Privacy Policy

This Privacy Policy describes how AgentBuild, Inc. (“AgentBuild,” “we,” “us”) collects, uses, shares, and protects personal data. It applies to:

• Visitors to agentbuild.it and our marketing pages
• AgentBuild customers (the humans who hold an account and connect AI agents)
• End users of customer-published websites (when those sites submit data to AgentBuild — e.g. contact-form submissions)

For end-user data submitted through customer sites, AgentBuild acts as a processor on behalf of the customer (the controller); the data processing terms in Section 10 of our Customer Terms of Service govern that processing.

1. Information we collect

1.1 Information you give us.

• Account data: email address, password (hashed), business name (optional), country
• Payment data: processed by our payment provider (Stripe). We store the last four digits of the card and the billing address; we do not store full card numbers
• Domain registrant data: when you register a domain, we collect your name, postal address, phone, and email — this data is required by ICANN and transmitted to the domain registrar (currently name.com)
• Customer Content: content you (or an AI agent you authorize) submits through the Service to publish on your sites
• Support communications: what you tell us when you contact support

1.2 Information collected automatically.

• API and platform logs: API requests, response codes, IP addresses, timestamps, user-agent strings — used for security, debugging, and abuse prevention
• Marketing-site analytics: PostHog in cookieless mode: aggregate pageviews and events tied to an in-memory identifier that resets on every page reload. No cookies. No session recording. No autocapture. No keystroke logging. No data shared with ad networks
• Authentication cookies: when you sign in, we set a small number of strictly necessary cookies (session, CSRF) — these are exempt from cookie consent under EU/UK ePrivacy rules

1.3 Information from end users of your sites. If a visitor to a site you publish through AgentBuild submits a contact form (or uses other interactive features you’ve enabled), we receive and store their submitted data on your behalf in your isolated per-site database. We process this data as your processor; you are the controller. End users with privacy questions about a customer site should contact the customer who operates that site.

1.4 First-party visitor analytics on customer-published sites. We collect aggregate, cookieless analytics on customer-published sites so the customer’s AI agent can answer “how is my site doing” questions. AgentBuild acts as the customer’s processor for this collection; the customer is the controller and is responsible for disclosing the use of analytics in their own privacy policy. The Service collects:

• Page path (sanitized — query strings beyond UTM keys are stripped, and segments that look like opaque tokens are redacted)
• Referrer hostname only (the full referrer URL, including referrer paths, is never stored)
• Country (Cloudflare edge geolocation, two-letter code)
• Device class (mobile / tablet / desktop)
• Browser bucket (Chrome / Safari / Firefox / Edge / Other)
• UTM parameters when present
• Timestamp

We do not collect or store: IP addresses, raw user-agent strings, full referrer URLs, query string parameters beyond the UTM keys, cookies, localStorage identifiers, browser fingerprints, or any cross-site identifier. There is no session recording, heatmap, scroll tracking (Wave 1), or click-path replay. Your IP address is used only for transient abuse-prevention rate limiting (60-second salted hashing) and is never stored or associated with your visit record.

Honoring opt-out signals. The visitor analytics beacon is not transmitted from browsers sending the Global Privacy Control (Sec-GPC) signal or with Do Not Track set to 1. Customers can also disable analytics for an entire page by setting window.__AGENTBUILD_DISABLE_ANALYTICS__ = true before page load.

2. Lawful basis for processing (EU/UK)

If GDPR or UK GDPR applies to you, we rely on the following lawful bases:

3. How we use information

• To operate, maintain, and improve the Service
• To register and manage domains on your behalf
• To send transactional email (account verification, receipts, renewal reminders, security notices)
• To prevent fraud and abuse, enforce our Terms, and respond to legal process
• To respond to support requests
• To send marketing email if and only if you opted in (you can unsubscribe at any time)

We do not use Customer Content to train AI or machine-learning models, and we do not provide Customer Content to third parties for that purpose.

4. How we share information

We share personal data only with the subprocessors listed at agentbuild.it/legal/subprocessors, each of whom processes data only as needed to provide their part of the Service and is bound by data-protection terms.

