Privacy Policy

Effective Date: March 21, 2026 · Last Updated: March 21, 2026

This Privacy Policy describes how Agent21 LLC ("Agent21," "we," "us," or "our") collects, uses, and protects your information when you use Agent21.ai (the "Platform"). By using the Platform, you consent to the practices described in this policy.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Full name and email address.
  • Password (stored as a SHA-256 hash; we never store plaintext passwords).
  • Account role and subscription plan.

1.2 Company Data

When you create or manage companies on the Platform, we collect:

  • Company name, slug, and description.
  • Company context documents (CLAUDE.md content you provide).
  • Annual goals, quarterly OKRs, and task configurations.
  • Team member information (name, email, role).

1.3 Agent Configurations

We store your agent setup data, including:

  • Agent names, personas, and custom instructions.
  • Agent schedules and run configurations.
  • MCP server integration settings and API key references (keys are stored encrypted).

1.4 Usage and Interaction Data

  • Chat history between you and AI agents.
  • Agent run logs, reports, and generated outputs.
  • Agent inbox messages (reports, approvals, human tasks).
  • Command history and agent interaction logs.

1.5 Technical Data

  • IP address, browser type, device information, and operating system.
  • Pages visited, features used, and session duration.
  • Error logs and performance data.

2. How AI Agents Process Your Data

2.1 Platform API Key (Trial and Pro Plans)

When you use the Platform's default API key, your prompts, company context, agent personas, and chat messages are sent to the Anthropic Claude API for processing. This data is subject to Anthropic's Privacy Policy and data handling practices. Anthropic does not use API inputs or outputs to train their models.

2.2 Enterprise Customers (Bring Your Own API Key)

Enterprise customers who provide their own Anthropic Claude API key should be aware that all AI processing requests are routed directly through their own Anthropic account. Data handling is governed by the enterprise customer's own agreement with Anthropic. Agent21 does not retain copies of API responses when a custom key is used.

2.3 What We Send to AI Models

To generate agent outputs, we send the following to the Anthropic Claude API:

  • Agent persona and instructions.
  • Company context document (CLAUDE.md).
  • Relevant conversation history.
  • Your commands or prompts.

We do not send your password, payment information, or other users' data to AI models.

3. Third-Party Integrations

When you connect third-party services through MCP server integrations or API keys (e.g., Jira, GitHub, Slack, HubSpot, Stripe), data may flow between Agent21 and those services. Specifically:

  • Agent21 transmits data to third-party services only as required to fulfill your configured integrations.
  • We do not control and are not responsible for the data practices of third-party services.
  • You should review the privacy policies of any third-party services you connect.
  • API keys for third-party services are stored encrypted and are never exposed in the user interface after initial entry.

4. Data Storage and Infrastructure

  • Database: All data is stored in Supabase Postgres with encryption at rest. Supabase infrastructure is hosted in the United States.
  • Hosting: The Platform is hosted on Vercel, with edge functions and servers located in the United States.
  • Multi-tenancy: All data is scoped to your company via Row Level Security (RLS) policies, ensuring strict isolation between companies.
  • Backups: Database backups are maintained by Supabase according to their infrastructure policies.

5. Data Retention

  • Active accounts: Your Data is retained for the duration of your active account.
  • Deleted accounts: Upon account deletion, Your Data is retained for 30 days to allow for recovery or data export, after which it is permanently purged from all systems.
  • Agent run logs: Retained for the lifetime of your account. You may request deletion at any time.
  • Technical logs: Server and error logs are retained for up to 90 days for debugging and security purposes.

6. Cookies and Local Storage

6.1 Cookies

  • sf_token (httpOnly, secure): Authentication session cookie. Essential for Platform functionality. Cannot be accessed by client-side JavaScript.

6.2 Local Storage

  • User preferences: Theme settings, active company selection, and UI state are stored in your browser's localStorage for convenience. This data never leaves your device.

We do not use advertising cookies or third-party tracking cookies.

7. Analytics

We use Vercel Analytics to understand how the Platform is used and to improve performance. Vercel Analytics collects:

  • Page views and navigation patterns.
  • Web Vitals performance metrics (LCP, FID, CLS).
  • Country-level geolocation (not precise location).

Vercel Analytics is privacy-focused and does not use cookies or collect personally identifiable information. For details, see Vercel's Analytics Privacy Policy.

8. Data Sharing

We do not sell, rent, or trade your personal information. We share data only with the following categories of service providers, solely to operate the Platform:

  • Anthropic: AI processing (prompts and context sent to Claude API).
  • Supabase: Database storage and authentication infrastructure.
  • Vercel: Application hosting, serverless functions, and analytics.

We may also disclose information if required by law, court order, or governmental authority, or to protect the rights, safety, or property of Agent21, our users, or the public.

9. Your Rights

Regardless of where you are located, you have the following rights regarding your data:

  • Access: Request a copy of all data we hold about you.
  • Export: Download your company data, agent configurations, and chat history in a machine-readable format.
  • Correction: Request correction of inaccurate personal information.
  • Deletion: Request deletion of your account and all associated data.

To exercise any of these rights, email us at legal@agent21.ai. We will respond within 30 days.

10. GDPR (European Union Users)

If you are located in the European Economic Area (EEA) or the United Kingdom:

  • Your data is processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for international data transfers.
  • Our legal bases for processing include: performance of a contract (providing the Platform), legitimate interests (improving our services, security), and consent (where applicable).
  • You have the right to lodge a complaint with your local data protection authority.
  • You may request data portability, restriction of processing, or object to processing by contacting legal@agent21.ai.

11. CCPA (California Users)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

  • Right to Know: You can request the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You can request deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out: We do not sell personal information. However, you may opt out of any future sale by contacting us.
  • Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To make a CCPA request, email legal@agent21.ai with the subject line "CCPA Request."

12. Children's Privacy

Agent21 is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected data from a person under 18, we will promptly delete that information. If you believe a minor has provided us with personal information, please contact us at legal@agent21.ai.

13. Security

We implement industry-standard security measures to protect your data, including:

  • Password hashing: All passwords are hashed using SHA-256 before storage. We never store plaintext passwords.
  • httpOnly cookies: Authentication tokens are stored in httpOnly cookies that cannot be accessed by client-side JavaScript, mitigating XSS attacks.
  • Row Level Security (RLS): Every database table is protected by RLS policies scoped to company_id, ensuring data isolation between tenants.
  • Encryption at rest: All data stored in Supabase is encrypted at rest.
  • HTTPS: All data in transit is encrypted via TLS/HTTPS.
  • API key encryption: Third-party API keys and enterprise Claude keys are stored encrypted.

While we take reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days before they take effect by email or through the Platform. The "Last Updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Platform after the updated policy takes effect constitutes your acceptance of the changes.

15. Contact

For questions or concerns about this Privacy Policy or our data practices, contact us at:

Agent21 LLC
Email: legal@agent21.ai
Jurisdiction: State of Florida, USA