Privacy Policy

AgentLattice, Inc. ("AgentLattice," "we," "us," or "our") operates an identity and access management platform for AI agents. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information.

This policy applies to agentlattice.com and all associated services. By using our services, you agree to the collection and use of information as described here.

AgentLattice is designed from the ground up to be a data-minimizing service. We process action metadata — not the content of your agents' actions. The distinction matters: we know that an agent performed a file write operation; we do not know what was written.

Information you provide directly:

• Account registration information: name, email address, organization name
• Billing information: processed by Stripe; we store only the last 4 digits of your payment card, card type, and expiry month/year
• Support and correspondence: messages you send us via email or in-app support
• Configuration data: workspaces, policies, agent identities, and delegation settings you create

Information generated automatically:

• Agent action metadata: agent identifier, action type category (e.g., "file write," "API call"), resource category, policy evaluation result (allow/deny/escalate), timestamp, and session context
• Audit log records: tamper-proof hashed records of all policy evaluations and human-in-the-loop approvals
• Usage metrics: API request counts, error rates, and feature usage for billing and service improvement
• Technical logs: IP addresses, browser or SDK version, and request metadata retained for up to 30 days for security and debugging

AgentLattice is a metadata platform. We explicitly do not access, store, or process:

• The content or payload of your agents' actions (file contents, API request/response bodies, database records, email content, code, documents)
• Prompt text or LLM conversation history
• Credentials, secrets, or API keys your agents use to call downstream services
• Personal data about the end users your AI systems interact with, unless you explicitly submit such data as part of account or policy configuration

Our SDK instruments the boundary of your agent's actions — it captures the action category and outcome, not the underlying data. If you are evaluating AgentLattice for GDPR or HIPAA workloads, this architecture is the relevant fact: we are not a processor of your customers' personal data.

• Providing the service: processing policy evaluations, maintaining audit logs, routing human-in-the-loop approvals, and operating the dashboard
• Billing and account management: processing payments, sending invoices, and notifying you of subscription changes
• Security and fraud prevention: detecting anomalous usage patterns, investigating potential abuse, and protecting the integrity of the service
• Service improvement: analyzing aggregate, anonymized usage patterns to improve reliability and develop new features
• Legal compliance: retaining records as required by applicable law and responding to lawful requests from authorities
• Communications: sending product updates, security notices, and support responses. You may opt out of non-essential communications at any time

We do not sell your data. We do not use your data to train AI or machine learning models without your explicit written consent.

If you are located in the European Economic Area, United Kingdom, or Switzerland, our legal bases for processing your personal data are:

• Contract performance (Article 6(1)(b)): processing necessary to provide the services you have subscribed to, including account management, policy enforcement, and audit logging
• Legitimate interests (Article 6(1)(f)): service security, fraud prevention, aggregate analytics for product improvement, and legal defense — where our interests are not overridden by your rights
• Legal obligation (Article 6(1)(c)): retaining records required by applicable law
• Consent (Article 6(1)(a)): for optional communications and any processing not covered by the above bases; you may withdraw consent at any time

Enterprise customers requiring a Data Processing Agreement (DPA) for GDPR Article 28 compliance may request one at privacy@agentlattice.com. A DPA template is available on our Security page.

We share your information only in the following circumstances:

• Subprocessors: we use a limited set of vetted third-party vendors to operate the service, including cloud infrastructure (Supabase, Vercel), email delivery (Resend), and payment processing (Stripe). A full list is available on our Subprocessors page.
• Business transfers: in connection with a merger, acquisition, or sale of substantially all assets, subject to the acquirer assuming equivalent privacy obligations
• Legal requirements: when required by law, court order, or lawful government request; we will notify you unless prohibited by law
• Protection of rights: to prevent fraud, enforce our terms, or protect the safety of users or third parties

We do not sell, rent, or share personal data with third parties for their own marketing purposes.

• Audit logs: retained for 12 months from the date of creation, then deleted unless you request extended retention under an enterprise plan
• Account data: retained for the duration of your subscription and for 90 days after termination, during which you may request a data export
• Billing records: retained for 7 years as required for tax and financial compliance
• Technical logs: retained for up to 30 days, then deleted
• Support correspondence: retained for 3 years to maintain context for ongoing relationships

After the applicable retention period, data is securely deleted or anonymized. Deletion timelines may be extended where required by law.

GDPR rights (EEA, UK, Switzerland):

• Access: request a copy of the personal data we hold about you
• Rectification: request correction of inaccurate or incomplete data
• Erasure: request deletion of your personal data, subject to legal retention obligations
• Portability: receive your data in a structured, machine-readable format
• Restriction: request that we limit processing of your data in certain circumstances
• Objection: object to processing based on legitimate interests; we will assess whether our interests are overridden by yours
• Withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing

CCPA rights (California residents):

• Know: request disclosure of the categories and specific pieces of personal information we have collected, the sources, purposes, and third parties with whom we share it
• Delete: request deletion of personal information, subject to applicable exceptions
• Correct: request correction of inaccurate personal information
• Non-discrimination: we will not discriminate against you for exercising your privacy rights

Note: AgentLattice does not sell or share personal information for cross-context behavioral advertising as defined by the CCPA. We do not have actual knowledge of selling or sharing personal information of consumers under 16 years of age.

To exercise any of these rights, contact privacy@agentlattice.com. We will respond within 30 days (GDPR) or 45 days (CCPA). Identity verification may be required for sensitive requests.

AgentLattice is headquartered in the United States. If you are located outside the United States, your information may be transferred to and processed in the U.S. and other countries where our subprocessors operate.

For transfers of personal data from the EEA, UK, or Switzerland to the U.S., we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. Our DPA template includes the applicable SCCs. You may request a copy at privacy@agentlattice.com.

We apply industry-standard technical and organizational measures to protect your data, including encryption in transit (TLS 1.2+), encryption at rest (AES-256), tamper-proof audit log hashing, and access controls enforced by role-based permissions. For a detailed description of our security posture, see our Security page.

No system is completely secure. If you discover a potential security issue, please report it to security@agentlattice.com.

We use strictly necessary cookies to maintain authenticated sessions and prevent cross-site request forgery. We do not use advertising cookies, third-party tracking pixels, or behavioral analytics that follow you across other websites.

We use first-party, privacy-preserving analytics to measure aggregate page traffic and product usage. These do not track individual users across sessions.

The Services are not directed to children under 13 years of age, and we do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us at privacy@agentlattice.com and we will promptly delete it.

We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 30 days before the changes take effect. The "effective date" at the top of this page reflects when the most recent version took effect.

Your continued use of the Services after the effective date of any changes constitutes acceptance of the revised policy.

For privacy-related questions, requests, or complaints, contact us at:

AgentLattice, Inc.
Attn: Privacy
548 Market St PMB 78213
San Francisco, CA 94104
privacy@agentlattice.com

If you are located in the EEA and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local supervisory authority. A list of EEA data protection authorities is available at edpb.europa.eu.