In plain English
Privacy Policy
Short version: we don't sell your data. We don't use your validations to train models. Email signups from your published landing pages belong to you. Anonymous visitors get a cookie so we can save their work, not to track them across the web.
- Anonymous cookie: When you first visit, we set a single cookie called rentanagent_anon with a random ID. It ties your validated ideas to you so they aren't lost. It does not track you across other sites.
- Validation data: Your validated business idea is stored so you can come back to it. We never train AI models on your ideas. We never sell or share them with anyone.
- Phone Call Agent recordings: When the agent makes a call on your behalf, the recording and transcript are stored in your account so you can listen later. We don't share these with anyone except you.
- Landing page signups: When someone signs up via your published landing page, the email lands in your account dashboard. We don't use those emails for our own marketing.
- Third-party data: Our agents use third-party AI providers (Claude, Gemini) to do their work. Your inputs are sent to those providers under their privacy terms. We don't add any identifying info beyond what the agent needs to do its job.
- Community marketplace agents: When you use an agent hosted by a third-party creator, we automatically mask your email, phone, and other personal data before forwarding your request. The creator never sees your real identity — only an anonymous session token. Creators must delete your data within 24 hours.
Last updated: April 21, 2026.
1. What We Collect
We collect the following information when you use rentanagent:
- Anonymous session ID: A randomly-generated UUID stored in a cookie called rentanagent_anon on first visit. Used to tie your work to a stable identity before you sign up. Cleared when you sign up (we migrate your work to your account).
- Validated ideas: The business idea text you submit to the Validation Agent + the resulting Launch Kit data + demand scores. Stored in our database, tied to your anonymous session or account.
- Phone Call Agent data: When you authorize a call, we store the target phone number, your task description, the digital authorization signature, and after the call: the recording, transcript, and outcome.
- Outreach data: Drafted emails, prospect lists, and (for Phase 2 auto-send mode) the recipients you choose to send to via your connected Gmail.
- Landing page signups: Email addresses submitted via the public signup form on your published landing page. These are visible only to you (the artifact owner) and stored in our database.
- Browser fingerprint: We generate a browser fingerprint hash (derived from your User-Agent and Accept-Language headers) to prevent rate-limit abuse. This fingerprint is stored alongside anonymous execution data for up to 30 days and is not used for cross-site tracking.
1a. What We Collect (Account Holders)
If you create an account, additionally:
- Account info: Email address, name, and password (hashed by Supabase Auth — we never see it in plaintext)
- Profile data: Username, bio, and any info you add to your profile
- Conversation data: Messages you send to AI agents, stored to provide chat history
- Payment data: Handled entirely by Stripe — we store only a Stripe customer ID and subscription ID, never card numbers
- Usage data: Pages visited, agents rented, messages sent (aggregate, for platform analytics)
- Creator API keys: If provided (OpenAI, Anthropic, Groq), stored encrypted at rest using AES-256-GCM application-level encryption
- Integration tokens: OAuth access tokens for Gmail, Slack, Notion, Discord, GitHub, HubSpot, Google Calendar, and other connected services — stored encrypted at rest using AES-256-GCM application-level encryption
- Agent memory: Preferences, writing voice, context, and interaction patterns learned from your agent usage — stored per-user per-agent, never shared with creators or other users
- Task outputs: Generated deliverables (reports, emails, content) stored in encrypted cloud storage, accessible only by you
- Webhook data: If you configure webhook outputs, data sent to your specified URLs leaves the Platform — we are not responsible for how external endpoints handle that data
2. How We Use Your Data
- To provide and improve the Platform
- To process payments and payouts
- To send transactional emails (account verification, password reset, rental confirmations)
- To enforce our Terms of Service
- To calculate and display usage quotas
We do not sell your personal data. We do not use your conversation history to train AI models.
3. Conversation Data
Messages you send to AI agents are stored in our database (Supabase) to provide conversation continuity. This data is associated with your user account and the specific agent. Creators cannot see individual user conversations. We retain conversation history for the duration of your account.
You can request deletion of your conversation history by contacting us. Deleting your account removes all associated conversation data.
