AgentAdmit — Privacy Policy
Last updated: May 31, 2026. This policy may be updated over time. Material changes will be communicated before they take effect.
1. Scope of This Policy
This Privacy Policy explains how AgentAdmit collects, uses, stores, and discloses personal data when you use the AgentAdmit hosted service.
This includes:
- the AgentAdmit dashboard
- account creation and authentication
- API usage
- token generation and exchange flows
- token verification / introspection
- development and staging usage with test keys
- production usage with live keys
- support, billing, and service communications
This policy applies to:
- developers and organizations integrating AgentAdmit into applications, APIs, or MCP servers
- app owners and MCP server operators using the hosted service
- end users who go through an AgentAdmit-powered authorization flow in a connected application
This policy does not govern how a third-party application or MCP server uses data inside its own product. Those operators are responsible for their own product privacy disclosures and practices.
2. Data Controller
The data controller for the AgentAdmit hosted service is:
AgentAdmit LLC
- Legal: legal@agentadmit.com
- Support: support@agentadmit.com
- Web: https://agentadmit.com
If required by applicable law, we will identify additional contact or representative information.
3. Plain-English Summary
AgentAdmit is built around authorization, auditability, and user control. Our privacy practices are intended to support those same values.
In plain English:
- we collect the data needed to run the hosted service
- we log verification and authorization metadata as part of the hosted-service model
- test keys and live keys both use the hosted service
- we do not sell your personal data
- we do not use your data to train AI models
- we use service metadata for security, billing, operations, analytics, and future service features subject to our policies and applicable law
- app owners remain responsible for their own app-layer privacy disclosures
If you want the detailed version, the rest of this policy explains it.
4. What We Collect
4.1 Account and Profile Information
When you create or use an AgentAdmit account, we may collect:
- email address
- name, if provided
- organization or company information, if provided
- authentication-related account data
- account status and environment information
4.2 Billing and Subscription Information
If you subscribe to a paid offering, we may collect or receive:
- billing status
- subscription status
- plan / tier information
- renewal and payment event metadata
- limited payment-related metadata from payment processors
Where payment card details are handled by a third-party payment processor, we do not store full payment card numbers.
4.3 Token and Authorization Metadata
As part of providing the hosted service, we may collect and store metadata related to:
- connection-token issuance and exchange
- granted scopes
- connection identifiers
- app identifiers
- agent labels or agent-related identifiers
- issuance, expiration, revocation, and status timestamps
- environment or key type (for example, test vs live)
We may store token-related metadata needed for service operation, revocation, auditability, security, and billing. We do not need to store every token in plaintext to provide the service.
4.4 Verification / Introspection Metadata
Because AgentAdmit uses mandatory introspection for the hosted service, we may collect metadata related to token verification and protected requests, including:
- app or integration identifier
- environment / key type
- pseudonymous or app-provided user identifiers
- scopes requested or used
- endpoints or tools being verified
- timestamps
- response status
- request-level operational metadata
- IP address or network metadata needed for security, abuse prevention, reliability, and fraud detection
This applies to both:
- test-key development usage
- live-key production usage
4.5 Audit and Operational Logs
We may maintain audit, security, and operational logs relating to:
- authorization events
- revocations
- verification attempts
- failures and denials
- account and service activity
- debugging and incident response
4.6 Communications and Support Data
If you contact us, we may collect:
- support emails and messages
- bug reports
- feedback submissions
- feature requests
- billing or account-related communications
4.7 Device, Browser, and Technical Data
When you use the dashboard or APIs, we may collect standard technical information such as:
- browser or user-agent data
- device or client metadata
- session and authentication metadata
- error and performance data
5. How the Hosted-Service Model Affects Privacy
This section is important because it explains the practical privacy consequences of using AgentAdmit.
5.1 Test Keys and Live Keys Both Use the Hosted Service
Test keys are for development and testing. Live keys are generated in the AgentAdmit dashboard only after the app owner pays for a subscription.
Both test keys and live keys use AgentAdmit's hosted verification infrastructure.
That means development and testing are not outside the hosted service. Verification metadata, service logs, and operational controls may apply before go-live, not only after production activation.
5.2 Mandatory Introspection Means Verification Metadata Exists
Mandatory introspection is part of the product design. Because the hosted service performs verification, AgentAdmit necessarily processes verification-related metadata.
