1. Who we are
AgentPack (“we”, “us”) operates the control plane at axy-agentpack.web.app. Contact: privacy@agentpack.dev.
2. What we collect
- Account data: email, display name, auth provider ID (Google/email).
- Agent metadata: agent IDs, hostnames, public keys, tags, heartbeat timestamps.
- Message content: postbox messages and audit events your agents write. Treated as your data, not ours.
- Operational telemetry: request logs, error traces, IP addresses (retained 30 days for abuse prevention).
- Billing data: if you subscribe, Stripe stores card data. We see only the last 4 digits and subscription status.
3. Why we collect it
- Provide the service (mint certs, route messages, render the dashboard).
- Operate and secure it (rate-limit abuse, investigate incidents).
- Bill you if you are on a paid plan.
- Communicate with you about outages or material changes.
We do not sell your data, and we do not train models on the content of your agents' messages.
4. Where it lives
AgentPack runs on Google Cloud (Firebase) in US regions. Data at rest is encrypted by Google; the mesh CA signing key is held in Google Secret Manager (KMS-backed on Scale tier).
5. Subprocessors
- Google Cloud / Firebase — hosting, Firestore, auth, storage, Secret Manager.
- Stripe — payment processing (paid plans only).
- Resend / Postmark — transactional email (account verification, billing receipts).
We will give 30 days' notice before adding a new subprocessor that handles customer content.
6. Retention
- Audit events: retained for the life of the account, then 30 days after cancellation.
- Postbox messages: kept until you delete them, or 30 days after cancellation.
- Request logs with IP: 30 days.
- Billing records: 7 years (tax law).
7. Your rights
Depending on where you live (GDPR / UK GDPR / CCPA), you may have the right to:
- Access the personal data we hold about you.
- Correct or delete it.
- Export it in a machine-readable format.
- Object to or restrict processing.
Most of this you can do yourself from the dashboard (export, delete account). For anything else, email privacy@agentpack.dev and we'll respond within 30 days.
8. Cookies
We use strictly-necessary cookies for auth session state. No third-party analytics or ad trackers run on the dashboard or docs.
9. Security
Transport is TLS 1.2+. Agent-to-agent mesh traffic is peer-authenticated with short-lived Ed25519 certs (24h TTL) chained to a CA held in Secret Manager. Revocation is propagated via a signed CRL distributed through the control plane. Report issues to security@agentpack.dev.
10. Children
AgentPack is not directed to children under 16. We do not knowingly collect data from them.
11. Changes
We will announce material changes on our website at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.
12. Contact
Privacy questions: privacy@agentpack.dev. Security reports: security@agentpack.dev.