Privacy Policy

Last updated: July 2026

Agenturo is operated by its founder. For privacy matters, contact privacy@agenturo.app.

Agenturo is GDPR-compliant. We process personal data lawfully under Article 6 GDPR, honour all data subject rights, maintain a public sub-processor list, and act as your data processor for lead capture under a formal Data Processing Agreement.

1. Data Collected

Account data: email, name. Agent config: content you provide during setup. Conversations: messages (30-day retention). Leads: name, email, phone, company — encrypted at rest (AES-256), 90-day retention. IP addresses: stored by Agenturo only as SHA-256 hashes, never in plain text. Our analytics and error-monitoring providers process your IP address transiently (e.g., to derive approximate location); we do not retain it in plain text.

Product analytics (PostHog): page views, clicks and interaction events, device and browser information, approximate location derived from IP, and a pseudonymous identifier stored on your device. For logged-in users, events are linked to your internal account ID (not your email or name). We use this data to understand and improve the Service — never for advertising, and it is never sold.

Error monitoring & session replay (Sentry): when an error occurs (and for a small sample of sessions), we capture technical diagnostics and a visual replay of the session in which all text, all inputs, and all media are masked before leaving your browser — the replay shows page structure and interactions, not what you typed or read.

2. How We Use Your Data

  • Account data: to provide and manage your account, send service communications.
  • Agent configuration: to build, personalise, and serve your AI agent.
  • Conversations: to deliver AI responses and maintain conversation context.
  • Leads: to provide lead capture functionality to agent owners.
  • IP addresses (hashed): for rate limiting, abuse prevention, and security.
  • Product analytics (pseudonymous): to understand usage patterns and improve the Service. Not used for advertising; not sold or shared for cross-context behavioural advertising.
  • Error diagnostics & masked session replays: to detect, reproduce, and fix bugs.

3. Legal Basis

Account: contract performance (Art. 6(1)(b)). Conversations: legitimate interest (Art. 6(1)(f)). Leads: explicit consent (Art. 6(1)(a)). Analytics: legitimate interest.

3A. Data Roles — Agent Owners & Visitors

For platform data (your account, your agent configuration, billing, analytics), Agenturo is the data controller.

For data you share with an agent as a visitor — messages you type into a chat, and any details you submit through a lead form — the agent's owner determines why that agent exists and what it does with your information; the owner is the data controller for lead data, and Agenturo processes it on the owner's behalf under our Data Processing Agreement. Requests concerning data you gave to a specific agent should be directed to that agent's owner in the first instance; we will assist either way at privacy@agenturo.app.

Do not share sensitive personal data with an AI agent — health, financial, government-ID, biometric, or other special-category information. Agents are automated software operated by independent owners; treat anything you type as visible to the agent's owner.

4. Third Parties

Creem (payments/MoR), OpenRouter (LLM inference), Vercel (hosting), Resend (email), Neon (database), PostHog (product analytics), Sentry (error monitoring & masked session replay). Calendar booking links redirect to third-party scheduling services. See the full subprocessors list.

5. International Data Transfers

Your data may be transferred to and processed in the United States, where our primary infrastructure providers (Vercel, Neon, OpenRouter, Resend, Sentry, PostHog) operate. Our payment processor Creem operates within the EU. For transfers from the EEA/UK to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46 GDPR. See our subprocessors list for each provider's transfer mechanism.

6. Your Rights (GDPR — EEA / UK)

Under GDPR and applicable data protection law, you have the following rights:

  • Access: Request a copy of your personal data — email privacy@agenturo.app.
  • Rectification: Correct inaccurate data — email privacy@agenturo.app or update in your admin panel.
  • Erasure: Delete your agent from the admin panel — permanently and immediately removes all associated data (conversations, messages, leads, soul versions, analytics, token records). To close your login account, email privacy@agenturo.app.
  • Data portability: Your agent soul is available as plain text in the soul editor at any time. For other data export requests, email privacy@agenturo.app.
  • Restriction & objection: Email privacy@agenturo.app.
  • Withdraw consent: For email marketing — use the unsubscribe link in any marketing email. For lead data as a visitor — contact the agent owner whose page you used, or email privacy@agenturo.app. For account data — email privacy@agenturo.app. Withdrawal does not affect lawfulness of prior processing.
  • Lodge a complaint: Contact your local data protection authority (e.g., ICO for UK, your national DPA for EEA).

