SDK Privacy & Compliance Guide
This guide helps you fill out Apple App Store and Google Play compliance forms when your app integrates AgentAdmit.
How AgentAdmit Handles Data
AgentAdmit has two data flow layers. Both matter for your compliance disclosures.
Layer 1: React SDK (Client-Side)
The @agentadmit/react SDK runs in your app on the user's device. It:
- Sends the user's auth token (provided by your app), scope selections, and duration preference to the API endpoint you configure via `apiBase`
- Does NOT collect device identifiers, location, contacts, photos, browsing history, advertising IDs, or analytics
- Does NOT use any Apple Required Reason APIs
- Has zero hardcoded external domains — it sends data only where you tell it to
The React SDK ships with a PrivacyInfo.xcprivacy privacy manifest for iOS/React Native distribution.
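Because the client SDK has no hardcoded domains, the user's auth token and scope selections go to whatever `apiBase` your app supplies, so that value is a trust boundary your app owns. The following check is an added example, not code from the AgentAdmit SDK; the allow-listed host name and the `validateApiBase` helper are constructed for illustration. It requires TLS except for local development, rejects embedded credentials and query strings, and pins the host to an allow-list before the value is handed to the SDK.

```javascript
// Added example (not part of @agentadmit/react): validate the apiBase your app
// passes to the SDK before the SDK ever uses it. The allow-list below is a
// constructed placeholder; replace it with the hosts you actually operate.
const ALLOWED_API_HOSTS = ["api.example-app.com"];

// Returns a normalised base URL (origin + path, no trailing slash) or throws.
function validateApiBase(apiBase, allowedHosts = ALLOWED_API_HOSTS) {
  let url;
  try {
    url = new URL(apiBase);
  } catch {
    throw new Error(`apiBase is not an absolute URL: ${apiBase}`);
  }

  // Plain http is tolerated only for a local dev server; everything else
  // must be https so the token is never sent in clear text.
  const isLocal = url.hostname === "localhost" || url.hostname === "127.0.0.1";
  if (url.protocol !== "https:" && !(isLocal && url.protocol === "http:")) {
    throw new Error(`apiBase must use https (got ${url.protocol}//${url.host})`);
  }

  // A base URL should never carry credentials, a query string or a fragment;
  // any of these usually means the value came from an untrusted source.
  if (url.username || url.password) {
    throw new Error("apiBase must not embed credentials");
  }
  if (url.search || url.hash) {
    throw new Error("apiBase must not carry a query string or fragment");
  }

  // Pin the destination to hosts you own so a misconfiguration (or an
  // attacker-controlled config value) cannot redirect the auth token.
  if (!isLocal && !allowedHosts.includes(url.hostname)) {
    throw new Error(`apiBase host ${url.hostname} is not in the allow-list`);
  }

  // Strip trailing slashes so the SDK's endpoint paths append cleanly.
  return url.origin + url.pathname.replace(/\/+$/, "");
}

// Typical use: validate once at startup, then pass the result as apiBase.
//   const apiBase = validateApiBase(process.env.AGENTADMIT_API_BASE);
```

Run the validation once at app start-up (or at build time for a static config) rather than on every render, and fail loudly: a rejected `apiBase` should stop the integration from initialising instead of falling back to a default.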
Layer 2: Hosted Service (Server-Side)
When your backend SDK (Node, Python, Go, Ruby, Java, or PHP) validates tokens, it calls api.agentadmit.com/v1/verify. This is mandatory introspection — the core security mechanism that enables real-time revocation.
Data transmitted to AgentAdmit during token validation:
- Pseudonymized user identifier (`app_user_id`, set by your app, not a real name or email)
- The token being validated
- App ID and API key
- Scope and connection metadata
What AgentAdmit does with this data:
- Validates token authenticity and scope enforcement
- Enables real-time revocation (immediate effect when a user disconnects an agent)
- Usage-based billing (counting API calls per app)
Specific fields logged per verification call:
app_id, pseudonymized app_user_id, connection_id, scope_used, API endpoint and method, agent_label, and timestamp. This data is used to enforce access control, generate audit logs, and calculate usage for billing. No PII (names, emails, phone numbers, addresses) is collected or stored by AgentAdmit.
What AgentAdmit does NOT do:
- Does not sell user data
- Does not use data for advertising or cross-app tracking
- Does not collect PII (names, emails, phone numbers, addresses)
- Does not share data with third parties beyond the validation service
- Does not have any in-app AI features — AgentAdmit is an authorization service, not an AI processing service. It authorizes AI agents to access your app, but does not itself use AI models to process, analyze, or generate content. This keeps the data collection story clean for compliance purposes.
Apple Privacy Nutrition Labels
When submitting your app to the App Store, use these answers for the Privacy Nutrition Labels:
Data Types Collected
| Data Type | Collected? | Details |
|---|---|---|
| Contact Info | No | — |
| Health & Fitness | No | — |
| Financial Info | No | — |
| Location | No | — |
| Sensitive Info | No | — |
| Contacts | No | — |
| User Content | No | — |
| Browsing History | No | — |
| Search History | No | — |
| Identifiers > User ID | Yes | Your app's internal user ID (pseudonymized) is included in token validation calls. Mark as "Used for App Functionality" and "Linked to User Identity." |
| Usage Data > Product Interaction | Yes | Scope selections and connection events are processed for token validation. Mark as "Used for App Functionality" and "Linked to User Identity." |
| Diagnostics | No | — |
Tracking
- Does the SDK track users? No.
- Does the SDK use data for tracking as defined by App Tracking Transparency? No.
Privacy Manifest
The React SDK includes PrivacyInfo.xcprivacy with:
- NSPrivacyTracking: false
- NSPrivacyTrackingDomains: (empty)
- NSPrivacyCollectedDataTypes: (empty — the SDK itself doesn't independently collect data)
- NSPrivacyAccessedAPITypes: (empty — no Required Reason APIs used)
Google Play Data Safety Form
When filling out the Data Safety section:
Data collection
| Data Type | Collected? | Shared with AgentAdmit? | Purpose | Optional? |
|---|---|---|---|---|
| Personal identifiers | Pseudonymized user ID via token validation | Yes (to api.agentadmit.com for verification) | App functionality, security | Required |
| App interactions | Scope selections, connection data | Yes (for token validation and billing) | App functionality | Required |
| All other types | No | No | — | — |
Is data encrypted in transit?
Yes. All communication uses HTTPS — both the React SDK (fetch API) and the server-side SDKs (introspection calls to api.agentadmit.com).
Can users request data deletion?
Yes. Users can revoke agent connections at any time through the SDK's ConnectionsList component. Revocation takes effect immediately via real-time introspection — there is no cache delay.
Does your app share data with third parties?
Token validation data is sent to AgentAdmit (api.agentadmit.com) as a service provider performing security verification on your behalf. AgentAdmit does not sell this data, use it for advertising, or use it for cross-app tracking.
Under Google's definitions, a "service provider" processing data on your behalf is typically not classified as "sharing." We recommend noting this in your disclosure for full transparency.
React SDK Customization
The React SDK components are designed for customization. They use CSS class names (not inline styles), so your app's styles always take precedence.
Theme Support
```jsx
<AgentAdmitPanel theme="dark" />   // Adds aa-dark class
<AgentAdmitPanel theme="light" />  // Adds aa-light class
<AgentAdmitPanel theme="system" /> // Default — no theme class added
```
Custom Styling
Every component accepts a className prop for custom CSS:
```jsx
<AgentAdmitPanel className="my-custom-panel" />
<ScopeSelector className="my-scope-picker" />
```
All internal elements use aa-* class names that you can override:
| Class | Element |
|---|---|
| aa-panel | Root container |
| aa-btn | All buttons |
| aa-btn-primary | Primary action buttons |
| aa-pill | Scope permission pills |
| aa-duration-option | Duration picker buttons |
| aa-token-display | Token display area |
| aa-template-card | Prompt template cards |
| aa-connection-card | Connection list items |
Custom Labels
```jsx
<AgentAdmitPanel
  headerTitle="Connect Your AI Assistant"
  generateButtonLabel={(count) => `Create Token (${count} permissions)`}
/>
```
Accessibility
All components include ARIA attributes for screen reader support:
- `role="region"`, `role="radiogroup"`, `role="list"`, `role="alertdialog"`
- `aria-expanded`, `aria-controls`, `aria-pressed`, `aria-checked`
- `aria-live` regions for dynamic content updates
- Proper `<label>` associations with `htmlFor`/`id`
Apple HIG Compliance Tips
When using the React SDK in an iOS app:
- Ensure all interactive elements have a minimum touch target of 44×44 points
- Use your app's native font stack (the SDK doesn't force any fonts)
- Match your app's color scheme using the `aa-*` class overrides
- The SDK respects Dark Mode when `theme="system"` or `theme="dark"` is set
Material Design Compliance Tips
When using the React SDK in an Android app:
- Override `aa-btn` classes to use Material-style elevation and ripple effects
- Use your app's Material color tokens for the `aa-*` class overrides
- The SDK's card-based layout naturally fits Material Design patterns