Privacy Policy

Effective Date: April 4, 2026 · Last Updated: April 4, 2026

1. Overview

This Privacy Policy describes how Quallet, Inc. ("Agentity," "we," "us," or "our") collects, uses, discloses, and protects information about you when you use the Agentity platform at agentity.to and its subdomains, APIs, and related services (collectively, the "Platform").

Agentity is a business-to-developer (B2D) infrastructure platform. Our customers are developers and organizations ("Users") who build and operate AI agent workflows. The end-users of AI agents you deploy are not our direct customers, and any personal data they generate through agent actions is processed by you as the data controller — not by us directly.

We are committed to transparency. This policy is written to be accurate and specific to what the Platform actually collects — not boilerplate. If something in here contradicts what you observe, please contact us.


2. Who We Are

The data controller for personal information collected through the Platform is:

For purposes of the California Consumer Privacy Act (CCPA/CPRA), we are a "business." For purposes of the General Data Protection Regulation (GDPR), we are a "data controller" with respect to account and usage data we collect directly from Users.


3. Data We Collect

We collect the following categories of information, described precisely based on the data the Platform actually processes:

3.1 Account & Identity Information

  • Email address — collected at registration; used for authentication, billing communications, and service notices.
  • Name — collected at registration; used to personalize your account.
  • Password — collected at registration. Passwords are not stored in plaintext; they are hashed using a one-way cryptographic function before being stored on our servers. We cannot recover your plaintext password.

3.2 Authentication & Session Tokens

  • JWT access tokens — issued at login; stored in a client-side browser cookie (access_token) with a 30-day maximum age, the Secure flag, and SameSite=Strict. The token payload contains your user account ID, an issued-at timestamp (iat), and an expiration timestamp (exp).
  • JWT refresh tokens — issued at login; stored in a client-side browser cookie (refresh_token) with identical security flags and a 30-day maximum age. Used to obtain new access tokens without requiring re-authentication. Invalidated server-side on logout.
  • CSRF tokens — a cryptographically random 32-byte token generated per browser session and stored in sessionStorage. Cleared on logout. Never transmitted to our servers except as a header in mutating requests; not persisted on our backend.

3.3 Provider API Keys (Bring-Your-Own-Key)

  • API keys you supply for third-party providers (currently: AgentMail, AgentPhone, and Privacy.com). These credentials are encrypted at rest in Agentity's secure vault using industry-standard encryption. They are decrypted only transiently in memory when required to execute an API call to the provider on your behalf.

3.4 Agentity API Keys

  • API keys you generate within the dashboard for programmatic access to the Agentity API. These are credentials scoped to your account; their metadata (creation date, label if set) is stored on our servers.

3.5 Agent Identity Records

  • For each provisioned identity asset (email address, phone number, or virtual card), we store: a unique identity ID, the associated agent ID you specified, and the creation timestamp. We do not store the content of communications (emails or SMS messages) received by provisioned identities on our platform; that content resides with the underlying provider.

3.6 Agent Intent Logs

  • When your agent requests an action through the Agentity API, we store an intent record containing: a unique intent ID, the agent ID, a subject line, an action type, a message body, and a creation timestamp. These records form an audit log of agent activity under your account.

3.7 Subscription & Billing Data

  • We store your subscription plan name, subscription status (active, canceled, or past due), and associated timestamps. We do not store payment card numbers, bank account details, or any PCI-scoped payment instrument data on our servers. Payment processing is handled entirely by Stripe, Inc., who maintains their own PCI-DSS compliance program.

3.8 Technical & Log Data

  • IP addresses — recorded in standard web server and application logs when you access the Platform.
  • HTTP request metadata — including request path, HTTP method, response status code, and timestamp. Used for security monitoring, debugging, and abuse detection.
  • Browser user agent — included in HTTP request headers; logged as part of standard access logs.

What we do NOT collect: We do not use third-party analytics trackers, advertising pixels, or behavioral profiling SDKs. We do not collect precise geolocation. We do not read the content of emails or SMS messages passing through provisioned identity infrastructure (that content is held by AgentMail/AgentPhone respectively).


4. How We Collect Data

Directly from you. Account information (email, name, password) is collected through registration and account management forms. Provider API keys are entered manually in the dashboard. Agentity API keys are generated on request.

Automatically from your use of the Platform. Technical and log data (IP address, user agent, request metadata) is captured automatically by our web servers and application infrastructure when you or your AI agents make requests to the Platform.

From third-party providers. We receive subscription and payment status information from Stripe via webhooks. We receive provisioned identity metadata (such as assigned email addresses or phone numbers) from AgentMail and AgentPhone when fulfilling provisioning requests on your behalf.

