Privacy policy
What we collect, what we don’t.
Plain English. No dark patterns. Last updated May 6, 2026.
The short version
- We collect what we need to run the platform — emails, agency configs, AI usage logs, payment records.
- We don’t sell your data, and we don’t train AI models on it.
- Your AI conversations and brand kits are tenant-isolated; another agency can’t see your data.
- You can export everything you’ve put in, or delete your account, any time.
- End clients reviewing deliverables don’t need an account — only the magic-link token.
1. Who we are
OpenAgentcy is owned and operated by Simple Software LLC, a Colorado limited liability company ("OpenAgentcy," "we," "our"). The service is reachable at openagentcy.com and on agency subdomains in the form {slug}.openagentcy.com. Contact us at hello@openagentcy.com.
2. What we collect
We collect three categories of data:
Account data
- Your email address (for sign-in via magic link)
- Agency name and slug
- Agency type (agency vs. business)
- Plan tier and billing customer ID (we store the Stripe customer ID, not your card)
- Workspace and brand-kit configurations you create
- Knowledge documents you upload (treated as confidential and tenant-scoped)
Usage data
- AI agent calls — input tokens, output tokens, model used, latency, raw cost
- Routing decisions — which specialist agent handled which message
- Critic verdicts — pass/fail, recommendation, flags raised
- Deliverables saved and client-decision events (approved / rejected / commented)
- Server-side error and performance traces (Sentry)
Inferred data
- Markup tier (calculated from your rolling-30d billed usage)
- Workspace presets you save (snapshots of your agent + brand + knowledge configurations)
3. What we don’t collect
- We do not collect or store payment card details — Stripe handles that directly.
- We do not run third-party analytics that fingerprint visitors. Vercel Speed Insights and Analytics measure aggregate page performance only.
- We do not sell, rent, or share customer data with marketing partners.
- We do not train AI models on your conversations, brand kits, or knowledge documents.
4. How AI usage works
When you talk to an agent, the request is routed through OpenRouter to a frontier model (Claude, GPT, Gemini, etc., chosen per task). Conversation content is processed by these providers under their respective no-training terms. We do not retain copies of conversations beyond your workspace — deleting a workspace removes all messages, deliverables, and usage events tied to it.
When agents take actions on your connected tools (Gmail, Slack, HubSpot, and others) we send only the parameters needed for that specific call to Composio, our tool-execution provider. Composio brokers the call to the third party using OAuth tokens you authorized; we never see those tokens.
On the White-label tier, every client-facing surface (subdomain pages, deliverable review portal, transactional emails) renders with the agency’s logo, wordmark, colors, support email, and copy in place of OpenAgentcy’s. Inference still routes through our gateway under the same data terms.
5. End-client data
End clients (your clients, who review deliverables you ship them) interact with OpenAgentcy through magic-link review URLs. We collect:
- Their decision (approved / rejected / changes requested)
- Optional comment they leave
- Timestamp + IP address (for audit trail; never displayed publicly)
Review tokens expire 24 hours after creation and are single-use after a decision is recorded. End clients are not asked to create accounts.
6. How we share data
We share data only with our infrastructure providers, all under their respective DPAs:
- Supabase — Postgres database + Auth (US-East-1)
- Vercel — application hosting, edge network, CDN
- OpenRouter — AI model inference broker (Anthropic, OpenAI, Google, and others)
- Composio — tool-execution broker for connected third-party apps (Gmail, Slack, etc.)
- Stripe — billing and payment processing
- Resend — transactional email delivery
- Cloudflare — DNS (and on the White-label tier, custom-domain SSL termination, when enabled in V2)
- Sentry — server-side error monitoring
We do not share data with advertising networks, analytics resellers, or any third party for purposes beyond running the platform.
7. Your rights
You can email hello@openagentcy.com to:
- Access — request a copy of all data we hold about your agency
- Export — receive a structured export of workspaces, brand kits, knowledge docs
- Correction — fix inaccurate information
- Deletion — close your account and remove your data (subject to legal retention obligations for billing records)
- Restriction — pause processing while we resolve a dispute
- Portability — receive your data in a machine-readable format
- Object — opt out of any non-essential processing
We respond to requests within 30 days. Residents of the EU/EEA, UK, and California have additional rights under GDPR/CCPA — contact us and we’ll honor them.
8. Data retention
- Active workspaces and their content: kept for the lifetime of your subscription.
- Cancelled accounts: workspaces stay accessible read-only for 30 days, then archive (data retained but not served). Permanent deletion on request.
- Billing records: retained for 7 years to satisfy tax/audit requirements (legal obligation).
- Server logs: 30 days.
- Sentry error traces: 90 days.
9. Security
- All traffic is HTTPS with HSTS preload.
- Database access uses row-level security keyed to your agency ID — another tenant cannot read your data even with leaked credentials.
- API routes require authentication; cron endpoints require a shared secret.
- Stripe webhooks verify HMAC signatures.
- We do not store secrets in source code; environment variables are encrypted at rest.
We aim for SOC 2 Type II in Q3 2026. No security control is perfect — if you discover a vulnerability, please report it to hello@openagentcy.com.
10. Children
OpenAgentcy is not intended for use by anyone under 16. We do not knowingly collect data from minors. If you believe we have, contact us and we’ll delete it.
11. Cookies
We use essential cookies for authentication (Supabase Auth session). We do not use marketing or third-party tracking cookies. Vercel Analytics uses first-party cookies for aggregate page-load measurement only.
12. Cross-border transfers
Our infrastructure runs primarily in the United States (Supabase US-East-1, Vercel US edge nodes). If you access OpenAgentcy from outside the US, your data is transferred to the US for processing. We rely on Standard Contractual Clauses with our subprocessors where required.
13. Changes
When we change this policy, we update the date at the top and send an email notification to active agency owners for material changes (data we collect, who we share with, retention periods). Routine clarifications don’t trigger an email but always get a date bump.
14. Contact
Email hello@openagentcy.com.