🔒 Privacy Policy
Last updated: June 2026
Google API Services — Limited Use Disclosure
AgenticFactor's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Information received from Google APIs is used exclusively to fulfil the specific agent task that the user explicitly configured and initiated within their account. This data is accessed on-demand within an isolated, sandboxed execution environment and is not stored beyond what is needed to complete that task, unless the user explicitly saves an output to their account.
AI Training — Strict Prohibition
We never use your data to train, fine-tune, or develop AI models.Data fetched from Google (Gmail, Drive, Calendar, Sheets), Meta (Facebook, Instagram), LinkedIn, Twitter/X, Slack, or any other connected third-party service is used solely as execution context within the user's tenant-isolated sandboxed agents at the time of task execution. This data is never retained for, or transferred to, any AI model training pipeline — including Anthropic Claude, OpenAI, or Google Gemini. Third-party LLM providers receive only the minimum prompt context required to generate code or reasoning for the specific agent step; they do not receive raw personal data from your connected accounts unless you explicitly include it in your mission description.
1. Who We Are
Agentic Factor (“AgenticFactor”, “we”, “us”, “our”) is a SaaS platform that enables businesses and individuals to build and run autonomous AI agent teams. Our registered business address is:
Agentic FactorThrissur, Kerala, India — 680 001
Email: hello@agenticfactor.io
2. Information We Collect
Account Data: Email address, name, and profile picture collected when you sign up via Google or Zoho OAuth.
Mission Data: Mission descriptions, agent configurations, uploaded files (PDF, DOCX, TXT), discovery question responses, and agent-generated outputs that you explicitly save.
Credential Data: OAuth access tokens and refresh tokens for third-party services you connect (e.g., Google, Slack, LinkedIn), and API keys you supply for services such as Stripe or SendGrid. All tokens and keys are encrypted at rest using AES-256-GCM with per-tenant derived keys and are never logged or transmitted in plaintext.
Usage Data: Credit consumption, API call counts, agent execution logs (stdout/stderr from sandboxed environments), and session information.
Payment Data: Subscription plan and payment status. Payment card details are processed exclusively by Razorpay under their PCI-DSS compliance and are never stored on our servers.
Third-Party API Data (Limited Use): When your agents execute tasks, they may transiently access data from your connected accounts (e.g., email threads from Gmail, calendar events, LinkedIn profile information). This data is processed only within isolated E2B sandboxes during the task run and is not retained after the task completes unless you explicitly save the agent's output.
3. How We Use Your Data
We use your data strictly to:
- Provide, operate, and improve the Platform and its features
- Execute the specific autonomous agent missions you configure and initiate
- Process payments and manage your subscription and credit balance
- Send transactional emails (mission notifications, OTP, billing receipts)
- Detect, investigate, and prevent abuse, fraud, or security incidents
- Generate anonymised, aggregated analytics to improve service reliability
- Respond to your support requests and legal obligations
We do not use your data for: advertising, selling data to third parties, behavioural profiling, or AI/ML model training of any kind.
4. Specific Use of Third-Party API Data
For each connected integration, data accessed via their APIs is used only for the purpose described:
- Google (Gmail, Drive, Calendar, Sheets): Read/write emails, files, events, or spreadsheet data as explicitly instructed by the user's configured agent task. Access is scoped to the minimum permissions required for the specific task.
- Meta — Facebook & Instagram: Post content to Pages or Business accounts, and read basic page metrics, as directed by the user's mission. We do not access personal Facebook profiles beyond what the Page management permission provides.
- LinkedIn: Read the authenticated user's profile (name, sub/URN) and post content to their feed or company page as instructed by the user's mission. We do not access connection lists, messages, or analytics beyond what is required for the task.
- Twitter / X: Post tweets or read recent tweets as instructed by the user's mission. We access only the scopes granted during OAuth authorisation.
- Slack: Send messages to channels or read channel history as directed by the user's mission. We access only the channels and scopes the user explicitly authorises.
- GitHub: Create issues, read repositories, or interact with the GitHub API as directed by the user's mission.
- Notion: Create or read pages and databases as directed by the user's mission.
- Zoho: Used for account authentication and OAuth login.
- Discord: Send messages to servers as directed by the user's mission.
- Stripe: Payment processing for Platform subscriptions; Stripe handles all card data directly.
- Razorpay: Payment processing for Indian customers; Razorpay handles all card data directly.
- SendGrid: Delivery of transactional emails (mission notifications, OTP) on behalf of the Platform. No user personal data is shared with SendGrid beyond the recipient email address and message content.
- Twilio: SMS or voice notification delivery if configured by the user's mission.
- Apollo.io: Lead enrichment and contact lookup if used within a user's mission. Data accessed is limited to publicly available business contact information.
- Hunter.io: Email address lookup and verification if used within a user's mission.