From your AI agents. When your AI agents make API calls to the Platform using your Agentity API keys, we collect intent and activity data as described in Section 3.6. This data is generated by your agents but is associated with your account.


5. How We Use Your Data

We use the data we collect for the following purposes:

  • Providing the Services. Authenticating your account, executing API calls to third-party providers using your Provider Keys, provisioning identity assets, storing and retrieving agent vault data, and displaying your dashboard.
  • Account management. Sending transactional emails such as password reset instructions, subscription confirmation, payment receipts, and service notices. We do not send marketing emails without your explicit opt-in.
  • Security & fraud prevention. Detecting and investigating suspicious activity, unauthorized access, abuse of the Platform, and violations of our Terms of Service. Log data and IP addresses are used for this purpose.
  • Billing & payments. Managing subscriptions, processing payments through Stripe, handling billing disputes, and tracking subscription status.
  • Legal compliance. Complying with applicable laws, regulations, legal process, or governmental requests, including applicable data retention and reporting obligations.
  • Platform improvement. Analyzing aggregate, de-identified usage patterns to understand how the Platform is used and to improve performance and features. We do not use individually identifiable data for this purpose.
  • Audit logging. Maintaining intent records and API call logs so you can audit the actions your AI agents have taken.

We do not sell your personal information. We do not use your personal information to serve you targeted advertising. We do not use your Provider API keys for any purpose other than executing the specific API calls you authorize through the Platform.



7. How We Share Your Data

We do not sell, rent, or trade your personal information to third parties. We share information only in the following limited circumstances:

  • With third-party service providers acting as data processors. We use third-party providers to help us operate the Platform (see Section 8). These providers process your data only on our documented instructions and are bound by data processing agreements with appropriate confidentiality and security obligations.
  • With third-party providers you direct us to use. When you add a Provider Key to the Platform and request provisioning, we transmit necessary information (including your Provider Key and provisioning parameters) to that provider to fulfill the request. This sharing is initiated by your instructions and governed by your own agreement with that provider.
  • For legal compliance. We may disclose your information if required to do so by law, court order, subpoena, or other legal process, or if we have a good-faith belief that disclosure is necessary to comply with applicable law, protect our legal rights, or prevent fraud or imminent harm.
  • In a business transfer. If Agentity is acquired, merged, or its assets are sold, your information may be transferred to the acquiring entity as part of that transaction, subject to the same privacy protections. We will notify you of such a transfer by updating this policy or providing direct notice.
  • With your consent. For any other purpose with your explicit prior consent.

8. Third-Party Service Providers

The Platform integrates with the following third-party services. Each handles data under its own privacy policy, linked below:

  • Stripe, Inc. — Payment processing and subscription management. Stripe receives your payment card information directly (we never see or store raw card numbers). Stripe may collect billing address and transaction data. See Stripe's privacy policy for details. Stripe is PCI-DSS Level 1 certified.
  • AgentMail — Email provisioning for AI agents. When you supply an AgentMail API key and request email provisioning, we transmit provisioning parameters to AgentMail. Email content sent to or from provisioned addresses is handled by AgentMail, not stored in Agentity's infrastructure.
  • AgentPhone — Phone number provisioning for AI agents. When you supply an AgentPhone API key and request phone provisioning, we transmit provisioning parameters to AgentPhone. SMS and voice content is handled by AgentPhone.
  • Privacy.com — Virtual debit card provisioning. When you supply a Privacy.com API key and request card provisioning, we transmit provisioning parameters to Privacy.com. Full card numbers (PANs) are handled by Privacy.com and are not stored in Agentity's systems.
  • Google Fonts (Google LLC) — The Platform loads fonts from Google's CDN (fonts.googleapis.com and fonts.gstatic.com). When your browser fetches fonts, Google may log your IP address as part of standard CDN operation. Refer to Google's privacy policy for details. No personal account data is shared with Google.

We do not use any third-party analytics platforms (e.g., Google Analytics, Mixpanel, Segment), advertising networks, social media pixels, or session recording tools.


9. Cookies & Browser Storage

We use a minimal set of browser storage mechanisms, limited to those necessary to operate the Platform. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

Cookies (persistent, set by Agentity):

  • access_token — Stores your JWT access token. Duration: up to 30 days. Flags: Secure, SameSite=Strict, path=/. Purpose: authenticating your requests to the Platform. Cleared on logout.
  • refresh_token — Stores your JWT refresh token. Duration: up to 30 days. Flags: Secure, SameSite=Strict, path=/. Purpose: obtaining new access tokens without re-login. Invalidated server-side and cleared client-side on logout.

Session Storage (tab-scoped, not sent to servers):

  • csrf_token — A cryptographically random 32-byte token used to prevent cross-site request forgery attacks. Scoped to the browser tab/session. Cleared on logout. Never persisted to a server database.

