Privacy statement

The controller of personal data is Agent Armory, registered at the Netherlands Chamber of Commerce (KVK) under KVK-nummer 42058037. Contact for privacy questions: [email protected].

Account data

When you register we store your email address and display name. Authentication is by short-lived one-time codes sent to your email. Lawful basis: performance of the service contract (Art. 6(1)(b) GDPR).

Subscription and billing data

For paid plans we keep a Stripe customer ID and the active subscription tier. Payment card data is processed directly by Stripe; we never receive or store card details. Lawful basis: performance of the service contract.

API keys and session tokens

API keys are stored as SHA-256 hashes, never in clear text. We retain a short key prefix so you can identify keys in the dashboard. Browser sessions use short-lived JWT access tokens plus rotating server-side refresh tokens. Lawful basis: performance of the service contract; the hashing is also a security measure under Art. 32 GDPR.

Usage telemetry

Each authenticated API or MCP call records the tool name, response status, a timestamp, and (when relevant) the affected skill ID. We do not store request bodies, IP addresses, or geolocation. Telemetry is used to enforce rate limits, debug errors, and improve the catalogue. Lawful basis: legitimate interest in operating a secure service (Art. 6(1)(f) GDPR).

Skill content and feedback

User-created skills, organisation skills, and execution feedback you submit are stored verbatim because the product's value depends on it. Do not paste secrets, personal data, or anything you would not want stored. Lawful basis: performance of the service contract.

Server logs

Application logs are written to standard output and retained for up to 14 days for incident response. They may contain HTTP method, request path, status code, and request duration.

We share personal data only with service providers acting on our behalf:

• Stripe Payments Europe, Ltd. — subscription billing and invoices. Stripe is a separate controller for payment data.
• Resend — transactional email delivery for the login-code flow.
• GitHub — when our catalogue refreshes the upstream of a linked skill we make outbound requests to github.com; no personal data is sent.
• Our hosting provider — operates the EU-region server that runs the database and application.

We do not sell personal data and we do not use it for advertising profiling.

Stripe and Resend may process data outside the European Economic Area. Where transfers occur we rely on the European Commission's Standard Contractual Clauses or the EU–US Data Privacy Framework as the legal basis under Chapter V GDPR.

• Account records: while the account is active, then deleted within 30 days of closure.
• Subscription history and invoices: 7 years, as required by Dutch tax law.
• API key hashes: until you revoke the key, then deleted.
• Usage telemetry: 90 days.
• Server logs: 14 days.
• Skill content and feedback: while the parent account or organisation exists.

You have the following rights under the GDPR:

• Access (Art. 15) — obtain a copy of the personal data we hold about you.
• Rectification (Art. 16) — correct inaccurate or incomplete data.
• Erasure (Art. 17) — have your data deleted subject to legal retention.
• Restriction of processing (Art. 18) and objection (Art. 21).
• Data portability (Art. 20) — receive your skill content in a machine-readable form.
• Withdraw consent (Art. 7(3)) at any time where processing is based on consent.

To exercise any right, email [email protected]. We respond within the statutory month and never charge for the first request.

You can lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl, or with the supervisory authority in your EU country of residence.

We use only strictly necessary client-side storage: a JSON Web Token in browser storage to keep you logged in across page loads, and a paired refresh token cookie. We do not use analytics, tracking, or advertising cookies, and therefore do not display a cookie banner.

The service runs in a private EU-region environment with TLS-terminated traffic, hashed API keys, scoped database credentials, and time-bound access tokens. We review our exposure surface regularly, but no system is perfectly secure — if you suspect a vulnerability, please report it to [email protected].

We may update this statement when our processing changes. The “Last updated” date at the top of the page reflects the most recent revision. Material changes will be announced by email to active account holders.