AgentAdmit Privacy Policy
Last updated: July 3, 2026. This policy may be updated over time. Material changes will be communicated before they take effect.
1. Scope of This Policy
This Privacy Policy explains how AgentAdmit collects, uses, stores, and discloses personal data when you use the AgentAdmit hosted service.
This includes:
- the AgentAdmit dashboard
- account creation and authentication
- API usage
- token generation and exchange flows
- token verification / introspection
- development and staging usage with test keys
- production usage with live keys
- support, billing, and service communications
This policy applies to:
- developers and organizations integrating AgentAdmit into applications, APIs, or MCP servers
- app owners and MCP server operators using the hosted service
- end users who go through an AgentAdmit-powered authorization flow in a connected application
This policy does not govern how a third-party application or MCP server uses data inside its own product. Those operators are responsible for their own product privacy disclosures and practices.
2. Data Controller
The data controller for the AgentAdmit hosted service is:
AgentAdmit LLC
- Legal: legal@agentadmit.com
- Support: support@agentadmit.com
- Web: https://agentadmit.com
If required by applicable law, we will identify additional contact or representative information.
3. Plain-English Summary
AgentAdmit is built around authorization, auditability, and user control. Our privacy practices are intended to support those same values.
In plain English:
- we collect the data needed to run the hosted service
- we log verification and authorization metadata as part of the hosted-service model
- test keys and live keys both use the hosted service
- we do not sell your personal data
- we do not use your data to train AI models
- we use service metadata for security, billing, operations, analytics, and future service features subject to our policies and applicable law
- app owners remain responsible for their own app-layer privacy disclosures
If you want the detailed version, the rest of this policy explains it.
4. What We Collect
4.1 Account and Profile Information
When you create or use an AgentAdmit account, we may collect:
- email address
- name, if provided
- organization or company information, if provided
- authentication-related account data
- account status and environment information
4.2 Billing and Subscription Information
If you subscribe to a paid offering, we may collect or receive:
- billing status
- subscription status
- plan / tier information
- renewal and payment event metadata
- limited payment-related metadata from payment processors
We do not store full payment card numbers if those are handled by a third-party payment processor.
4.3 Token and Authorization Metadata
As part of providing the hosted service, we may collect and store metadata related to:
- connection-token issuance and exchange
- granted scopes
- connection identifiers
- app identifiers
- agent labels or agent-related identifiers
- issuance, expiration, revocation, and status timestamps
- environment or key type (for example, test vs live)
We may store token-related metadata needed for service operation, revocation, auditability, security, and billing. We do not need to store every token in plaintext to provide the service.
4.4 Verification / Introspection Metadata
Because AgentAdmit uses mandatory introspection for the hosted service, we may collect metadata related to token verification and protected requests, including:
- app or integration identifier
- environment / key type
- pseudonymous or app-provided user identifiers
- scopes requested or used
- endpoints or tools being verified
- timestamps
- response status
- request-level operational metadata
Our verification audit log does not store IP addresses or network identifiers. IP addresses are used transiently for rate limiting and are processed at the network layer by our hosting provider (see Section 9); they are not retained by AgentAdmit as part of the verification audit log.
This applies to both:
- test-key development usage
- live-key production usage
4.5 Consent Events
If you use the Consent Ledger, we collect and store consent events, meaning the per-user, per-caller-class consent switches your users set (for example, in-app AI or external agent access) and the evaluation events recorded each time a consent verdict is checked. These events form the exportable compliance trail described in your plan and are retained according to the plan-tiered windows in Section 10.
4.6 Audit and Operational Logs
We may maintain audit, security, and operational logs relating to:
- authorization events
- revocations
- verification attempts
- failures and denials
- account and service activity
- debugging and incident response
4.7 Communications and Support Data
If you contact us, we may collect:
- support emails and messages
- bug reports
- feedback submissions
- feature requests
- billing or account-related communications
4.8 Device, Browser, and Technical Data
When you use the dashboard or APIs, we may collect standard technical information such as:
- browser or user-agent data
- device or client metadata
- session and authentication metadata
- error and performance data
5. How the Hosted-Service Model Affects Privacy
This section is important because it explains the practical privacy consequences of using AgentAdmit.
5.1 Test Keys and Live Keys Both Use the Hosted Service
Test keys are for development and testing. Live keys are generated in the AgentAdmit dashboard only after the app owner pays for a subscription.
Both test keys and live keys use AgentAdmit's hosted verification infrastructure.
That means development and testing are not outside the hosted service. Verification metadata, service logs, and operational controls may apply before go-live, not only after production activation.
5.2 Mandatory Introspection Means Verification Metadata Exists
Mandatory introspection is part of the product design. Because the hosted service performs verification, AgentAdmit necessarily processes verification-related metadata.
This supports:
- scope enforcement
- revocation
- auditability
- abuse prevention
- billing and usage metering
- service reliability and analytics
5.3 AgentAdmit Does Not Become the App's Entire Privacy Layer
AgentAdmit processes the authorization layer. App owners and MCP server operators remain responsible for:
- their own application data flows
- their own user disclosures
- their own privacy policies
- the downstream business logic inside their own systems
6. Why We Use Data
We may use personal data and service metadata to:
- create and manage accounts
- authenticate users
- issue and manage test keys and live keys
- operate token generation, exchange, verification, and revocation flows
- enforce scopes and permissions
- provide auditability and account visibility
- meter usage and support billing
- prevent abuse, fraud, and security incidents
- troubleshoot errors and improve service reliability
- respond to support requests
- comply with legal obligations
- improve product operations and develop future service features consistent with our policies and applicable law
We do not use personal data to train AI models.