Disabling cookies: The access_token and refresh_token cookies are strictly necessary for the Platform to function. Blocking them will prevent you from logging in. Because we use no tracking or advertising cookies, a cookie consent banner is not required for our current cookie usage under most applicable frameworks. If this changes, we will update this section and provide a consent mechanism.


10. Data Security

We implement technical and organizational measures designed to protect your data against unauthorized access, alteration, disclosure, or destruction. Specific measures include:

  • Encryption in transit. All communications between your browser and the Platform are encrypted using TLS (HTTPS). API calls to third-party providers are made over HTTPS.
  • Encryption at rest. Provider API keys and agent secrets stored in the vault are encrypted at rest using industry-standard symmetric encryption.
  • Password hashing. Passwords are never stored in plaintext. We use a cryptographic one-way hashing algorithm (with per-password salt) before storage.
  • Authentication cookies. Session cookies are issued with the Secure flag (HTTPS-only) and SameSite=Strict to mitigate CSRF and man-in-the-middle attacks.
  • CSRF protection. Mutating API requests require a cryptographically random CSRF token generated client-side.
  • Token invalidation. Refresh tokens are invalidated server-side on logout, ensuring that stolen tokens cannot be used to maintain access after a user signs out.
  • Access controls. Internal access to production data is restricted to authorized personnel on a need-to-know basis.

Despite these measures, no security system is infallible. You are responsible for maintaining the security of your account credentials and API keys. If you believe your account has been compromised, contact us immediately at [email protected].

Data breach notification. In the event of a security breach that affects your personal data and is required to be reported under applicable U.S. state breach notification laws (including Cal. Civ. Code § 1798.82 and equivalent statutes), we will notify you as required by law, which is typically within 72 hours to 30 days depending on the jurisdiction.


11. Data Retention

We retain your data for as long as necessary to provide the Services and fulfill the purposes described in this policy, subject to the following:

  • Active accounts. Account information (email, name), Provider API keys (encrypted), agent identity records, intent logs, and API key metadata are retained for the duration of your account.
  • After account deletion or termination. We will delete or de-identify your personal information within a reasonable period following account closure, except as required to: (a) resolve outstanding billing disputes; (b) comply with applicable legal record-keeping obligations (e.g., financial record retention under applicable tax law); (c) prevent fraud or abuse; or (d) enforce our Terms of Service.
  • Authentication tokens. Access tokens expire per their exp claim. Refresh tokens have a maximum 30-day browser cookie lifetime and are invalidated server-side on logout. CSRF tokens persist only for the browser session.
  • Server logs. Technical log data (IP addresses, request metadata) is retained for security and operational purposes for a rolling period consistent with industry practice, then deleted or anonymized.
  • Billing records. Transaction and subscription records are retained as required to comply with financial and tax regulations, typically up to seven years from the date of transaction.

You may request deletion of your personal information at any time by contacting us at [email protected]. We will respond within the timeframe required by applicable law.


12. Your Rights & Choices

Regardless of your jurisdiction, you have the following general rights with respect to your personal information held by Agentity:

  • Access. You may request a copy of the personal information we hold about you.
  • Correction. You may update your name or email address through your account settings or by contacting us.
  • Deletion. You may request that we delete your personal information. We will comply subject to legal retention obligations and fraud prevention needs.
  • Portability. You may request your data in a structured, machine-readable format where technically feasible.
  • Opt-out of marketing. We do not send marketing emails by default. If we ever do, every marketing email will include an unsubscribe link.
  • Account deletion. You may close your account at any time by contacting [email protected]. Closing your account will result in deletion of your data consistent with Section 11.

To exercise any of these rights, email us at [email protected] with the subject line "Privacy Request." We will respond within the timeframe required by applicable law (typically 30–45 days). We may need to verify your identity before processing your request.


13. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), as amended by the California Privacy Rights Act ("CPRA"), grants you specific rights regarding your personal information.

Categories of personal information collected (past 12 months):

  • Identifiers — name, email address, user account ID, IP address.
  • Account credentials — hashed password, authentication tokens, API keys.
  • Commercial information — subscription plan, subscription status.
  • Internet/electronic activity — HTTP request logs, API call logs, intent records.
  • Sensitive personal information — Provider API keys (treated as sensitive credentials).

