Privacy Policy

Last updated: April 13, 2026

1. Introduction

AgentLedger ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and protect your information when you use our AI agent monitoring service ("the Service").

This policy applies to all users of the Service, including the web dashboard, API, and SDK.

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

  • Email address
  • Password (hashed, never stored in plain text) — if you sign up with email
  • Organization name
  • Authentication provider information (if using Google or GitHub OAuth), including your name and profile picture as provided by the OAuth provider

2.2 Agent Activity Data

When your AI agents use the Service via our API or SDK, we collect the data you send us:

  • Agent name and identifier
  • Service being called (e.g., "slack", "stripe")
  • Action performed (e.g., "send_message", "charge")
  • Action status (success, error, blocked)
  • Estimated cost
  • Duration
  • Custom metadata you choose to include

Important: You control what data your agents send to AgentLedger. We recommend not sending personal data (PII) in the metadata field unless necessary. We do not inspect, analyze, or use your agent activity data for any purpose other than providing the Service to you.

2.3 Usage Data

We automatically collect limited technical data when you use the Service:

  • IP address
  • Browser type and version
  • Pages visited, features used, and scroll depth
  • Referral source
  • Session duration and engagement time

We use Google Analytics 4 (GA4) to collect this usage data. GA4 may set cookies to distinguish unique users and sessions. See Section 9 for more details on cookies.

3. How We Use Your Data

We use your data for the following purposes:

  • Provide the Service: Display your agent activity, enforce budgets, send alerts
  • Account management: Authentication, authorization, billing
  • Improve the Service: Analyze aggregate usage patterns (not individual agent data)
  • Security: Detect and prevent fraud, abuse, or unauthorized access
  • Communications: Service-related announcements, security alerts

We do not sell your data to third parties. We do not use your agent activity data for advertising, profiling, or AI training.

Agent activity data (action names, agent names, cost, and status) may be included in notification payloads sent to third-party services you configure, such as Slack, Discord, PagerDuty, or custom webhooks.

4. Data Storage and Security

Your data is stored in Supabase (PostgreSQL) infrastructure. We implement the following security measures:

  • API keys are SHA-256 hashed before storage (we never store raw keys)
  • Passwords are hashed using bcrypt via Supabase Auth
  • All data transmission is encrypted via TLS/HTTPS
  • Row-Level Security (RLS) enforces organization-level data isolation
  • Webhook secrets are used for HMAC-SHA256 payload signing

While we take reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

5. Data Retention

We retain your data as follows:

  • Account data: Retained as long as your account is active
  • Agent activity data: Retained according to your plan's retention period (24 hours for free tier)
  • Webhook delivery logs: Retained for 30 days

When you delete your account, we will delete or anonymize your data within 30 days, except where retention is required by law.

6. Third-Party Services

We use the following third-party services to operate:

  • Supabase: Database hosting, authentication (data stored in their infrastructure)
  • Vercel: Application hosting and CDN
  • Google: OAuth authentication provider (if you choose Google login) and analytics via Google Analytics 4
  • GitHub: OAuth authentication provider (if you choose GitHub login)
  • Sentry: Error monitoring and performance tracking
  • Resend: Transactional email delivery (confirmation emails, invitations)

Each of these services has their own privacy policies. We encourage you to review them.

7. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights under GDPR:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate personal data
  • Erasure: Request deletion of your personal data ("right to be forgotten")
  • Restriction: Request restriction of processing of your personal data
  • Portability: Request transfer of your data in a machine-readable format
  • Objection: Object to processing of your personal data

To exercise any of these rights, contact us at privacy@agentledger.co. We will respond within 30 days.

Legal basis for processing: We process your data based on (a) contract performance (providing the Service), (b) legitimate interest (security, service improvement), and (c) consent (optional analytics).

8. Your Rights (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Request deletion of your personal information
  • Opt out of the sale of personal information (we do not sell your data)
  • Non-discrimination for exercising your privacy rights

9. Cookies

We use the following types of cookies:

  • Essential cookies: Authentication and session management. These are necessary for the Service to function and cannot be disabled.
  • Analytics cookies: Google Analytics 4 (GA4) sets cookies (e.g., _ga, _ga_*) to distinguish unique users and measure engagement. This data is used solely to understand how the Service is used and improve it. We do not use this data for advertising or profiling.

We do not use advertising, retargeting, or third-party tracking cookies.

10. International Data Transfers

Your data may be processed in countries outside your country of residence, including the United States (where our hosting providers operate). We ensure that appropriate safeguards are in place for any international data transfers in compliance with applicable data protection laws.

11. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service with a new "Last updated" date. For significant changes, we may also notify you by email.

13. Contact

For privacy-related inquiries or to exercise your data rights:

privacy@agentledger.co

AgentLedger
Dublin, Ireland