Skip to main content
Legal

Privacy Policy

Last updated: 2026-05-08

1. Who this applies to

This policy describes how AgentBundle (the “Service”, “we”, or “us”) collects, uses, and shares information about you when you use the AgentBundle website, dashboard, and APIs. AgentBundle is operated by AgentBundle LLC, a New Jersey limited liability company.

If you have questions about this policy, email hello@agentbundle.dev.

2. What we collect

We collect only what we need to operate the Service. Specifically:

Account information

  • Work email address, name, and password hash (bcrypt) when you sign up directly
  • OAuth identifiers from Google or GitHub if you sign in via OAuth (no passwords stored in that case)
  • Organization name and role (Owner, Admin, Member)

Agent definitions you create

  • Prompts, skills, MCP server connections, guardrails, tags, version metadata
  • The agent definition is the “customer content” — see our Terms for IP terms

Operational metadata

  • Audit events (every publish, install, edit, role change) with actor + timestamp + before/after diff
  • Billing records and Stripe customer/subscription identifiers (we do not store full card numbers — Stripe does)
  • Server logs (request paths, IP addresses, user-agent strings) for security and debugging, retained briefly

Communications you send us

3. What we do not collect

This is the part most relevant to AI-platform customers. Read it carefully — it is the deliberate design of the Service.

  • We do not store conversation transcripts from your AI runtimes (Claude Code, Cursor, GitHub Copilot, OpenCode, Gemini, Codex, Windsurf, etc.). When an agent you authored runs in one of those tools, the conversation flows directly between you and that runtime — AgentBundle is not in the data path.
  • We do not store agent inputs or outputs at runtime. AgentBundle stores the agent definition (the prompt template, configuration, attached skills/MCPs), not the live invocations of it.
  • We do not operate an LLM and do not run AI inference as part of the core platform.
  • We do not train any AI model on your data. Not your agent definitions, not your audit events, not your communications with us. We do not operate a model to train.
  • We do not collect customer data beyond what is listed in Section 2. No tracking pixels, no analytics fingerprinting, no third-party advertising cookies.

4. How AI is used in AgentBundle

The Service performs two automated checks on every agent publish:

  1. Secret scanning — pattern matching against known credential formats (API keys, tokens, certificates). This runs on our infrastructure and uses rules and regular expressions, not AI inference.
  2. Prompt-injection scanning — pattern matching against known jailbreak and override patterns. Same execution model — rules-based, no AI inference.

Neither scanner sends your data to a third-party AI provider. Both produce deterministic detections that block the publish if a match is found.

When agents you publish are executed at runtime, that happens inside the IDE or runtime you connect (Claude Code, Cursor, etc.). Those runtime invocations are between you and the AI provider operating that runtime (Anthropic, OpenAI, Google, etc.). AgentBundle does not see, intercept, or store the resulting traffic.

4.1 MCP servers and skills you configure

Your agents can connect to MCP (Model Context Protocol) servers and to “skills” you define — for example, GitHub, Linear, internal databases, or custom scripts. These connections are configured by you and run at the agent’s runtime, not on AgentBundle. When an agent calls one of these connections, the relevant data flows directly between the runtime and the service you configured; AgentBundle stores the connection’s metadata (URL, authentication scheme, allowed scopes) but does not see, route, or store the data those connections exchange at runtime. Your use of MCPs and skills is governed by the terms and privacy policies of the operators of those services. AgentBundle does not appoint them as sub-processors and is not responsible for what they do with the data you send them.

5. How we use information

We use the information we collect to:

  • Operate, maintain, and improve the Service
  • Authenticate you and enforce role-based access
  • Process payments and manage your subscription
  • Detect, investigate, and prevent abuse, fraud, and security incidents
  • Communicate with you about your account, security events, and changes to the Service
  • Comply with legal obligations

We do not sell personal information. We do not share personal information with third parties for their own marketing.

5.1 Email we send you

We send transactional email related to your account — sign-up confirmation, security alerts, billing receipts and notices, system status, and policy changes. These are part of the Service and cannot be unsubscribed from while your account is active. We may also occasionally send product update emails (new features, changes to plans). Product update emails always include an unsubscribe link, and unsubscribing affects only that category — transactional email continues. We do not send marketing email on behalf of third parties.

6. Sub-processors

We rely on the following sub-processors to operate the Service. Each processes only the data needed for its function. All are bound by data-processing terms that prohibit using your data for their own purposes.