This supports:
- scope enforcement
- revocation
- auditability
- abuse prevention
- billing and usage metering
- service reliability and analytics
5.3 AgentAdmit Does Not Become the App's Entire Privacy Layer
AgentAdmit processes the authorization layer. App owners and MCP server operators remain responsible for:
- their own application data flows
- their own user disclosures
- their own privacy policies
- the downstream business logic inside their own systems
6. Why We Use Data
We may use personal data and service metadata to:
- create and manage accounts
- authenticate users
- issue and manage test keys and live keys
- operate token generation, exchange, verification, and revocation flows
- enforce scopes and permissions
- provide auditability and account visibility
- meter usage and support billing
- prevent abuse, fraud, and security incidents
- troubleshoot errors and improve service reliability
- respond to support requests
- comply with legal obligations
- improve product operations and develop future service features consistent with our policies and applicable law
We do not use personal data to train AI models.
We do not sell your personal data.
7. Legal Bases for Processing
Where applicable law requires a legal basis for processing, we may rely on:
- contract performance — to provide the hosted service you requested
- legitimate interests — for security, fraud prevention, logging, service analytics, abuse prevention, debugging, and operational improvement
- legal obligations — where we must retain or disclose data to comply with law
- consent — where we specifically ask for it and applicable law requires it
The exact legal basis may depend on the type of data and your jurisdiction.
8. How We Share Data
We may share data:
- with service providers and processors who help us operate the hosted service
- with payment providers for billing and subscription handling
- with infrastructure, hosting, email, support, and security vendors acting on our behalf
- when required by law, regulation, legal process, or enforceable governmental request
- to protect the rights, security, or integrity of AgentAdmit, our users, or others
- in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate protections
We do not sell personal data.
We do not share personal data for cross-context behavioral advertising.
9. Third-Party Processors and Services
We use the following third-party service providers to operate the AgentAdmit hosted service:
| Provider | Purpose | Data Processed |
|---|---|---|
| Clerk | Authentication and user management | Email, name, auth session data |
| Supabase | Database and data storage | Account data, token metadata, audit logs |
| Stripe | Payment processing and billing | Billing status, subscription data, payment metadata |
| Vercel | Application hosting and delivery | Request metadata, IP addresses, performance data |
These providers act as processors on our behalf and are contractually bound to use your data only to provide services to us.
10. Data Retention
We retain data for as long as reasonably necessary to:
- provide the service
- maintain security and auditability
- support billing and records requirements
- investigate abuse or incidents
- comply with legal obligations
- enforce our agreements
Different categories of data may have different retention periods.
The final published version of this policy should align specific retention commitments with the actual production implementation and pricing model.
11. Cookies and Similar Technologies
AgentAdmit may use cookies or similar technologies for:
- authentication
- session management
- security protections
- dashboard functionality
- reliability and performance
We do not use advertising cookies or cross-site behavioral tracking cookies as part of the core hosted-service model described in this policy.
If we later add optional analytics or similar technologies that require additional notice or consent, we will update this policy and our user experience accordingly.
12. Data Security
We use administrative, technical, and organizational measures designed to protect personal data and service data.
These measures may include:
- encryption in transit
- hashing of bearer credentials at rest (connection tokens and API keys are never stored in plaintext)
- access controls
- credential protection
- role-based access to production systems
- security logging and incident response practices
- regular maintenance and patching
No system is perfectly secure. If we experience a security incident requiring notice under applicable law, we will provide notice as required.
13. Your Rights
Depending on your jurisdiction, you may have rights such as:
- access to your personal data
- correction of inaccurate data
- deletion of personal data
- restriction of processing
- objection to certain processing
- data portability
- withdrawal of consent where processing depends on consent
- the right to complain to a regulator or supervisory authority
You may also be able to revoke agent access through the product's connection and revocation mechanisms.
The final published version of this policy should include the specific request channels, timelines, and jurisdiction-specific disclosures required for launch.
14. International Transfers
If you use AgentAdmit from outside the country where the service is operated, your data may be transferred to and processed in other jurisdictions, including the United States.
Where required, we will rely on appropriate transfer mechanisms and contractual safeguards in the final published version of this policy.
15. Children's Privacy
AgentAdmit is not intended for children under the minimum age allowed by applicable law for use of the service without parental involvement.
If we learn that we have collected personal data from a child in violation of applicable law, we will take appropriate steps to delete it.
16. Changes to This Policy
We may update this Privacy Policy from time to time.
If we make material changes, we may provide notice through appropriate channels such as:
- dashboard notices
- updated effective dates
Your continued use of the service after an updated policy becomes effective may constitute acceptance to the extent permitted by law.
17. Contact Information
AgentAdmit LLC
- Legal: legal@agentadmit.com
- Support: support@agentadmit.com
- Web: https://agentadmit.com