Local/proxy agents: If you rent a Local Agent (one that runs on the Creator's own infrastructure), your messages are forwarded to that Creator's server. Rent an Agent does not control how those messages are processed or stored by the Creator. Review the agent's description before renting.
4. Third-Party Integrations (Gmail, Slack, Notion)
If you connect a third-party account, we store your OAuth access token encrypted at rest (AES-256-GCM). This token is used solely to execute actions you explicitly confirm — we do not access your accounts for any other purpose.
- Gmail: We may read recent inbox threads (to provide context to your agent) and send emails on your behalf only upon your explicit confirmation. We do not store email content beyond what is necessary to complete the action.
- Slack: We may post messages to channels you authorize, only upon your explicit confirmation.
- Notion: We may create or search pages in your workspace, only upon your explicit confirmation.
You can disconnect any integration at any time from your dashboard. Upon disconnection, your access token is permanently deleted from our database.
5. Creator API Keys
If you provide a third-party API key (OpenAI, Anthropic, Groq, etc.) as a Creator, it is encrypted at rest using AES-256-GCM application-level encryption before being stored. It is used solely to power your listed agents. We do not share it with third parties beyond the AI provider it belongs to. You can remove your API key at any time from the agent edit page.
6. Third-Party Services
We use the following third-party services that may process your data:
- Supabase — database and authentication hosting. Data stored in the US. Supabase provides disk-level encryption in addition to our application-level encryption for sensitive fields.
- Vercel — application hosting and CDN.
- Stripe — payment processing. Subject to Stripe's privacy policy.
- Google (Gemini) — AI inference for platform-hosted agents using the Gemini model. Prompts and responses are sent to Google's API. Subject to Google's API terms.
- Anthropic (Claude) — AI inference for platform-hosted agents using Claude models. Prompts and responses are sent to Anthropic's API. Subject to Anthropic's usage policy.
- Groq — AI inference for platform-hosted agents using open-source models (e.g., Llama 3). Prompts and responses are sent to Groq's API. Subject to Groq's terms of service.
- OpenRouter — AI inference routing. Subject to OpenRouter's terms.
- Resend — transactional email delivery.
- Sentry — error monitoring and performance tracking. No personal data is sent — only anonymized error reports.
- Langfuse — AI observability and tracing. Agent inputs, outputs, and performance metrics are sent for quality monitoring. Subject to Langfuse's privacy policy.
- Connected integrations — Gmail, Slack, Discord, Notion, HubSpot, GitHub, Google Calendar, Twitter/X, TikTok, Twilio, and other services you choose to connect. Each is only accessed when you explicitly authorize it. Subject to each provider's respective terms and privacy policies.
7. Data Retention
- Account data: retained until you delete your account
- Conversation history: retained until account deletion or explicit request
- Execution data (prompts/outputs): 90 days after account deletion
- Email send logs: 1 year
- Phone call transcripts: 30 days after completion (or as required by law)
- Anonymous session data: 30 days
- Integration tokens: deleted immediately upon disconnection; deleted upon account closure
- Payment records: 7 years (legal requirement)
- Deleted agent data: removed within 30 days of deletion
8. Your Rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data ("right to be forgotten")
- Export your data in a portable format
- Object to or restrict certain processing
- Withdraw consent at any time (including by disconnecting integrations)
To exercise these rights, email privacy@rentanagent.app. We will respond within 30 days.
9. Cookies
We use session cookies for authentication only. We use short-lived cookies during OAuth flows (CSRF protection), which are deleted immediately after authentication completes. We do not use tracking cookies or advertising pixels. Third-party services (Stripe, Google) may set their own cookies subject to their respective policies.
10. Children's Privacy
The Platform is not directed to children. United States users: consistent with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13. European Economic Area, United Kingdom, and Switzerland users: consistent with GDPR Article 8, we do not knowingly collect personal information from children under 16 (or the lower age of digital consent set by your member state, if applicable). The Phone Call Agent and all paid features additionally require users to be at least 18 years of age.
If you become aware that a child has provided us with personal information without verifiable parental consent, contact privacy@rentanagent.app. We will delete the data and any associated account immediately upon verification.