We respond to all requests within 30 days. We may request identity verification before processing your request.

6A. Your Rights (CCPA / CPRA — California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) grant you the following rights:

  • Right to Know: What categories of personal information we collect, the sources, the business purpose, and the categories of third parties we share it with.
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information we hold about you.
  • Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for monetary or other consideration. No opt-out link is required, but you may confirm this by emailing privacy@agenturo.app.
  • Right to Limit Use of Sensitive Personal Information: Limit use of sensitive PI to what is necessary to perform the service.
  • Right to Non-Discrimination: We will not treat you differently for exercising any of these rights.

Categories of personal information collected in the past 12 months:

  • Identifiers: Email address, name, hashed IP address — collected for account management and security. Not sold.
  • Internet / electronic activity: Conversation messages, session data, error logs — collected for service delivery and debugging. Not sold.
  • Commercial information: Subscription plan, payment status — collected for billing. Not sold.
  • Inferences: Agent configuration and usage patterns — collected to personalise and serve your agent. Not sold.

To exercise CCPA rights: email privacy@agenturo.app. We respond within 45 days (extendable by a further 45 days with notice for complex requests). You may designate an authorised agent to submit requests on your behalf with written verification.

7. Automated Decision-Making

Agenturo uses AI models to generate conversational responses. This processing is core to the Service you have requested (Art. 22(2)(a) GDPR). No decisions with legal or similarly significant effects are made solely by automated means. AI-generated responses may be inaccurate and should not be relied upon as professional advice.

8. Security

Encryption at rest (AES-256 for leads), encryption in transit (TLS 1.3), hashed IPs (SHA-256), parameterised queries, CSP headers, HSTS, rate limiting, and real-time error monitoring (Sentry).

Breach notification. In the event of a personal data breach likely to result in high risk to your rights and freedoms, we will notify affected users without undue delay by email, and report to the relevant supervisory authority within 72 hours, as required by GDPR Art. 33–34.

9. Cookies & Local Storage

We do not use advertising cookies, and we do not sell or share data collected via cookies. We use the following:

Cookie / StoragePurposeTypeDuration
next-auth.session-tokenAuthentication session (HttpOnly, Secure)Essential30 days
themeLight/dark theme preferenceFunctionalPersistent
ph_* (PostHog)Product analytics — pseudonymous identifier so usage events from the same device are counted once. Set across *.agenturo.app.AnalyticsUp to 1 year

Essential cookies are required for the Service to function and cannot be disabled. The theme preference cookie contains no personal data. Analytics identifiers are used solely to improve the Service — never for advertising or cross-site tracking. To object to analytics processing, email privacy@agenturo.app (see §6, Restriction & objection).

10. Data Retention

Conversations and conversation analysis: 360 days, enforced by an automated nightly sweep. Leads: 90 days (extendable to 1 year with your consent). Agent memory (the durable facts and summaries your agent learns): retained for the life of the agent so it can keep remembering. Account data: subscription period + 90 days. Anonymised aggregates: indefinite. Deleting your agent or your account immediately and permanently removes the associated data regardless of these windows.

11. Children's Privacy

Agenturo is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact privacy@agenturo.app and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.

13. Relationship to the Terms of Service

This Policy describes how we handle personal data; it does not create contractual rights or warranties beyond those required by applicable data protection law. Any claim arising out of or relating to the Service — including one connected with this Policy — is subject to the Terms of Service, including its disclaimer of warranties (§12), limitation of liability (§13), and dispute resolution (§16) provisions, to the fullest extent permitted by law. Nothing in this section limits your statutory rights under GDPR, CCPA, or other applicable data protection law, including your right to lodge a complaint with a supervisory authority.

Contact

privacy@agenturo.app · support@agenturo.app