Draft — legal review required. AgentPay is in test mode. These legal pages were drafted by the product team and have not been reviewed by an attorney licensed in your jurisdiction. They are published in good faith to describe how the product behaves today. A fully reviewed set will replace these before any live-mode operation.

Legal

Privacy Policy

Last updated: 2026-04-22

What we collect

The table below lists every kind of personal or sensitive data we store, why, and how long.

| Data | Why | Retention |
| --- | --- | --- |
| Email address | Account identity, magic-link sign-in, transactional notifications | Until you delete your account |
| KYB profile (legal name, DOB, address, phone) | Creating your Stripe Issuing cardholder (required by card network and issuing bank) | Retained as required by our card-issuing partner and applicable banking regulations (up to 7 years) |
| Saved payment method (Stripe token, last four digits, brand) | Placing auth-holds when you or your agent requests a card | Until you remove the payment method; full PAN and CVV are never stored by us — they live in Stripe's vault |
| API keys (hashed) | Authenticating API/MCP calls you make | Until you revoke the key; hash persists for audit purposes for up to 1 year after revocation |
| Card metadata (agent_id, purpose, amount, timestamps) | Audit trail, usage statistics, support | Retained with your account; scrubbed on account deletion except where required for regulatory reporting |
| Authorization events (amount, merchant name, decision) | Activity feed and reconciliation | Retained with your account; Stripe-side data may persist longer |
| Session cookies (httpOnly, SameSite=Lax) | Keeping you signed in | Up to 30 days, or until you sign out |
| Magic-link tokens (hashed) | Passwordless sign-in | Hard expires after 15 minutes; consumed single-use within a 2-minute prefetch-tolerance window |

What we don't collect or store

  • We do not store raw card numbers (PAN) or CVVs. Those are held by Stripe.
  • We do not collect browsing data outside our own properties.
  • We do not use tracking cookies or third-party advertising pixels. Sign-in is cookie-based; no marketing cookies are set.
  • We do not sell, rent, or trade your personal data to anyone.

Who we share with (“sub-processors”)

  • Stripe, Inc. — card issuance, payment method storage, auth-holds, webhooks. Stripe is the data controller for card-network data (PAN, CVV, authorization routing).
  • Celtic Bank — issuer of record for virtual cards; receives cardholder KYB data via Stripe Issuing.
  • Postmark — transactional email delivery (sign-in links, account notifications).
  • Our hosting and database provider — managed PostgreSQL in a US region. The provider does not access your data except for operational maintenance.

We do not add sub-processors without updating this page and, where your consent is required, obtaining it first.

How we secure your data

  • All traffic is encrypted via HTTPS.
  • API keys and magic-link tokens are stored as SHA-256 hashes, never in plaintext.
  • Session cookies are httpOnly and SameSite=Lax (Secure in production).
  • Stripe webhook events are verified via Stripe's signing secret and stored idempotently.
  • Database access is restricted to the application role with least privilege.

Our Security page has more detail.

Your rights

If you are in the European Union, United Kingdom, California, or another jurisdiction with data-protection laws, you have:

  • The right to access the personal data we have about you.
  • The right to correct inaccurate data.
  • The right to delete your data, subject to our legal retention obligations.
  • The right to port your data in a machine-readable format.
  • The right to object to certain processing.
  • The right to lodge a complaint with a supervisory authority.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

Children

AgentPay is not intended for anyone under 18. We do not knowingly collect data from children.

International data transfers

We process data in the United States. If you are outside the US, your data will be transferred to and stored in the US. We rely on Standard Contractual Clauses (SCCs) for transfers subject to GDPR.

Changes to this policy

Material changes to this policy will be announced by email at least 14 days before taking effect. Minor clarifications (typo fixes, reordering) will be reflected in the “Last updated” date above.

Contact

Privacy questions or data requests: [email protected].