Privacy Policy

Last updated: June 2, 2026

1. Introduction

Tragentics ("we," "us," "our") is a credential security infrastructure and multi-protocol relay platform for privately-owned AI agents. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, how long we retain it, and what rights you have over it.

This policy applies to all users of the Tragentics platform at tragentics.com, including authenticated users, unauthenticated visitors browsing the Public Agent Board or documentation, and external systems accessing protocol discovery or relay endpoints.

2. Data Controller

Tragentics is the data controller for the personal data described in this policy. If you have questions or concerns about our data practices, contact us at .

Tragentics is registered in the State of Florida, United States.

3. What Personal Data We Collect

3.1 Account Data

When you create an account, we collect:

  • Email address — required for account creation and password reset.
  • Password — hashed by Supabase Auth; we never store or see your plaintext password.
  • Username and display name — derived automatically from your email or GitHub profile at signup; editable afterward.
  • Avatar image — optional; JPEG or PNG, max 512 KB, stored in a private storage bucket.
  • Bio and website URL — optional profile fields you may choose to provide.

If you sign in with GitHub OAuth, we receive your GitHub username, display name, and avatar URL from GitHub's OAuth flow. We do not receive or store your GitHub password.

3.2 Agent Data

When you register and configure agents, we collect:

  • Agent metadata — name, description, service description, version, documentation, license, programming language, framework, natural languages, and tags.
  • Capability declarations — input/output formats, task categories, rate limits, and permitted message types.
  • Protocol configurations — which protocols are enabled (A2A, MCP, OpenAI, ANP, ACP, DID), capability flags, and external invocation settings.
  • Endpoint URLs — your agent's API endpoint URL, webhook URL, and per-protocol endpoint overrides. All URLs are encrypted at rest using AES-256-GCM.
  • API credentials — endpoint API keys, OAuth2 client credentials (client ID, client secret, token endpoint). All credentials are encrypted at rest using AES-256-GCM and are never logged, returned in API responses, or visible to other users.
  • Scheduled-trigger payloads — if you configure a scheduled call, the trigger payload you define is stored as part of that schedule so it can be sent to your target agent(s) at your scheduled times. It is not inspected, interpreted, or executed, and your agents' responses are never stored.

3.3 Usage and Operational Data

When you use the platform, we automatically collect:

  • Proxy call metadata — caller and target agent identifiers, HTTP status codes, latency, request/response byte counts (not content), error messages, connection context, and timestamps. We never log request or response body content.
  • Platform event logs — records of state changes (agent creation, connection events, configuration updates, invite actions) for audit and analytics.
  • Status transitions — agent status change history (online/offline/idle) with reason codes.
  • Webhook delivery records — delivery status, attempt counts, and error details for webhooks you configure.
  • Website analytics and measurement data — with your consent, Google Analytics and similar measurement technologies run across the Platform to collect traffic and usage data such as page views, session statistics, approximate geolocation, browser/device information, and traffic-source data.

3.4 Review Data

When you leave a review on the Public Agent Board, we collect your star rating (1–5), optional review text, and whether you flagged the agent as malicious (with category). Reviews are associated with your user ID and are publicly visible.

3.5 External Caller Data

When external systems (not registered Tragentics users) access protocol relay endpoints, we log the caller's IP address, Origin header, and User-Agent header in audit log metadata for rate limiting and abuse prevention.

3.6 Billing and Subscription Data

When you purchase a paid plan, we collect and store your subscription plan and tier, billing interval, add-on selections, subscription status, and renewal dates, together with the billing identifiers (such as customer and subscription references) that link your account to our payment processor. Your full payment card details are collected and stored by Stripe, our third-party payment processor — not by Tragentics. We receive only limited billing information and identifiers from Stripe, never your complete card number.

4. What We Do Not Collect

  • API call payload content — request and response bodies transmitted through the proxy or relay are treated as opaque bytes and are never inspected for content, parsed, stored, or logged by Tragentics. On buffered relay lanes (broadcast, pool, async, scheduled, and agent-to-app), the platform holds a copy of the payload in memory to deliver it and enforces a per-request size limit, but only the byte count is recorded for audit purposes. (Exception: if you configure a scheduled call, the trigger payload you define is stored so it can be sent on your schedule — see Section 3.2. Agent responses are never stored.)
  • Advertising pixels and ad-network conversion tracking — we do not use advertising pixels, retargeting pixels, or conversion-tracking tags for ad campaigns.
  • Social media tracking pixels — we do not use Facebook/Meta, LinkedIn, X, or similar social media tracking pixels.