Your California rights:

  • Right to Know. You may request disclosure of the specific pieces and categories of personal information we have collected about you in the past 12 months, the sources from which it was collected, the business purpose for collection, and the categories of third parties with whom it is shared.
  • Right to Delete. You may request deletion of personal information we have collected, subject to certain exceptions (legal obligations, fraud prevention, etc.).
  • Right to Correct. You may request correction of inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing. We do not sell or share your personal information as those terms are defined under the CCPA/CPRA. No opt-out mechanism is required, but we honor opt-out signals.
  • Right to Limit Use of Sensitive Personal Information. We use Provider API keys only to perform the Services you request. We do not use sensitive personal information for secondary purposes beyond those permitted by the CPRA.
  • Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To submit a verifiable consumer request under the CCPA/CPRA, email us at [email protected] with the subject line "California Privacy Request." We will respond within 45 days (extendable by an additional 45 days with notice). Requests may be submitted by an authorized agent with written permission.


14. Other U.S. State Privacy Rights

Several U.S. states have enacted comprehensive privacy laws that may grant you additional rights, including:

  • Virginia — Consumer Data Protection Act (Va. Code Ann. § 59.1-575 et seq.)
  • Colorado — Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.)
  • Connecticut — Data Privacy Act (Conn. Gen. Stat. § 42-515 et seq.)
  • Texas — Texas Data Privacy and Security Act (Tex. Bus. & Com. Code § 541.001 et seq.)
  • Nevada — Senate Bill 220 (NRS § 603A)
  • And other states with enacted privacy legislation.

Where applicable, these laws may grant you rights to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of targeted advertising and profiling. Because we do not engage in targeted advertising or sell personal data, the opt-out rights have limited practical scope for our Platform. For access, correction, deletion, and portability rights, please contact us as described in Section 12.

We will respond to verified requests from residents of these states within the timeframes specified by their respective laws (generally 45–60 days).


15. EU, EEA & UK Residents (GDPR)

If you are located in the European Union, European Economic Area, or United Kingdom, the General Data Protection Regulation (GDPR) or UK GDPR grants you the following rights:

  • Right of access (Art. 15) — Obtain a copy of your personal data and supplementary information about how it is processed.
  • Right to rectification (Art. 16) — Request correction of inaccurate or incomplete personal data.
  • Right to erasure / "right to be forgotten" (Art. 17) — Request deletion of your data in circumstances permitted by law.
  • Right to restriction of processing (Art. 18) — Request that we limit processing of your data in certain circumstances.
  • Right to data portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Right to object (Art. 21) — Object to processing based on legitimate interests.
  • Rights related to automated decision-making (Art. 22) — We do not engage in solely automated decision-making with legal or similarly significant effects.

International data transfers. Agentity is based in the United States. If you are in the EU/EEA/UK, your personal data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) adopted by the European Commission as the appropriate safeguard for such transfers where required. You may obtain a copy of relevant transfer safeguards by contacting us.

Right to lodge a complaint. You have the right to lodge a complaint with your local supervisory authority. In the EU, the relevant supervisory authority is determined by your country of residence. In the UK, it is the Information Commissioner's Office (ICO).

To exercise your GDPR rights, contact us at [email protected] with the subject line "GDPR Request." We will respond within one calendar month.


16. Children's Privacy

The Platform is not directed to, and we do not knowingly collect personal information from, children under 18 years of age (or the applicable age of majority in their jurisdiction). Our Services are developer infrastructure tools that require technical knowledge and legal capacity to contract.

If you believe we have inadvertently collected personal information from a child, please contact us immediately at [email protected] and we will delete such information promptly. We comply with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. § 6501 et seq.) with respect to users under 13.


17. International Data Transfers

Agentity operates from the United States. If you access the Platform from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.

By using the Platform, you acknowledge and consent to the transfer of your information to the United States in accordance with this Privacy Policy. For EU/EEA/UK users, we rely on appropriate safeguards as described in Section 15.

Our third-party providers (Stripe, AgentMail, AgentPhone, Privacy.com, Google) also operate globally and may process your data in jurisdictions outside your country of residence. We encourage you to review their privacy policies for details on their international data transfer practices.


18. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the "Last Updated" date at the top of this page and, where required by law or where the changes significantly affect your rights, by sending an email to the address associated with your account.

We encourage you to review this Policy periodically. Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Policy. If you do not agree to the updated Policy, you should discontinue use of the Platform and delete your account.

We will maintain a record of prior versions of this policy upon request.


19. Contact & Data Requests

For privacy-related questions, concerns, or to exercise your rights, please contact us:

  • Email: [email protected]
  • Subject line for requests: "Privacy Request," "California Privacy Request," or "GDPR Request" as applicable
  • Operator: Quallet, Inc.

We are committed to working with you to resolve any concerns about your privacy. If you are not satisfied with our response, you may have the right to lodge a complaint with a supervisory authority in your jurisdiction, as described in Section 15 for EU/UK residents.

For security vulnerabilities or to report suspected misuse of personal data, please email [email protected] with the subject line "Security" or "Data Incident" respectively.

This Privacy Policy was last reviewed on April 4, 2026. The current version is always available at agentity.to/privacy.