11. Security
We implement the following security practices:
- All connections encrypted via HTTPS/TLS
- Sensitive fields (API keys, OAuth tokens) encrypted at rest with AES-256-GCM application-level encryption before database storage
- OAuth state parameters use cryptographically random nonces to prevent CSRF attacks
- OAuth callbacks verify the authenticated session matches the expected user before writing any data
- All integration actions require an active rental — unauthenticated or unauthorized requests are rejected
- Passwords hashed by Supabase Auth (bcrypt)
No system is 100% secure. In the event of a breach affecting your personal data, we will notify you within 72 hours as required by applicable law.
12. Law Enforcement Requests
We may disclose your data in response to valid legal process (subpoenas, court orders, or government requests). Where permitted by law, we will notify you before disclosing your data. We will challenge overbroad or legally insufficient requests.
13. Data Processing Roles
For purposes of GDPR and similar data protection laws:
- You are the data controller of your personal data and any data you input into the Platform
- We are a data processor acting on your behalf to deliver the services you request
- Creators/hosts are sub-processors only when you interact with their hosted agents — they are bound by our Terms of Service to handle your data in compliance with applicable law
- AI providers (Google, Anthropic, Groq) are sub-processors that receive only the data necessary to generate your requested output
We process your data solely based on: (a) your consent (which you can withdraw at any time); (b) performance of the contract (these Terms); and (c) our legitimate interests in operating and improving the Platform, balanced against your rights.
14. International Data Transfers
Your data may be processed in the United States, where our infrastructure is hosted. By using the Platform, you consent to this transfer. We rely on Standard Contractual Clauses (SCCs) and adequacy decisions where required by applicable law for international transfers.
15. Creator and Host Data Isolation
Creators and hosted agent operators do not have access to:
- Your personal identity, email, or account information
- Your integration tokens or connected account data
- Your agent memory or conversation history
- Your real user ID or any identifier that persists across sessions
Proxy/hosted agent requests: When you use a creator-hosted agent, only the form inputs you explicitly submit for that specific request are forwarded to the creator's endpoint. Before forwarding, the Platform automatically masks detected personal data (email addresses, phone numbers, government IDs, payment card numbers) and replaces your identity with an anonymous, single-use session token. Creators cannot link your requests across sessions or to your account.
Creators see only anonymized aggregate metrics: total runs, average quality scores, and revenue earned. No personally identifiable information is shared.
15a. Marketplace Data Protection
The following protections apply to all creator-hosted agents on the marketplace:
- PII masking: Email addresses, phone numbers, social security numbers, and credit card numbers detected in user inputs are automatically redacted before being sent to any external agent endpoint.
- Anonymous sessions: Each request to a hosted agent uses a random, single-use session identifier. Creators cannot track individual users across multiple requests.
- Content scanning: All responses from hosted agents are scanned for policy violations (unauthorized medical, legal, or financial advice) before being delivered to you.
- Data retention: Creators who host external agents must delete all user input data within 24 hours of processing. Creators must accept our Data Processing Agreement before publishing.
- Audit rights: The Platform reserves the right to audit creator endpoints for compliance with these data protection requirements.
- Deletion requests: You may request deletion of your data from any creator agent by contacting us at privacy@rentanagent.app. We will relay the request to the creator and confirm deletion within 30 days.
16. Changes to This Policy
We may update this policy periodically. We will notify you of material changes via email with at least 14 days' notice. Continued use of the Platform after the effective date constitutes acceptance.
17. Exercising Your Rights
You can exercise your data rights at any time:
- Export your data: Account holders can download a complete JSON export of their data via the dashboard, or hit GET /api/account/export while signed in.
- Delete your account: Account holders can permanently delete their account and all associated data via the dashboard. This calls DELETE /api/account/delete and removes data within 24 hours.
- Other requests: For correction, restriction, objection, or any data request you cannot self-serve, email privacy@rentanagent.app. We respond within 30 days as required by GDPR Article 12 and CCPA.
18. Sub-processors
A complete, current list of every third-party provider that may process your data on our behalf is published at rentanagent.app/legal/sub-processors. Under GDPR Article 28(4), you can object to a new sub-processor by emailing privacy@rentanagent.app.
19. Contact
Privacy questions or requests: privacy@rentanagent.app
General support: support@rentanagent.app
DMCA / legal: legal@rentanagent.app · See also /dmca