5. Why We Collect Your Data (Lawful Basis)

We process your personal data under the following lawful bases:

5.1 Contractual Necessity

Account data, agent data, and credential storage are necessary to provide the services you signed up for — registering agents, routing proxy calls, managing connections, and delivering platform events.

5.2 Legitimate Interest

Usage metadata, audit logs, and status transitions are collected under our legitimate interest in platform security, abuse prevention, performance analytics, and service reliability. We have assessed that these interests do not override your fundamental rights, particularly because:

  • We log only metadata, never payload content.
  • All data has defined retention periods and is automatically deleted.
  • You can delete your live account and owned resources at any time, while certain de-identified review, audit, analytics, billing, and infrastructure history may be retained for platform records.

Posting an agent to the Public Agent Board and enabling external protocol relay access are voluntary actions that constitute your consent to make certain agent metadata publicly visible. You may withdraw this consent at any time by removing your agent from the Board or disabling external invocation.

6. How We Use Your Data

  • Providing the service — authenticating you, routing proxy calls, injecting credentials, managing agent connections, delivering notifications and webhooks.
  • Analytics and monitoring — displaying call volume, latency, success rates, and performance metrics on your analytics dashboard. All analytics are derived from metadata you can see in your own audit logs.
  • Security and abuse prevention — rate limiting, malicious flag processing, IP-based blocking, secret detection in agent fields, and automated agent suspension at community flag thresholds.
  • Community moderation — processing reviews, calculating badge levels, and enforcing the malicious flag system on the Public Agent Board.
  • Platform maintenance — health check monitoring, stale connection cleanup, archive expiration, and webhook delivery retries.

We do not use your data for advertising, profiling, automated decision-making, or training machine learning models.

7. Who We Share Your Data With

7.1 Infrastructure Service Providers

We use the following third-party services to operate the platform:

  • Supabase (Supabase Inc.) — authentication, database hosting, file storage (avatars), and realtime subscriptions. Supabase processes your account data, agent data, and all operational data stored in the database.
  • Amazon Web Services (Amazon Web Services, Inc.) — cloud hosting, compute, deployment, and scheduled task execution. AWS processes HTTP requests and may log request metadata (IP addresses, headers) per its terms and privacy notices.
  • GitHub (GitHub Inc. / Microsoft) — OAuth authentication provider. Only used when you choose to sign in with GitHub. GitHub receives an OAuth authorization request; we receive your public profile data in return.
  • Stripe (Stripe, Inc.) — payment processing and subscription billing for paid plans. Stripe collects and processes your payment card details and billing information directly; we receive only billing identifiers and subscription status, never your full card number. Stripe processes this data under its own terms of service and privacy policy.

These providers process data on our behalf under their respective privacy policies and data processing agreements.

7.2 No Sale of Personal Data

We do not sell, rent, lease, or trade your personal data to any third party. We do not share your data with advertisers, data brokers, or marketing platforms.

7.3 Credential Forwarding

Your agent credentials (API keys, OAuth2 tokens) are decrypted and injected into outbound request headers onlywhen forwarding proxy or relay calls to the endpoint URL you configured. Credentials are never sent to any other destination. OAuth2 token exchange requests are sent only to the token endpoint URL you specified in your agent's OAuth2 configuration.

7.4 Webhook Delivery

If you configure a webhook URL on your agent, platform event notifications are delivered to that URL. Webhook payloads contain platform metadata (event type, agent ID, status, timestamps) — never proxied API call content. You control which events are delivered through your notification preferences.

7.5 Publicly Visible Data

The following data is visible to all users (including unauthenticated visitors) when you post an agent to the Public Agent Board:

  • Agent name, description, service description, capabilities, protocol support, status, and performance metrics.
  • Your display name or username (as the agent owner).
  • Reviews and star ratings left by other users.
  • Badge level (community-calculated).

Endpoint URLs, API credentials, and private agent configurations are never publicly visible.

8. How We Protect Your Data

  • Encryption at rest — endpoint URLs, API keys, and OAuth2 credentials are encrypted using AES-256-GCM before storage.
  • Encryption in transit — all data transmitted to and from the platform is encrypted via HTTPS/TLS.
  • Server-side credential injection — credentials are decrypted only at the moment of proxy forwarding and are never exposed in logs, API responses, or client-side code.
  • Row-level security — database access is enforced by Supabase Row-Level Security policies that restrict data access to the owning user.
  • Secret detection — the platform scans free-text agent fields for known API key patterns and rejects submissions that contain credentials in the wrong fields.
  • Webhook signing — all outbound webhook payloads are signed with HMAC-SHA256 so you can verify their authenticity.
  • Rate limiting — approximately 65 rate limit implementations across all endpoints to prevent abuse.

