Privacy Policy
Last updated: March 30, 2026
Who we are
AgentKey is operated by ANGELTECH (GRAINES DE CODE), a simplified joint-stock company (SAS) registered in France under SIREN 878 731 157, with its registered office at 9 Route de la Conche, 19320 Saint-Martin-la-Meanne, France.
For the purposes of the EU General Data Protection Regulation (GDPR), ANGELTECH is the data controller for personal data collected through AgentKey. For credentials and organizational data that you store in AgentKey, ANGELTECH acts as a data processor on your behalf.
What data we collect
Account data
When you sign up, we collect your email address, name, and organization details through our authentication provider (Clerk). This data is used to identify you, manage your account, and communicate with you about the service.
Organizational data
You create and manage the following data within AgentKey:
- Agent registrations — agent names, descriptions, and hashed API keys
- Tool configurations — tool names, descriptions, URLs, auth types, and usage instructions
- Encrypted credentials — SaaS API keys, OAuth tokens, and bot tokens stored in AES-256-GCM encrypted form
- Access grants — which agents have access to which tools, with approval status and justifications
- Audit logs — a record of all actions taken in your organization (registrations, approvals, denials, credential fetches, revocations)
- Notification settings — Slack and Discord webhook URLs (encrypted)
Usage analytics
We use Vercel Analytics to collect anonymous, aggregated usage data about how the marketing site and dashboard are used (page views, navigation patterns). Vercel Analytics is privacy-friendly: it does not use cookies for tracking, does not collect personal identifiers, and does not track users across sites.
What we do not collect or do
- We never access, read, or log the decrypted content of your stored credentials
- We never sell, share, or trade personal data or organizational data with third parties for marketing or advertising
- We never use your credentials, tool configurations, or agent data for training AI models
- We do not use tracking cookies or third-party advertising trackers
How we use your data
- To provide the service — storing credentials, vending them to authorized agents, managing access grants, generating audit logs
- To communicate with you — account-related emails, service notifications, security alerts
- To improve the product — aggregated, anonymized usage patterns (not credential content or personal data)
- To power AI features — tool names, URLs, and publicly available documentation are processed by AI models to generate setup guides and form drafts. Credentials are never sent to AI model providers.
Legal basis for processing (GDPR)
- Contract performance — processing necessary to provide the AgentKey service (Article 6(1)(b))
- Legitimate interest — product improvement through anonymized analytics, security monitoring (Article 6(1)(f))
Data storage and security
Where data is stored
- Database — Neon PostgreSQL, hosted in AWS us-east-1 (N. Virginia, United States)
- Application hosting — Vercel, us-east-1 region (United States)
- Authentication — Clerk, hosted in the United States
Data is transferred from the EU to the United States under the EU-U.S. Data Privacy Framework. Our subprocessors (Cloudflare, Vercel, Neon, Clerk) participate in the framework and maintain appropriate safeguards.
How data is protected
- Credentials are AES-256-GCM encrypted at rest with per-record random initialization vectors and authentication tags
- All data in transit is encrypted via TLS
- Agent API keys are stored as SHA-256 hashes, not in recoverable form
- Webhook URLs (Slack, Discord) are encrypted at rest using the same AES-256-GCM scheme
See our Security page for detailed technical information.
Data retention
- Account data — retained while your account is active. Deleted upon account deletion.
- Credentials — permanently deleted when the tool is removed or the organization is deleted.
- Audit logs — retained for 30 days on the free tier. Retained for 30 days after organization deletion, then permanently purged.
- Analytics data — anonymized and aggregated. No personal data is retained in analytics.
Your rights (GDPR)
As a data subject under GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate personal data
- Erasure — request deletion of your personal data (deleting your organization achieves this)
- Data portability — export your data (AgentKey supports YAML export of tool configurations)
- Objection — object to processing based on legitimate interest
- Restriction — request that we restrict processing of your data
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with your local data protection authority. In France, this is the CNIL (Commission Nationale de l'Informatique et des Libertés).
Subprocessors
We use the following third-party services to operate AgentKey:
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare | Edge protection (WAF, DDoS), DNS, email routing, TLS termination | Global (300+ cities) |
| Vercel | Application hosting, serverless functions, analytics | United States |
| Neon | PostgreSQL database | United States (us-east-1) |
| Clerk | User authentication and organization management | United States |
| Vercel AI Gateway | AI model routing for setup guide generation and form drafting (tool names and URLs only, never credentials) | United States |
We will update this list when we add new subprocessors. Material changes will be communicated through the dashboard or by email.
Cookies
AgentKey uses only strictly necessary cookies for authentication (session management via Clerk). We do not use cookies for tracking, advertising, or analytics. Vercel Analytics operates without cookies.
Children
AgentKey is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.
Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the dashboard or by email at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
Contact
For privacy-related questions or to exercise your data rights, contact us at [email protected].