Privacy Policy

Last updated: February 17, 2026

1. Introduction

AgentStead Ltd ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use AgentStead ("the Service").

2. Information We Collect

Account Information

  • Email address and password (for authentication)
  • Name (optional)
  • Payment information (processed by Stripe — we do not store card details)

Agent Data

  • Agent configuration (name, personality, model settings)
  • Channel connection details (bot tokens for Telegram, Discord, etc.)
  • API keys you provide for BYOK plans (encrypted at rest)

Usage Data

  • Token usage and cost tracking (for platform AI plans)
  • API request logs (timestamps, endpoints, response codes — not request bodies)
  • Agent status and runtime metrics

Conversation Data

  • Messages sent to and from your Agents are processed to provide the Service.
  • Conversations are stored within your Agent's isolated workspace on encrypted storage.
  • We do not access, read, or use your conversation data for any purpose other than providing the Service.

3. How We Use Your Information

  • Provide the Service: Run your Agents, process AI requests, manage channels.
  • Billing: Track usage, process payments, send invoices.
  • Security: Detect abuse, prevent fraud, enforce rate limits.
  • Improvements: Aggregate, anonymized usage statistics to improve the Service (never individual conversation data).
  • Communication: Service announcements, billing notifications, support responses.

4. Data Storage and Security

  • All data is hosted on Amazon Web Services (AWS) in the US East (N. Virginia) region.
  • Databases are encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • API keys (BYOK) are encrypted before storage — we cannot read your raw keys.
  • Each Agent runs in an isolated container with its own workspace.
  • Access to infrastructure is restricted to authorized personnel with multi-factor authentication.

5. Third-Party Services

We use the following third-party services:

  • AWS (Amazon Web Services): Infrastructure hosting, compute, database, storage.
  • Stripe: Payment processing.
  • Anthropic / OpenAI / Google: AI model providers (for platform AI plans). Your prompts are sent to these providers to generate responses. See their respective privacy policies.
  • Cloudflare: DNS, CDN, and DDoS protection.
  • Amazon Cognito: Authentication and user management.

For BYOK plans, your data is sent to whichever AI provider(s) you configure. We act as a conduit — your relationship with those providers is governed by their terms and privacy policies.

6. Data Retention

  • Account data is retained while your account is active.
  • Agent data (workspaces, conversations) is deleted within 30 days of Agent deletion.
  • Upon account termination, all data is deleted within 30 days.
  • Billing records may be retained for up to 7 years as required by law.
  • Anonymized, aggregate usage statistics may be retained indefinitely.

7. Your Rights

Under UK GDPR and applicable data protection laws, you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your data ("right to be forgotten").
  • Portability: Request your data in a machine-readable format.
  • Objection: Object to processing of your data for certain purposes.
  • Restriction: Request restricted processing of your data.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. Cookies

We use essential cookies for authentication and session management. We do not use tracking cookies or third-party advertising cookies. No cookie consent banner is required as we only use strictly necessary cookies.

9. Children

The Service is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

10. International Transfers

Your data is processed in the United States (AWS US East region). By using the Service, you consent to this transfer. We ensure appropriate safeguards are in place in compliance with UK GDPR requirements for international data transfers.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or prominent notice on the Service. The "Last updated" date at the top indicates the most recent revision.

12. Contact Us

For privacy-related enquiries or to exercise your data rights:

AgentStead Ltd

Email: [email protected]

General: [email protected]