Legal
Privacy Policy
Last updated: May 21, 2026
This Privacy Policy explains how AgentKey collects, uses, and protects information when you use our API routing services. It also describes your rights and how to exercise them.
01 Scope and definitions
This Policy applies to information processed by AgentKey when you use our website, console, CLI, REST API, or remote MCP endpoint (collectively, the "Service"). Capitalized terms not defined here have the meanings given in our Terms of Service.
- "Personal data" means any information relating to an identified or identifiable natural person.
- "Process" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- "Third-Party Provider" has the meaning given in the Terms of Service — independent API providers reachable through AgentKey's routing layer.
02 Information we collect
We collect only the information needed to operate and secure the Service. Specifically:
Account information. When you sign in, we collect your email address, profile image, and a unique identifier issued by our authentication provider. We do not store your password — authentication is handled by our identity provider (see §04).
API credentials. We store hashed representations of the API keys you create, along with the key name, prefix, and creation timestamp. The full key value is shown to you once at creation and is not retrievable thereafter.
Usage logs. For each API request routed through AgentKey, we record the timestamp, endpoint path, HTTP status, response latency, credit cost, and the API key that made the call. We do not log request bodies or response bodies in normal operation.
Billing data. If you purchase credits, our payment processor (see §04) handles card details. We receive only a customer reference, the amount paid, and the transaction status — never card numbers or CVCs.
Device and installation data. When you install our CLI or skill plugin, we may receive an anonymous installation identifier and basic telemetry (CLI version, install method) so we can deliver updates and measure adoption.
Communications. If you contact us by email or community channel, we retain the content of that exchange to respond to and resolve your inquiry.
03 How we use information
We use the information described above to:
- Authenticate you and authorize your access to the Service;
- Route your API requests to the appropriate Third-Party Provider and return responses;
- Meter and bill your usage of credits;
- Detect, prevent, and investigate abuse, fraud, and security incidents;
- Provide customer support and respond to your inquiries;
- Maintain, debug, and improve the Service;
- Comply with our legal obligations and enforce our Terms of Service.
We do not sell personal data. We do not use your personal data to train machine learning models.
04 Third-party processors
We rely on a small set of established processors to operate the Service. Each handles a narrow function, processes data on our behalf under a data processing agreement, and applies its own additional privacy controls:
- Authentication. Clerk (clerk.com) — sign-in, session management, and identity. We never see your password.
- Payments. Stripe (stripe.com) — payment processing for credit purchases. Card details go directly to Stripe; we receive only transaction metadata.
- Product analytics. PostHog (posthog.com) — pseudonymous event analytics so we can understand how the console is used and prioritize improvements. See §06.
- Hosting and infrastructure. Cloud infrastructure providers used to run our servers and store data.
We periodically review these processors for security and privacy posture. We will update this Policy if we add or replace a processor that meaningfully affects how your information is processed.
05 Third-party providers
AgentKey acts as a routing layer. When you call an endpoint backed by a Third-Party Provider, your request (and any data within it) is forwarded to that provider. The provider then returns a response, which we relay back to you.
Notice: Third-Party Providers operate under their own privacy policies and terms of service. AgentKey does not control how they collect, process, or retain data on their side. If your use case involves personal data, you should independently review the policies of any provider you call.
Where Third-Party Data retrieved through the Service contains personal data, you act as the data controller for that data under applicable law. AgentKey is not a controller in respect of personal data you obtain via Third-Party Providers.
06 Cookies and analytics
We use a small number of cookies and similar technologies, limited to:
- Strictly necessary cookies set by our authentication provider to keep you signed in.
- Pseudonymous analytics events sent to PostHog to measure feature usage and console performance. We do not use these for cross-site advertising.
You can clear cookies in your browser at any time; doing so will sign you out of the console. You may opt out of analytics events by enabling "Do Not Track" or by contacting us at the address in §12.
07 Data retention
We retain information only as long as needed for the purposes described in §03, or as required by law.
- Account data is retained while your account is active.
- API key hashes are retained until you revoke the key, plus a short window for audit.
- Usage logs are retained for operational and billing reconciliation purposes, typically up to twelve (12) months, then aggregated or deleted.
- Billing records are retained as required by applicable tax and accounting laws.
When you delete your account, we delete or anonymize personal data within a reasonable period, except where retention is required by law or necessary to resolve a dispute.
08 International transfers
AgentKey and its processors operate across multiple jurisdictions. When personal data is transferred outside your country of residence, we rely on appropriate legal mechanisms (such as Standard Contractual Clauses or equivalent safeguards) where required by applicable law.
09 Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you;
- Correct inaccurate or incomplete personal data;
- Delete your personal data, subject to legal retention obligations;
- Restrict or object to certain processing;
- Receive a copy of your data in a portable format;
- Withdraw consent where processing is based on consent;
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, contact us at the address in §12. We will respond within the timeframe required by applicable law.
10 Security
We apply administrative, technical, and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, and destruction. These include encryption in transit, hashed API credentials, principle-of-least-privilege access controls, and routine review of our processors.
NO METHOD OF TRANSMISSION OR STORAGE IS PERFECTLY SECURE. WHILE WE WORK TO PROTECT YOUR INFORMATION, WE CANNOT GUARANTEE ABSOLUTE SECURITY. IF YOU BELIEVE YOUR ACCOUNT HAS BEEN COMPROMISED, CONTACT US IMMEDIATELY.
11 Children
AgentKey is not directed to children under the age of 16 and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, please contact us so we can delete it.
12 Changes and contact
We may update this Policy from time to time. When we do, we will update the "Last updated" date above and, for material changes, provide additional notice through the Service or by email.
Questions about this Policy or requests to exercise your rights should be directed to:
AgentKey
For all inquiries: support@agentkey.app