Privacy Policy

How AgentPays collects, uses, and protects your information.

This document was last updated on May 11, 2026. Please review it carefully. For questions, contact jkevfeeiii@gmail.com.

Overview

AgentPays (“we”, “us”, “our”) provides infrastructure that lets you control how your AI agents spend money. This Privacy Policy explains what information we collect, how we use it, and the choices you have. By using AgentPays, you agree to the practices described below.

Information we collect

Account information

When you create an account, our authentication provider (Clerk) collects your email address, name, and Google profile information used during sign-in. We receive a user identifier from Clerk and the basic profile details associated with your account.

Integration credentials

If you connect Privacy.com to issue virtual cards, we store your Privacy.com API key encrypted at rest in our database. The key is used to create single-use virtual cards on your behalf when your agents make approved purchases.

Payment information

When you save a payment method, Stripe stores your card details and returns a token to us. We never store your full card number or CVC. Stripe is used to collect our transaction fee.

Agent and purchase data

We store the agents you create, their spending rules, every purchase request your agents submit (including the merchant, amount, description, and justification), and the resulting transaction record.

Usage data

We collect product analytics from our application — pageviews, feature usage, basic device and browser metadata, and session recordings of dashboard activity — through PostHog. This helps us improve the product.

How we use your information

  • Authenticate you and operate your account.
  • Create single-use virtual cards through Privacy.com when your agents make approved purchases.
  • Enforce the spending rules you configure (per-agent budgets, velocity limits, merchant allow/deny lists).
  • Collect our transaction fee (1.5% or $0.50 minimum) via Stripe.
  • Send transactional emails such as purchase approval notifications through Resend.
  • Analyze product usage, debug issues, and improve features through PostHog product analytics and session recordings.
  • Protect against fraud, abuse, and security threats, and comply with legal obligations.

We do not sell your personal information, and we do not use your purchase data to build advertising profiles.

Third-party services

AgentPays relies on the following sub-processors to operate. Each one receives only the data necessary to perform its function.

Clerk

Purpose: Authentication and account management

Data received: Email, name, Google profile data, sign-in events

Supabase (PostgreSQL)

Purpose: Primary application database — hosts agents, purchase requests, transactions, and spend rules

Data received: All application data, including encrypted Privacy.com API keys

Privacy.com

Purpose: Virtual card issuance for approved purchases

Data received: API calls made on your behalf using your API key; purchase amount and merchant for each card issued

Stripe

Purpose: Payment method storage and AgentPays fee collection

Data received: Card token, billing details, amount of each fee charged

Resend

Purpose: Transactional email delivery (purchase approval notifications)

Data received: Email address, message content

PostHog

Purpose: Product analytics, session recordings, and error tracking

Data received: Pageviews, feature usage, device/browser metadata, dashboard session recordings

Vercel

Purpose: Application hosting and edge delivery

Data received: Server logs, IP addresses, request metadata

Each provider has its own privacy policy that governs how it handles the data it receives. You should review their policies if you have specific concerns.

Data retention

We retain your account and application data for as long as your account is active. When you delete your account, we permanently remove your agents, spend rules, encrypted Privacy.com API key, and stored payment methods. Transaction records may be retained for up to seven years to meet legal, tax, and accounting obligations, after which they are deleted or fully anonymized.

Backup snapshots may retain deleted data for up to thirty days before being expired.

Your rights

You have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correct — update inaccurate or incomplete information through your account settings or by contacting us.
  • Delete — permanently remove your account and associated data from Settings → Delete account, or by contacting us.
  • Export — request a machine-readable copy of your data.
  • Object or restrict — ask us to limit or stop certain processing of your data.

To exercise any of these rights, email jkevfeeiii@gmail.com. We respond within a reasonable timeframe and consistent with applicable law.

Cookies and tracking

AgentPays uses cookies and similar technologies for two purposes: keeping you signed in (via Clerk session cookies) and product analytics (via PostHog). PostHog records dashboard interactions, including page navigation and clicks, to help us understand how the product is used.

You can disable cookies in your browser, but doing so will prevent you from staying signed in. PostHog tracking can be blocked using common tracker-blocking browser extensions.

Security

We take reasonable measures to protect your information:

  • Privacy.com API keys are encrypted at rest using AES-256-GCM and are never exposed in full after saving.
  • All connections to AgentPays are served over HTTPS/TLS.
  • Authentication is handled by Clerk, which manages session security, password hashing, and 2FA on our behalf.
  • Payment card details are tokenized by Stripe — we never store full PAN, CVC, or expiry in our systems.
  • Access to production data is limited to authorized personnel for legitimate operational purposes.

No security measure is perfect. We cannot guarantee absolute security, and you are responsible for keeping your AgentPays credentials and connected API keys secure.

CCPA & GDPR

For California residents (CCPA/CPRA)

You have the right to know what categories of personal information we collect, the purposes for which we use it, and the categories of third parties with whom we share it. You can request access, correction, or deletion of your personal information, and you have the right not to be discriminated against for exercising these rights. AgentPays does not sell personal information.

For users in the EEA, UK, or Switzerland (GDPR)

We process personal data on the legal bases of (a) performing the contract we have with you, (b) complying with our legal obligations, and (c) our legitimate interests in operating and securing the service. You have the right to access, rectify, erase, restrict, or port your data, and to object to processing. You also have the right to lodge a complaint with your local data protection authority.

To exercise any of these rights, contact jkevfeeiii@gmail.com.

Children's privacy

AgentPays is not intended for use by children under 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child, we will delete it promptly.

Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “last updated” date at the top of the page and, where appropriate, notify you by email or through the product. Continued use of AgentPays after a change indicates your acceptance of the updated policy.

Contact us

If you have questions about this policy or how we handle your data, contact us at jkevfeeiii@gmail.com.