Privacy Policy

Last updated: May 7, 2026

AgentNexus is building GDPR/CCPA readiness controls for controlled beta and early enterprise review. This policy is not a GDPR compliant, CCPA compliant, SOC 2, HIPAA, or ISO certification statement.

Privacy choices

Essential cookies are always on for authentication. Analytics stays off unless you allow it.

1. Controller and processor roles

For AgentNexus accounts, AgentNexus acts as the controller for account, billing, security, and product analytics data. For data that customers upload into agents, knowledge bases, conversations, and tool workflows, AgentNexus generally acts as a processor or service provider on behalf of that customer.

The GDPR lawful basis for account and billing processing is contract performance, legal obligation, legitimate interests for security and abuse prevention, and consent for optional analytics where required.

2. Data categories we process

  • Account data: email, name, OAuth profile metadata, organization membership, and session identifiers.
  • Product data: agents, prompts, model settings, widget configuration, knowledge metadata, files, and embeddings.
  • Conversation and tool data: dashboard chats, widget conversations, tool-call logs, triggers, and connection metadata.
  • Billing data: Stripe customer IDs, subscription status, invoices, credit grants, webhook audit rows, and fraud/dispute evidence.
  • Analytics data: PostHog product analytics only after opt-in and only when DNT/GPC does not block capture.

3. How we use data

  • Provide, secure, monitor, and improve AgentNexus.
  • Run agents, knowledge retrieval, conversations, and customer-selected tool integrations.
  • Process subscriptions, credit packs, invoices, refunds, disputes, and tax or accounting obligations.
  • Detect abuse, debug production issues, and maintain audit evidence without exposing raw secrets.

4. Cookies, analytics, DNT, and GPC

Essential cookies are required for authentication and session continuity. Optional analytics uses PostHog and is disabled by default until you select Allow analytics in Privacy choices. If you later withdraw consent, AgentNexus calls PostHog opt-out controls and clears local analytics state.

AgentNexus honors browser Do Not Track and Global Privacy Control signals for analytics capture. If DNT or Global Privacy Control is present, analytics remains disabled even if a prior local preference allowed it.

5. Third parties and subprocessors

Current subprocessors include Supabase for auth, database, storage, and vector search; Stripe for billing; Cloudflare for edge security and routing; Fly.io or Railway for managed runtime workloads when selected; OpenRouter and selected model providers for inference; GitHub for CI and repository operations. Enterprise DPA and subprocessor evidence is tracked separately in the internal vendor matrix.

Data may be transferred across borders where these providers operate. AgentNexus uses vendor contractual terms and security controls as readiness measures, but legal review is required before regulated enterprise commitments.

6. Retention and deletion

Product data is generally retained for the life of the account, agent, or knowledge source unless deletion is requested earlier. Knowledge source deletion removes Supabase Storage objects before deleting database rows. Account deletion requests are manually reviewed during beta to avoid accidental loss of billing or audit evidence.

Stripe, webhook, invoice, credit ledger, tax, dispute, and anti-fraud records may be retained under legal/accounting retention even after account deletion workflows remove customer content.

7. Your rights and DSAR endpoints

Depending on your location, you may request access, portability, correction, deletion, restriction, objection, or withdrawal of consent. Authenticated users can use /api/privacy/export for a JSON export package, /api/privacy/delete-request to submit a manually reviewed account deletion request, and /api/privacy/requests to view request status.

Exports include account, organization, agent, knowledge metadata, conversation, tool connection metadata, and credit/billing cache data. They do not include decrypted OAuth tokens, API keys, service-role keys, Stripe secrets, or OpenRouter keys.

8. CCPA notice at collection

AgentNexus collects identifiers, commercial information, internet or network activity, professional or account context, and customer-provided content to provide the service. AgentNexus does not sell or share personal information as those terms are used by CCPA/CPRA.

Do Not Sell or Share requests and Global Privacy Control signals are treated as opt-out signals for analytics and any future cross-context behavior. AgentNexus does not currently use sensitive personal information for purposes that require a Limit Sensitive Personal Information control beyond providing the service, security, billing, and legal obligations.

9. Security

AgentNexus uses Supabase Row Level Security, organization-scoped access checks, TLS, encrypted storage for sensitive tool credentials, and server-side secret handling. Production secret hardening requires ENCRYPTION_KEY to be configured; local fallback encryption is available only by explicit development opt-in.

10. Contact

For privacy questions or data requests, contact support@agtnx.ai.