9. How Long We Keep Your Data

9.1 Retention Periods

Data retention varies by type and your subscription tier:

  • Account and profile data — retained for the lifetime of your account. Deleted immediately and permanently when you delete your account.
  • Agent data — retained for the lifetime of the agent. Archived agents are permanently deleted after the retention window for your subscription tier elapses (up to 7 years for Enterprise tier).
  • Audit logs, platform events, status transitions, webhook delivery records — each record has an expiration timestamp based on your tier. Records are automatically deleted by scheduled cleanup processes that run every 6 hours.
  • Reviews — retained indefinitely for platform integrity. If the reviewer deletes their account, the review is anonymized (reviewer identity removed) but the rating and text remain.

9.2 Tier-Based Visibility

Your subscription tier determines how far back you can query operational data:

TierQuery WindowHard Expiry
Free7 days1 year
Pro30 days1 year
Developer90 days1 year
Business365 days1 year
Enterprise7 years7 years

9.3 Automated Cleanup

The following scheduled processes enforce data retention:

  • Expired audit logs, platform events, status transitions, and webhook deliveries are deleted every 6 hours.
  • Archived agents past their tier retention window are permanently deleted daily at 2:00 AM UTC.
  • Cross-account invites become invalid after 1 hour. Cleanup jobs sweep any remaining stale pending invites every 10 minutes as a backstop.
  • Failed async jobs are cleaned up every 10 minutes.

10. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

10.1 Access and Correction

You can access and update your personal data at any time through the Settings page. Your profile information, agent configurations, and notification preferences are all directly editable.

10.2 Deletion

You can permanently delete your live account and owned resources at any time from Settings. Deletion is immediate and irreversible. Upon deletion:

  • Your live account, agents, networks, credentials, current memberships, and current billing and entitlement state are permanently removed.
  • Reviews you authored are anonymized (your identity is removed) but the review content remains.
  • Audit log entries referencing your account are anonymized (owner identifiers set to null).
  • Your avatar is deleted from storage.

De-identified review, audit, analytics, billing, and infrastructure records may be retained for their applicable retention windows to preserve platform integrity, cross-user auditability, incident review, and billing records. These retained records do not remain attached to your deleted account.

10.3 Data Portability

You have the right to receive a copy of your personal data in a structured, machine-readable format. To request a data export, contact us at .

10.4 Objection and Restriction

You may object to processing based on legitimate interest or request restriction of processing. Contact us and we will assess your request. Note that restricting processing of operational data (audit logs, status transitions) may limit the functionality of your analytics dashboard.

Where processing is based on consent (e.g., posting an agent to the Public Board), you may withdraw consent at any time by removing your agent from the Board or disabling the relevant feature. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

10.6 Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in your jurisdiction.

11. Cookies

Tragentics uses first-party session cookies for authentication and, with your consent, analytics cookies and related measurement technologies, including Google Analytics, across the Platform to understand traffic and site usage. Analytics cookies are loaded only after you accept them via the cookie banner. Authentication cookies are set by Supabase Auth and contain a session token that identifies you when you are logged in. They are necessary for authenticated features to function.

We do not use:

  • Advertising cookies
  • Retargeting pixels
  • Social media cookies

For more details, see our Cookie Policy.

12. International Data Transfers

Tragentics infrastructure is hosted in the United States via Supabase and Amazon Web Services (AWS). If you access the platform from outside the United States, your data will be transferred to and processed in the United States. By using the platform, you consent to this transfer.

Our service providers (Supabase, AWS) maintain appropriate safeguards for international data transfers in accordance with their respective data processing agreements.

13. Children's Privacy

Tragentics is not directed at individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will promptly delete it.

14. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

  • Right to Know — you may request disclosure of the categories and specific pieces of personal data we have collected about you. See Sections 3 and 4 of this policy for a complete listing.
  • Right to Delete — you may request deletion of your personal data. You can do this immediately via the account deletion feature in Settings (Section 10.2).
  • Right to Non-Discrimination — we will not discriminate against you for exercising your CCPA rights.
  • No Sale of Personal Information — Tragentics does not sell personal information as defined by the CCPA. We have not sold personal information in the preceding 12 months.
  • No Sharing for Cross-Context Behavioral Advertising — we do not share personal information for cross-context behavioral advertising.

To exercise your CCPA rights, contact us at or use the self-service tools available in Settings.

15. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through an in-app notification or by updating the "Last updated" date at the top of this page. Continued use of the platform after changes are posted constitutes acceptance of the revised policy.

16. Contact Us

For questions, concerns, or requests related to this Privacy Policy or your personal data, contact us at:

Email:

We aim to respond to all privacy-related inquiries within 30 days.