Privacy Policy
Last updated:
1. Overview
This Privacy Policy describes what data Agentfy collects, why, and how we protect it. It applies to both the marketing site (agentfy.io) and the application (app.agentfy.io).
2. Data We Collect
2.1 Account data
- Email, display name, scrypt-hashed password.
- Tenant slug, role, optional 2FA secret.
- Login event history (IP, user-agent, timestamp).
2.2 Billing data
- PayPal payer email (when topping up). We do not store credit card numbers.
- Wallet balance and transaction ledger.
2.3 Operational data
- Device identifiers, paired fingerprints, tunnel handshake logs.
- Macro definitions, scheduled tasks, watchdog configurations.
- Run history (3-day retention, then automatic deletion).
- Screenshots and OCR results captured during macro / agent runs (transient, retained only for the run lifetime).
2.4 What we do NOT collect
- Browser fingerprints, marketing cookies, third-party tracker pixels.
- Inter-tenant data — strict tenant isolation at the database row level.
- Plaintext from the encrypted Vault — we cannot recover lost keys.
3. How We Use Data
- To operate the Service (run your macros, dispatch your agents, deliver MCP calls).
- To process billing transactions.
- To send transactional emails (account verification, password reset, billing receipts).
- To detect abuse and respond to security incidents.
We do not sell your data, mine it for advertising, or share it with third parties except as needed to deliver the Service (our payment processor and transactional email provider).
4. Data Storage
- Primary data resides in PostgreSQL on DigitalOcean (SFO3 region).
- Vault contents are encrypted with AES-256-GCM at rest using a tenant-scoped master key.
- JWT secrets and database passwords are managed via 1Password and never committed to git.
5. Data Retention
- Account data: retained until you delete your account.
- Macro run history: 3 days, then auto-purged.
- Audit logs (tenant_events): 90 days.
- Wallet ledger: retained indefinitely for accounting reasons.
6. Your Rights
Depending on your jurisdiction (GDPR / CCPA / PIPL / etc.), you may have the right to:
- Access the personal data we hold about you.
- Correct inaccuracies.
- Request deletion (subject to legal retention obligations).
- Object to or restrict certain processing.
- Receive your data in a portable format.
Email [email protected] to exercise these rights.
7. International Transfers
Our infrastructure is hosted in the United States. By using the Service, you consent to your data being processed there.
8. Children
The Service is not intended for users under 16. We do not knowingly collect data from children.
9. Changes
Material changes to this Policy will be announced via email or in-product notification at least 30 days before they take effect.
10. Contact
Privacy questions: [email protected]