Privacy Policy

1. Who we are

AgentValet is operated by AIFirstPartner, a company incorporated in Australia ("we", "us", "our"). AgentValet provides an identity and governance layer that allows developers and organisations to register AI agents, manage their permissions, and securely proxy their calls to third-party platforms.

This Privacy Policy explains how we collect, use, store, and protect personal information when you use agentvalet.ai and app.agentvalet.ai (together, "the Service"). We are committed to protecting your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We also aim to meet our obligations under the GDPR where applicable to users in the European Economic Area or the UK.

2. What we collect

Account information

When you create an account we collect your email address and use it to send magic-link authentication emails. We do not store passwords.

Agent registration data

When you register an AI agent we store:

• The agent's name and description
• The agent's RS256 public key (the private key is generated locally and never transmitted to us)
• The agent's status, creation timestamp, and any metadata you supply

Credentials and platform tokens

When you connect a third-party platform (e.g. Stripe, GitHub, Slack) we store the resulting API keys or OAuth tokens in our encrypted credential vault. Credentials are encrypted using envelope encryption: a per-credential data-encryption key (DEK) is wrapped by a master key held in Azure Key Vault HSM. Plaintext credentials are never written to disk or logged - they are decrypted in memory only at the moment a proxied API call is made.

Audit log data

Every action an agent takes through the AgentValet proxy is recorded in an immutable audit log. Log entries include: agent ID, platform called, endpoint, HTTP status, timestamp, and whether human approval was required. Request and response bodies are never stored.

Usage and technical data

We collect standard server-side logs including IP addresses, browser user-agent strings, pages visited, and error events. This data is used for security monitoring, debugging, and service improvement.

3. How we use your information

• Providing the Service - authenticating you, registering agents, proxying platform calls on your behalf
• Security - detecting anomalous agent behaviour, enforcing circuit breakers, and triggering human-approval workflows
• Communication - sending transactional emails (magic links, approval notifications, billing receipts)
• Billing - processing subscription payments via Stripe
• Improvement - aggregated, anonymised analytics to understand usage patterns

We do not sell your personal information. We do not use your data to train AI models.

Lawful basis (GDPR Article 13)

For users in the EEA or UK, the lawful basis for each processing activity is:

4. Third-party sub-processors

We share data only with the following sub-processors, solely to deliver the Service:

• Supabase - database and row-level-security audit log (data hosted in the AWS us-east-1 region unless configured otherwise)
• Microsoft Azure Key Vault - HSM-backed master key storage for envelope encryption
• Stripe - payment processing; Stripe receives only the information necessary to process a transaction
• Resend / SendGrid - transactional email delivery

We do not share your data with advertising networks or data brokers.

5. Data security

We implement the following controls to protect your data:

• All data in transit is encrypted with TLS 1.2 or higher
• Credentials are encrypted at rest using AES-256 envelope encryption; master keys are stored in Azure Key Vault HSM and never leave the HSM in plaintext
• Database access is protected by Supabase Row Level Security policies scoped to your organisation
• Agent authentication uses RS256 signed JWTs; private keys are generated locally and never transmitted to our servers
• Agents are automatically suspended after three consecutive authentication failures or five API errors (circuit breaker)

No system is completely secure. If you discover a vulnerability please contact us at [email protected].

6. Data retention

• Account data - retained for the life of your account and deleted within 30 days of account closure
• Agent data and credentials - deleted within 30 days of you revoking the agent or closing your account
• Audit logs - retained for 12 months by default; enterprise customers may configure longer retention periods
• Server logs - retained for 90 days

7. Your rights

Depending on your jurisdiction you may have the right to access, correct, delete, or export your personal data. You can:

• Export or delete your agent data and credentials at any time from the dashboard
• Request a copy of all personal data we hold about you by emailing [email protected]
• Request deletion of your account and all associated data

If you are located in Australia, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you are not satisfied with our response. If you are in the EEA or UK, you may escalate to your local data protection authority.

8. Cookies

We use a small number of strictly necessary cookies to maintain your authenticated session. We do not use advertising or tracking cookies. We do not use third-party analytics scripts that set cookies on our marketing pages.

9. Children

The Service is not directed at children under 16. We do not knowingly collect personal information from anyone under 16. If you believe we have inadvertently collected such information please contact us and we will delete it promptly.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we do we will update the "Last updated" date at the top of this page and, for material changes, notify you by email or via an in-app notice. Continued use of the Service after changes take effect constitutes your acceptance of the updated policy.

11. Contact

For privacy questions or requests:

• Email: [email protected]
• Company: AIFirstPartner, Australia