- OpenAI / Anthropic Claude / Google Gemini: LLM API calls for code generation and reasoning within agent steps. Only the minimum prompt context needed for the specific task is sent. No raw personal data from connected accounts is sent to LLM providers.
- E2B: Sandboxed Python execution environments for running agent code. Sandboxes are ephemeral and destroyed after each task.
- Supabase (Inngest): Background job orchestration and database hosting.
- SMTP2GO: Outbound email delivery for certain notification types.
5. Data Storage & Security
Database: All data is stored in Supabase (PostgreSQL) hosted on AWS, with Row Level Security (RLS) ensuring complete tenant isolation — no tenant can access another's data.
Credential Encryption: OAuth tokens and API keys are encrypted with AES-256-GCM using per-tenant derived keys before storage. Keys are never logged.
Data in Transit: All communications between your browser, our servers, and third-party APIs are protected by TLS 1.3.
Code Execution Isolation: Agent code runs in ephemeral E2B sandboxes — isolated containers with no filesystem or network access beyond what the task requires and no access to other tenants' data or the host system. Sandboxes are destroyed after each agent step completes.
Embeddings: If you use the knowledge-base feature, document content is vectorised using OpenAI embeddings and stored in pgvector. Original uploaded files are not retained after processing unless explicitly saved by you.
Access Controls: Production database and infrastructure access is restricted to authorised personnel only and is protected by MFA.
6. Meta Platform Data — Deletion Instructions
If you have connected a Facebook Page or Instagram Business account to AgenticFactor and wish to request deletion of all associated data held by AgenticFactor (OAuth tokens, stored outputs related to your Meta account), you may do so in either of the following ways:
- Self-serve (Instant): Log in to your AgenticFactor account → go to Connectors → locate the Facebook or Instagram connector → click “Disconnect”. This immediately revokes our stored access token and removes all associated credential data from our database.
- Email Request: Send an email to hello@agenticfactor.io with the subject line “Meta Data Deletion Request” and your registered email address. We will confirm deletion within 72 hours and purge all associated data within 30 days.
We do not retain Facebook or Instagram user data after disconnection. Mission output data (e.g., post IDs returned by the Facebook API) is deleted along with your mission data upon account deletion.
7. Your Rights & Data Control
You have the following rights over your data:
- Access: View all your mission data, connected integrations, and usage history from your account dashboard.
- Correction: Update your profile information at any time via account settings.
- Deletion: Request full account and data deletion by emailing hello@agenticfactor.io. All data is permanently purged within 30 days.
- Portability: Export your mission data and outputs in JSON format from the dashboard.
- Revoke OAuth Access: Disconnect any connected service at any time from the Connectors page. This immediately invalidates our stored access token for that service.
- Withdrawal of Consent: You may withdraw consent for data processing at any time by deleting your account.
- GDPR Rights (EU/EEA Users): If you are located in the EU or EEA, you additionally have the right to lodge a complaint with your local Data Protection Authority and to object to or restrict processing in certain circumstances. Our lawful basis for processing your data is: (a) contract performance — to provide the services you requested; (b) legitimate interests — for security and fraud prevention; (c) consent — for optional communications.
To exercise any of these rights, contact us at hello@agenticfactor.io.
8. Data Sharing & Disclosure
We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:
- Service Providers: Third-party vendors listed in Section 4 who process data on our behalf under data processing agreements.
- Legal Requirements: If required by applicable law, court order, or government authority.
- Business Transfer: In the event of a merger, acquisition, or sale of assets, user data may be transferred. You will be notified in advance.
- Safety: To protect the rights, property, or safety of AgenticFactor, our users, or the public.
9. Data Retention
Active account data (missions, agent configurations, outputs) is retained while your account is active. OAuth tokens for connected services are retained until you disconnect the service. Upon account deletion, all personal data is permanently removed within 30 days. Anonymised, aggregated usage metrics (no personal identifiers) may be retained indefinitely for service improvement.
10. Cookies
We use only strictly necessary cookies for authentication (Supabase session token) and CSRF protection. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No cookie consent banner is required as only essential cookies are used.
11. Children's Privacy
The Platform is intended for users aged 18 and above. We do not knowingly collect personal data from children under 13. If we become aware of such collection, we will delete it immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to your registered address and by a notice on the Platform at least 14 days before the change takes effect. Continued use of the Platform after that date constitutes acceptance of the updated policy.
13. Governing Law
This Privacy Policy is governed by the laws of India. Any disputes arising under this policy shall be subject to the exclusive jurisdiction of the courts in Thrissur, Kerala, India.
14. Contact & Registered Address
For privacy-related questions, data requests, or to exercise any of your rights:
Agentic FactorThrissur, Kerala, India — 680 001
Email: hello@agenticfactor.io