Privacy & security

This is a plain-English summary of how we handle your data. The formal Privacy Policy is at myagentplatform.com/legal/privacy — that’s the legally authoritative version. But if you want to actually understand what we do, read this.

The short version

• Each user’s agent runs in its own isolated container — no mixing of data between users
• Your email/calendar credentials are encrypted with a key unique to your account
• We do not train AI models on your data — not your conversations, not your emails, not your files
• We don’t sell your data to anyone, ever
• You can export everything and delete everything at any time
• We read your data only in specific support situations you explicitly authorize

What data we collect

Account data

• Your email address (for login + billing + notifications)
• Your name (from onboarding — optional)
• Your company and role (from onboarding — optional, but used to personalize your agent)
• Your timezone
• Your hashed password (we never see the plaintext)

Billing data (handled by Stripe, not us)

• Your payment method (last 4 digits only — full card info stays with Stripe)
• Billing address (for tax purposes)
• Invoice history

Agent data (inside your private container)

• MEMORY.md and USER.md — curated memory your agent maintains
• Conversation history — all chats with your agent
• Workspace files — anything you upload or your agent creates
• Scheduled task configs — cron jobs you’ve set up
• Skill documents — reusable “skills” your agent has written for itself

Connected service data (if you choose to connect them)

• Email credentials — app passwords, encrypted
• Calendar credentials — app passwords, encrypted
• OAuth tokens for Telegram, Discord, Slack, social media — encrypted
• IMAP/CalDAV sync state — minimal metadata needed to not re-fetch data

Usage data

• How often you log in
• Which features you use
• How many tokens / credits you consume
• Which models your agent runs

Where your data lives

• Primary data center: Contabo Cloud, US-Central region (St. Louis, Missouri, USA)
• Control plane and agent nodes: both in the same data center
• Backups: encrypted, stored in Contabo Object Storage (US-Central)
• No multi-region replication right now — if you need EU data residency, we’re not the right fit today

Who can access your data

You

You can access everything you own:

• Dashboard → Memory (your MEMORY.md and USER.md)
• Dashboard → Workspace (all your files)
• Dashboard → Chat history
• Dashboard → Settings → Export data (one-click download of everything)

Your agent

Your agent (running in its own container) has full access to:

• Its own memory files
• Its own workspace
• Email/calendar credentials (to use IMAP/CalDAV)
• OAuth tokens (to use Telegram/Discord/Slack/social platforms)

Your agent does NOT have access to:

• Other users’ agents
• Our central systems
• Our source code
• Our team’s data

Us (the team)

By default, we cannot read:

• Your conversation history
• Your memory files
• Your workspace files
• Your email credentials
• Your email/calendar content

We CAN see (for operational reasons):

• Your account metadata (email, plan, billing)
• Anonymized usage metrics (token counts, feature usage)
• Error logs (which tools your agent called, error messages — but NOT the content of the calls unless it’s part of an error message)
• System logs (which services ran, when, for how long)

Support access

If you email support and we need to diagnose your specific issue, we may ask you to explicitly authorize us to look into your agent’s state. This permission is:

• Opt-in per incident — we don’t have blanket access
• Time-limited — expires after 24 hours
• Logged — you can see every support access in your audit log
• Revocable — you can end it at any time

Law enforcement

We comply with valid legal process (subpoenas, search warrants). This is very rare. We will notify you unless legally prohibited. We will push back on overly broad requests.

What we use your data for

• Running the service — operating the platform, your agent, integrations, billing
• Improving the service — aggregated metrics about feature usage, not individual data
• Support — helping you with specific issues you ask for help with
• Legal compliance — taxes, fraud prevention, responding to valid legal process

We do NOT use your data for:

• Training AI models (yours or anyone else’s)
• Selling to data brokers
• Targeted advertising
• Licensing to third parties
• Sharing with other users

Third-party services we use

• Stripe — payment processing
• SendGrid — outbound email (password resets, billing receipts, marketing)
• Contabo — hosting infrastructure (compute + object storage)
• MiniMax (default text) and Google Gemini (default vision and fallback) — primary LLM providers your agent queries via our LiteLLM proxy. Additional providers (Anthropic, OpenAI, DeepSeek, Mistral, Groq, xAI, Together AI, OpenRouter, custom OpenAI-compatible endpoints) are available exclusively via Bring-Your-Own-Key.
• Serper — web search results for your agent
• Post for Me — social media posting proxy

Each of these has access only to the specific data needed for their function. None of them see your full account picture.

Your email, calendar, and social media

When you connect these, the credentials are encrypted with a key unique to your agent. Your agent can read them to use the services. Nobody else — including our team — can decrypt them.

When you disconnect a service:

• Email/calendar — the encrypted app password is immediately deleted. You can also revoke the app password directly from your email provider for belt-and-suspenders.
• Social media OAuth — we revoke the token with the platform
• Messaging channels (Telegram/Discord/Slack) — we un-pair and the platform no longer routes to us

What happens if you delete your account

1. Immediate: subscription canceled, agent pod shut down
2. Within 24 hours: your email/social/calendar connections revoked
3. Within 30 days: data retained in cold storage (in case you come back)
4. After 30 days: permanently deleted, cryptographically shredded

If you want immediate deletion without the 30-day window, email support with the request. We’ll do it within 5 business days.

Security practices

• All data encrypted at rest (AES-256)
• All data encrypted in transit (TLS 1.2+)
• Agent containers isolated via Kubernetes network policies
• No shared state between agents — each has its own PVC
• Principle of least privilege — every component has the minimum permissions it needs
• Regular security updates for base images and dependencies
• Admin access to production is limited to specific team members with audit logging

Vulnerability disclosure

If you find a security issue, please email security@myagentplatform.com with details. We’ll acknowledge within 48 hours and work with you on a responsible disclosure timeline.

We don’t have a formal bug bounty program yet, but we respond to legitimate reports with gratitude (and sometimes credit bounties).

What we’re NOT doing yet

Honest list of things people expect that we haven’t built:

• SOC 2 or HIPAA certification — not yet, not planned for 2026
• GDPR Data Protection Officer — we comply with GDPR principles but don’t have a DPO
• Formal SLA — informally 99.5%, no contractual commitment yet
• BAA for HIPAA — not available
• Data residency outside the US — not available today
• SSO / SAML — not available for individual accounts

If any of these are deal-breakers for you, we understand — we’re just not there yet.

Questions?

Privacy questions → privacy@myagentplatform.com

Security reports → security@myagentplatform.com

General support → support@myagentplatform.com