Sub-processorPurposeData sharedRegion
Vercel Inc.Application hosting, edge networkAccount info, request logs, session cookiesUSA
Neon Inc.Managed PostgreSQL databaseAll customer-stored data (account, agent definitions, audit events)USA
Cloudflare Inc.DNS, CDN, R2 object storagePublic assets, package binaries, request IP addressesGlobal edge, USA primary
Stripe Inc.Subscription billingBilling contact, payment method tokens, transaction historyUSA
Resend Inc.Transactional emailEmail addresses, message contentUSA

We may use Anthropic PBC or OpenAI LLC APIs as sub-processors only for specific Service features that explicitly disclose AI usage. As of the date above, the core Service does not call either provider. If that changes, this list will be updated and material changes will be communicated to active customers.

This list is current as of the last updated date above. When we add or replace a sub-processor in a way that changes how customer data flows, we will update this page and provide reasonable advance notice — typically by email to active organization owners — before the change takes effect.

7. International transfers

The Service is operated from the United States. If you access it from outside the US, your data will be transferred to and stored in the US.

If your organization needs a Data Processing Addendum (DPA) — for example, to satisfy GDPR Article 28 obligations to your own users — email hello@agentbundle.dev. We will respond with the current state of our DPA tooling and what we can offer.

8. Data retention

  • Account and agent data — retained for the life of your account.
  • Audit events — retained for the life of the organization. We may publish a shorter retention window for lower-priced plans in the future; if we do, this section will be updated and active customers will be notified.
  • Billing records — retained as required by tax and accounting law (typically up to 7 years in the US).
  • Server logs — retained for a short period (typically up to 30 days) for security and debugging.
  • Email communications — retained for as long as needed to maintain the relationship.

When you delete your organization, we soft-delete it (hidden from the UI and queued for permanent removal). Owners can restore during the soft-delete window. After permanent removal, the data is unrecoverable from the operational database. Database backups containing the data may persist briefly per our database provider’s standard backup retention before they roll over.

9. Your rights

Depending on where you live, you may have rights under laws such as the EU/UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), or similar regimes:

  • Access — request a copy of the personal data we hold about you
  • Correction — ask us to fix inaccurate data
  • Deletion — ask us to delete your data, subject to legal retention obligations
  • Portability — receive your data in a structured, machine-readable format
  • Objection / restriction — object to certain processing or ask us to restrict it
  • Opt-out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising; this opt-out is therefore unnecessary but always honored if invoked

To exercise any of these rights, email hello@agentbundle.dev. We will verify your identity (typically by confirming control of the account email) before acting and will respond within the timeframe required by applicable law (generally 30 days, extendable once by 60 days for complex requests).

Where the right is to receive a copy or export of your data, we will provide it in the most usable format we can — currently, the existing in-product export and delete tooling, with anything not yet covered by tooling provided manually on request.

EU/UK users: you also have the right to lodge a complaint with your local data protection authority.

10. Children

The Service is not directed to children under 13, and we do not knowingly collect personal information from them. If we learn we have collected such information, we will delete it. EU/UK users: the Service is not directed to children under 16; the same deletion practice applies.

11. Security

We protect your data with:

  • TLS in transit (HTTPS enforced site-wide)
  • Encryption at rest provided by our managed database (Neon) and object storage (Cloudflare R2)
  • Server-side authorization on every request, with org-level isolation
  • Role-based access controls (Owner, Admin, Member)
  • Audit logging of every state-changing action
  • Built-in secret and prompt-injection scanners on every agent publish

A more detailed and current view of our security posture is at /security.

No service is perfectly secure. If you believe your account has been compromised or you have spotted a vulnerability, see /contact for disclosure paths.

12. Changes to this policy

We will update this policy as the Service and applicable law evolve. The “Last updated” date at the top of this page reflects the most recent revision. For material changes that affect existing customers’ rights, we will provide reasonable advance notice — typically by email to active organization owners — before the change takes effect.

If you continue to use the Service after a change takes effect, your continued use indicates acceptance of the revised policy. If you do not agree with a material change, you may close your account before the effective date.

13. Contact

Email hello@agentbundle.dev for any privacy question, request, or concern. We aim to reply promptly to routine requests; rights requests under applicable law are handled within the timelines that law requires (generally up to 30 days, extendable for complex requests as the law permits).

We are not required to appoint a Data Protection Officer (DPO) under applicable law. Privacy questions and rights requests are handled directly by the operator at the address above.

Copied to clipboard