Privacy Policy

Last updated: March 30, 2026

Who we are

AgentKey is operated by ANGELTECH (GRAINES DE CODE), a simplified joint-stock company (SAS) registered in France under SIREN 878 731 157, with its registered office at 9 Route de la Conche, 19320 Saint-Martin-la-Meanne, France.

For the purposes of the EU General Data Protection Regulation (GDPR), ANGELTECH is the data controller for personal data collected through AgentKey. For credentials and organizational data that you store in AgentKey, ANGELTECH acts as a data processor on your behalf.

What data we collect

Account data

When you sign up, we collect your email address, name, and organization details through AgentKey's native authentication system. This data is used to identify you, manage your account, and communicate with you about the service.

Organizational data

You create and manage the following data within AgentKey:

Agent registrations — agent names, descriptions, and hashed API keys
Tool configurations — tool names, descriptions, URLs, auth types, and usage instructions
Encrypted credentials — SaaS API keys, OAuth tokens, and bot tokens stored in AES-256-GCM encrypted form
Access grants — which agents have access to which tools, with approval status and justifications
Audit logs — a record of all actions taken in your organization (registrations, approvals, denials, credential fetches, revocations)
Notification settings — Slack and Discord webhook URLs (encrypted)

Usage analytics

We use Cloudflare observability to collect operational telemetry for availability, performance, and security monitoring. We do not use third-party tracking cookies or cross-site advertising analytics.

What we do not collect or do

We never access, read, or log the decrypted content of your stored credentials
We never sell, share, or trade personal data or organizational data with third parties for marketing or advertising
We never use your credentials, tool configurations, or agent data for training AI models
We do not use tracking cookies or third-party advertising trackers

How we use your data

To provide the service — storing credentials, vending them to authorized agents, managing access grants, generating audit logs
To communicate with you — account-related emails, service notifications, security alerts
To improve the product — aggregated, anonymized usage patterns (not credential content or personal data)
To power AI features — tool names, URLs, and publicly available documentation are processed by AI models to generate setup guides and form drafts. Credentials are never sent to AI model providers.

Legal basis for processing (GDPR)

Contract performance — processing necessary to provide the AgentKey service (Article 6(1)(b))
Legitimate interest — product improvement through anonymized analytics, security monitoring (Article 6(1)(f))

Data storage and security

Where data is stored

Database— Cloudflare D1, hosted and replicated on Cloudflare's infrastructure
Application hosting — Cloudflare Workers and Workers Assets
Authentication — native AgentKey email magic-link sessions stored in D1

Data is transferred from the EU to the United States under the EU-U.S. Data Privacy Framework. Our subprocessors participate in the framework or maintain appropriate safeguards.

How data is protected

Credentials are AES-256-GCM encrypted at rest with per-record random initialization vectors and authentication tags
All data in transit is encrypted via TLS
Agent API keys are stored as SHA-256 hashes, not in recoverable form
Webhook URLs (Slack, Discord) are encrypted at rest using the same AES-256-GCM scheme

See our Security page for detailed technical information.

Data retention

Account data — retained while your account is active. Deleted upon account deletion.
Credentials — permanently deleted when the tool is removed or the organization is deleted.
Audit logs — retained for 30 days on the free tier. Retained for 30 days after organization deletion, then permanently purged.
Analytics data — anonymized and aggregated. No personal data is retained in analytics.

Your rights (GDPR)

As a data subject under GDPR, you have the right to:

Access — request a copy of the personal data we hold about you
Rectification — correct inaccurate personal data
Erasure — request deletion of your personal data (deleting your organization achieves this)
Data portability — export your data (AgentKey supports YAML export of tool configurations)
Objection — object to processing based on legitimate interest
Restriction — request that we restrict processing of your data

To exercise any of these rights, contact us at privacy@agentkey.dev. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection authority. In France, this is the CNIL (Commission Nationale de l'Informatique et des Libertés).

Subprocessors

We use the following third-party services to operate AgentKey:

Provider	Purpose	Location
Cloudflare	Application hosting, database, transactional email, AI model routing, edge protection, DNS, TLS termination, and operational observability	Global
Workers AI	Setup guide generation and form drafting through Cloudflare Workers AI (tool names and URLs only, never credentials)	Cloudflare infrastructure

We will update this list when we add new subprocessors. Material changes will be communicated through the dashboard or by email.

Cookies

AgentKey uses only strictly necessary cookies for authentication. We do not use cookies for tracking, advertising, or analytics.

Children

AgentKey is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.

Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the dashboard or by email at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

Contact

For privacy-related questions or to exercise your data rights, contact us at privacy@agentkey.dev.