We do not sell your personal data.
7. Legal Bases for Processing
Where applicable law requires a legal basis for processing, we may rely on:
- contract performance: to provide the hosted service you requested
- legitimate interests: for security, fraud prevention, logging, service analytics, abuse prevention, debugging, and operational improvement
- legal obligations: where we must retain or disclose data to comply with law
- consent: where we specifically ask for it and applicable law requires it
The exact legal basis may depend on the type of data and your jurisdiction.
8. How We Share Data
We may share data:
- with service providers and processors who help us operate the hosted service
- with payment providers for billing and subscription handling
- with infrastructure, hosting, email, support, and security vendors acting on our behalf
- when required by law, regulation, legal process, or enforceable governmental request
- to protect the rights, security, or integrity of AgentAdmit, our users, or others
- in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate protections
We do not sell personal data.
We do not share personal data for cross-context behavioral advertising.
9. Third-Party Processors and Services
We use the following third-party service providers to operate the AgentAdmit hosted service:
| Provider | Purpose | Data Processed |
|---|---|---|
| Clerk | Authentication and user management | Email, name, auth session data |
| Supabase | Database and data storage | Account data, token metadata, audit logs |
| Stripe | Payment processing and billing | Billing status, subscription data, payment metadata |
| Vercel | Application hosting and delivery | Request metadata, IP addresses, performance data |
| Resend | Transactional email (retention expiry warnings, purge confirmations, and service alerts) | Developer email addresses |
| Upstash | Redis-based rate limiting | Request identifiers such as IP addresses and API key ids |
These providers act as processors on our behalf and are contractually bound to use your data only to provide services to us.
10. Data Retention
We retain data for as long as reasonably necessary to:
- provide the service
- maintain security and auditability
- support billing and records requirements
- investigate abuse or incidents
- comply with legal obligations
- enforce our agreements
Different categories of data have different retention periods. Current retention windows are:
- Verification / audit-log metadata: retained for up to 180 days, then automatically deleted by a scheduled hygiene process
- Consent Ledger events: retained per plan, as described below
- Expired or consumed connection tokens: deleted after 30 days
- Account, billing, and subscription records: retained for as long as your account is active and thereafter as required for legal, tax, and accounting obligations
Consent-event retention. Consent Ledger events (the per-user, per-caller-class consent switches and their evaluation events, described in Section 4.5) are the product's exportable compliance trail, and they follow plan-tiered retention windows that are separate from the 180-day verification audit-log window above:
- Test Mode (development): 30 days
- Starter: 6 months
- Builder: 2 years
- Pro and Enterprise: 7 years
Before consent events reach the end of their retention window, we send advance expiry warning emails at 60, 30, and 7 days before the first events would expire. When a purge runs, we send a purge confirmation email, and we hold a recovery snapshot of the purged events for 30 days after the purge before final deletion.
To be clear about the distinction: verification / audit-log metadata (Section 4.4) keeps its existing retention window of up to 180 days, while consent Ledger events follow the plan-tiered windows listed above.
We may retain limited records longer where necessary to comply with legal obligations, resolve disputes, or enforce our agreements. These windows may be adjusted as the service evolves; the current values are reflected here.
11. Cookies and Similar Technologies
AgentAdmit may use cookies or similar technologies for:
- authentication
- session management
- security protections
- dashboard functionality
- reliability and performance
We do not use advertising cookies or cross-site behavioral tracking cookies as part of the core hosted-service model described in this policy.
If we later add optional analytics or similar technologies that require additional notice or consent, we will update this policy and our user experience accordingly.
12. Data Security
We use administrative, technical, and organizational measures designed to protect personal data and service data.
These measures may include:
- encryption in transit
- hashing of bearer credentials at rest (connection tokens and API keys are never stored in plaintext)
- access controls
- credential protection
- role-based access to production systems
- security logging and incident response practices
- regular maintenance and patching
No system is perfectly secure. If we experience a security incident requiring notice under applicable law, we will provide notice as required.
13. Your Rights
Depending on your jurisdiction, you may have rights such as:
- access to your personal data
- correction of inaccurate data
- deletion of personal data
- restriction of processing
- objection to certain processing
- data portability
- withdrawal of consent where processing depends on consent
- the right to complain to a regulator or supervisory authority
You may also be able to revoke agent access at any time through the product's connection and revocation mechanisms.
To exercise any of these rights, contact us at legal@agentadmit.com. We will respond within 30 days of a verifiable request. We may need to verify your identity before acting, and some rights may be limited where the data is pseudonymized and we cannot reasonably re-identify you, or where retention is required by law.
14. International Transfers
If you use AgentAdmit from outside the country where the service is operated, your data may be transferred to and processed in other jurisdictions, including the United States.
Where required for transfers of personal data out of the European Economic Area, the United Kingdom, or other regulated jurisdictions, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) and equivalent mechanisms, together with the contractual commitments of our infrastructure sub-processors (see Section 9).
15. Children's Privacy
AgentAdmit is not intended for children under the minimum age allowed by applicable law for use of the service without parental involvement.
If we learn that we have collected personal data from a child in violation of applicable law, we will take appropriate steps to delete it.
16. Changes to This Policy
We may update this Privacy Policy from time to time.
If we make material changes, we may provide notice through appropriate channels such as:
- dashboard notices
- updated effective dates
Your continued use of the service after an updated policy becomes effective may constitute acceptance to the extent permitted by law.
17. Contact Information
AgentAdmit LLC
- Legal: legal@agentadmit.com
- Support: support@agentadmit.com
- Web: https://agentadmit.com