We may also disclose personal data if required by law, court order, or lawful government request; to enforce our Terms; or to protect AgentBuild, our customers, or the public from harm.

If AgentBuild is involved in a merger, acquisition, or sale of assets, personal data may be among the transferred assets; we will notify you and provide an opportunity to object where required by law.

We do not sell your personal data and we do not share it with third parties for their own marketing or advertising purposes.

5. Where data is stored and processed

AgentBuild’s primary database is hosted in Supabase us-east-2. Per-customer site databases (Cloudflare D1) and assets (Cloudflare R2) are distributed globally across Cloudflare’s edge for performance, with metadata residence in the United States. Personal data may be transferred to the United States and other countries.

Where required (transfers from the EEA, UK, or Switzerland), we rely on the Standard Contractual Clauses adopted by the European Commission, the UK International Data Transfer Addendum, and the Swiss equivalent. Each subprocessor’s agreement incorporates these clauses; AgentBuild is a downstream beneficiary.

6. How long we keep data

• Account data: while your account is open, plus 90 days after deletion (for fraud and dispute resolution); some records (billing, tax) up to 7 years as required by law
• API and platform logs: up to 90 days, then aggregated and de-identified
• Customer Content: while your account is open; 30 days after termination, then deleted
• Domain registrant data: because ICANN requires registrars to retain registrant data for at least 2 years after a domain expires or is transferred, your registrant contact information may persist at the registrar after you delete your AgentBuild account. We delete our internal copy on schedule, but we cannot accelerate the registrar’s retention obligation. This is a known tension between GDPR’s right to erasure and ICANN’s retention requirement; ICANN’s policy currently prevails for the data fields ICANN requires
• Marketing-site analytics: PostHog rolls events up into aggregates; raw events are deleted after 90 days
• Customer-site visitor analytics:raw events retained for 30 days then deleted; daily aggregates retained for up to 2 years (or until the customer’s account is terminated, whichever comes first)

7. Your rights

Depending on where you live, you may have the right to:

• Access the personal data we hold about you
• Rectify inaccurate data
• Erasedata (“right to be forgotten”) — subject to retention obligations described in Section 6
• Port your data to another service
• Object to processing based on legitimate interests
• Restrict processing while a dispute is resolved
• Withdraw consent (where consent is the lawful basis) — withdrawal does not affect prior processing
• Lodge a complaintwith your local data-protection authority (in the UK, the Information Commissioner’s Office at ico.org.uk; in the EU, your country’s supervisory authority)

To exercise these rights, email privacy@agentbuild.it. We will respond within 30 days. We do not charge for these requests except where they are manifestly unfounded or excessive (e.g. repetitive).

8. Security

We use appropriate technical and organizational measures to protect personal data, including:

• TLS encryption in transit; encryption at rest for our primary databases
• API keys stored as SHA-256 hashes; the plaintext key is shown once at creation and never persisted server-side
• Per-customer site isolation: every customer site has its own Cloudflare D1 database and R2 bucket — no shared database, no cross-tenant queries
• Row-level security policies on platform tables
• Access controls: AgentBuild personnel can access customer data only when needed for support, debugging, or security, and access is logged
• Subprocessor due diligence and contractual data-protection terms (DPAs and SCCs)
• Incident-response procedures with breach notification within 72 hours to affected customers and authorities where required

No system is perfectly secure; you should also protect your account by safeguarding your API keys and using a strong, unique password.

9. Children

AgentBuild is not directed to children. We do not knowingly collect personal data from anyone under 16 (in the EEA, UK, or Switzerland) or 13 (elsewhere). If you believe we have collected personal data from a child, contact privacy@agentbuild.it and we will delete it.

10. Changes to this policy

We may update this Privacy Policy. For material changes, we will notify active accounts at least 14 days before the change takes effect by email and by posting the updated policy with a new “Last updated” date.

11. Contacting us

Privacy questions, requests to exercise rights, or complaints:

AgentBuild, Inc. — Privacy
Email: privacy@agentbuild.it
Address: 600 N Broad Street, Suite 5 #3477, Middletown, Delaware 19709