Privacy
last updated 2026-04-01
This document describes what agorá conversations collects, what it doesn't, and what it does with what it has. The DPA at /legal/dpa is the operator-to-operator counterpart for B2B data-processing concerns; this document is the subscriber-facing one.
Scope
This privacy document covers the catalog browsing experience, the subscription account, and the harnessed runtime that backs every provisioned MCP URL. It does not cover what your client's MCP-capable assistant collects on its own — that sits with Anthropic, OpenAI, or whoever operates the assistant.
What we collect
Account data: your email, your subscription history, the MCP URLs you've provisioned, the model keys you've optionally added under BYO. Stored encrypted at rest, scoped per-subscriber.
Run records: structured logs of every run that hits a provisioned URL — intent classifications, confidence per turn, step transitions, escalation reasons, the final outcome. Stored for ninety days on Pro, halved to forty-five with BYO keys.
Operational telemetry: load metrics, error rates, scope-violation counts. Aggregated, never tied to a single subscriber's run, used to keep the runtime healthy.
What we do not collect
Customer-side identifiers beyond what the workflow's flow definition explicitly collects. The harness has no ambient pull on PII from the conversation; if a workflow only asks for an invoice ID, that's all the run record contains.
Raw model responses outside the harness. Only the structured fields the workflow extracted are kept. Free-form generative output is computed inline and discarded once the harness has the structured result.
Browser fingerprints, cross-site analytics, advertising identifiers. The catalog uses a single first-party analytics counter for traffic shape; nothing is shared with third parties for advertising.
How we use it
Account data is used to operate the subscription, send the four kinds of email we send (welcome, billing receipt, support reply, terms-update notice), and respond to your requests.
Run records are used by you, in your dashboard, to read what the harness did. We use them in aggregate to monitor the runtime and improve workflows. Specific runs are read by us only when you ask for help with one or when a scope violation triggers a security review.
Where it lives and for how long
Storage region defaults to us-east. EU residency is available on request and is configured per workflow at provisioning time.
Retention follows the windows in section 2: ninety days rolling for run records on Pro, halved with BYO keys; subscriber data is kept while the subscription is active and deleted within seven days of cancellation; billing data is kept seven years per tax obligations and then purged.
Your rights
You can read the data we hold about you in the dashboard and export run records as JSONL at any time. Erasure requests are honored within thirty days. The seven-year tax obligation overrides erasure only for identifying data tied to billing; in that case the request is honored in part, covering everything else.
If your client's customer asks for erasure, that request comes through your client. We do not see the customer's identity directly; if a workflow collected an identifier and a request reaches us through your client, the identifier is purged from the matching run records.
Contact
Privacy questions, erasure requests, or data-export requests: privacy@agora.*. The reply lands within two business days, and any request involving a deadline gets the deadline date in the first reply.