Privacy Policy

Last updated: 4 May 2026

This Privacy Policy explains how AgentGate ("we", "us", "our") collects, uses, stores, and protects personal data in connection with the website and the Service available at https://agentgate.eu.

AgentGate acts as a controller for personal data collected from website visitors, prospects, commercial contacts, and users of its own accounts. AgentGate acts as a processor for personal data submitted to the Service by customers when those customers use the Service for their own business purposes.

2. Who processes the data

AgentGate is the operator of the Service. As no incorporated company has yet been formed, the processing activities covered by this Privacy Policy are currently operated under the AgentGate name. For any privacy-related question, you can contact: privacy@agentgate.eu.

When customers use the Service to process data relating to their own users, employees, customers, suppliers, or beneficiaries, those customers determine the purposes of processing and act as controllers. In that context, AgentGate processes such data only on their behalf and in accordance with their instructions, as described in the applicable DPA.

3. Data we collect

3.1 Account data

We may collect the following categories of account-related data:

  • email address;
  • name or display name, where provided;
  • password in hashed or encrypted form;
  • encrypted 2FA secret;
  • recovery code hashes or fingerprints;
  • IP address and user-agent during sign-in;
  • authentication and account security logs.

3.2 Operational data submitted through the Service

When the Service is used by a customer, we may process on that customer's behalf:

  • payment intents;
  • amount, currency, beneficiary, category, memo or payment purpose;
  • agent or application identifier;
  • approval or rejection decisions;
  • audit events;
  • webhook delivery metadata;
  • more generally, any content submitted through the Service by the customer or its agents.

This data is processed on behalf of the customer, who acts as the controller.

3.3 Technical data and telemetry

We collect certain technical data required to operate and secure the Service, including:

  • API request server logs;
  • IP address;
  • requested path or endpoint;
  • response status code;
  • latency;
  • error and security logs;
  • minimal usage metrics.

We do not use advertising trackers or cross-site tracking cookies.

4. How we use personal data

We use personal data to:

  • provide, operate, administer, and secure the Service;
  • authenticate users and prevent fraud, abuse, or unauthorized access;
  • send transactional emails such as sign-in alerts, password reset emails, approval notifications, or service notices;
  • respond to support, demo, or contact requests;
  • comply with legal, regulatory, accounting, and contractual obligations;
  • maintain service reliability, traceability, auditability, and security;
  • improve the Service, its performance, and resilience, without using customer operational data to train models.

We do not sell personal data and we do not use operational data submitted by customers to train AI models.

5. Legal bases

Where AgentGate acts as a controller, the relevant legal bases are:

  • performance of a contract, to provide the Service, manage accounts, authenticate users, and deliver subscribed features;
  • legitimate interests, to secure the Service, prevent abuse, generate technical logs, improve product stability, and respond to B2B commercial requests;
  • legal obligation, to comply with tax, accounting, security, and legal retention requirements;
  • consent, where required, for example for non-essential cookies or optional communications.

Where AgentGate acts as a processor, the legal basis for the underlying processing is determined by the customer acting as controller.

6. Retention

We retain personal data for limited periods consistent with the purposes described above:

  • account data: for as long as the account exists, and up to 30 days after deletion unless longer retention is necessary for security, evidence, or legal compliance;
  • audit events: according to the retention period associated with the subscribed plan, for example 7 days, 12 months, or up to 10 years on certain enterprise plans;
  • server logs: 90 days;
  • backups: rolling 30-day window;
  • support or contact data: for as long as needed to handle the request, followed by limited archival where necessary to protect legal rights;
  • contractual and billing data: for the period required by applicable law.

Where AgentGate acts as a processor, retention also depends on customer instructions and the applicable DPA.

7. Sharing

We share personal data only with the following categories of recipients:

  • technical subprocessors and service providers, such as hosting, transactional email, monitoring, logging, and error tracking providers;
  • administrative, judicial, or regulatory authorities where disclosure is legally required;
  • a potential acquirer, investor, successor, or purchaser in the context of a restructuring, merger, acquisition, or asset transfer, subject to appropriate safeguards;
  • legal and professional advisers where necessary to protect our rights or comply with our obligations.

Processors and service providers acting on our behalf must provide sufficient security and confidentiality guarantees and must be bound by appropriate contractual commitments.

8. International transfers

Personal data is hosted within the European Economic Area where possible. If a subprocessor processes personal data outside the EEA, AgentGate implements an appropriate transfer mechanism, including Standard Contractual Clauses or another lawful safeguard recognized under GDPR.

9. Security

We implement appropriate technical and organizational measures to protect personal data, including:

  • encryption in transit;
  • encryption at rest where relevant;
  • role-based access controls;
  • audit logging;
  • least privilege practices;
  • periodic backups;
  • technical monitoring and incident prevention measures.

10. Cookies and similar technologies

AgentGate uses a limited number of strictly necessary cookies and similar technologies, for example to:

  • maintain an authenticated session;
  • protect against CSRF attacks;
  • manage essential technical settings.

We do not use advertising cookies or cross-site tracking technologies. If non-essential cookies are added in the future, they will be subject to specific notice and, where required, prior consent.

11. Data subject rights

Subject to applicable law, you may request:

  • access to your personal data;
  • correction of inaccurate data;
  • deletion of your data;
  • restriction of processing;
  • portability of your data;
  • objection to certain processing activities;
  • withdrawal of consent where processing is based on consent.

You can exercise these rights by contacting: privacy@agentgate.eu.

Where AgentGate acts as a processor on behalf of a customer, requests relating to operational data submitted by that customer should generally be directed to the relevant customer as controller. AgentGate may assist its customers as provided in the applicable DPA.

If you believe your rights have been violated, you may also lodge a complaint with the competent data protection authority, including the CNIL in France.

12. No sale and no model training

We do not sell personal data. We do not use operational data submitted by customers through the Service to train AI models. This distinction is particularly important for a B2B SaaS provider acting both as controller for its own business data and as processor for customer-submitted data.

13. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes to the Service, our practices, or legal requirements. If a material change is made, the updated version will be posted on this page and, where appropriate, customers will be notified by email.

14. Contact

For any question about this Privacy Policy or the processing of personal data, contact: privacy@agentgate.eu.

Questions? Contact us at legal@payment-guard.example