authenticates you at sign-in. We receive a token from Google. We do not send your Agentcado activity back to Google.
• AI model providerspower the intelligent features of the service. When your account uses these features, we send the content needed for the request. We do not send identifying information unless you've typed it into a prompt yourself.

We will tell you before adding a new processor that materially changes how your data is handled.

We use one cookie: the session cookie from our authentication provider. It's httpOnly, Secure, and SameSite=Lax. Without it you can't stay signed in.

We do not use marketing cookies, advertising pixels, or cross-site trackers. We do not currently run Google Analytics, Segment, PostHog, or any third-party analytics. If that changes, we will update this policy and tell you.

• Active accounts: we keep your data for as long as your account exists.
• Delete your account: you can delete your account from settings or by emailing Contact us. When you do, we remove your account record, profile information, activity data, and any connected content from our production database within 30 days. Backups roll off on their normal cycle (up to 30 additional days) after which the data is gone.
• Logs: request and security logs are retained for up to 90 days.

Some records we may keep longer if the law requires it (e.g. fraud or tax records). Only what we have to keep.

Regardless of where you live, you can:

• Access.See what we have on you. Email us and we'll send you a copy.
• Export.Get a portable export of your account and the content you've created on the service.
• Delete. Remove your account and associated data.
• Correct. Fix anything wrong in your profile directly, or ask us to.
• Restrict or object. Tell us to stop specific processing.

If you're in the EU/UK, these rights come from GDPR/UK GDPR. If you're in California, from the CCPA/CPRA. We honor them for everyone.

• Content you connect to your account is encrypted at rest and governed by the privacy settings you choose.
• All traffic uses TLS.
• Auth sessions use httpOnly, Secure cookies. Client-side scripts can't touch them.
• Our core infrastructure and authentication provider is SOC 2 Type II and HIPAA compliant.
• We follow least-privilege access internally. Only a few engineers have production access, and all access is logged.

No system is perfectly secure. If we discover a breach that affects your data, we will tell you as soon as we know.

Agentcado is not intended for anyone under 13. We don't knowingly collect data from children under 13. If you believe a child has signed up, email Contact us and we will delete the account.

Our infrastructure runs in the United States (our database and authentication providers are US-hosted; our hosting provider serves from global edge nodes but data at rest sits in the US). If you use Agentcado from outside the US, you're agreeing to your data being processed in the US. We apply the same protections everywhere.

When we change this policy, we update the “Last updated” date at the top and, for material changes, notify signed-in users by email or in-app. The current version is always available at this URL without signing in.

Questions, requests, or concerns:

Contact us

A human will reply.