Privacy Policy
Last updated: February 20, 2026
AgentDesk (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI workflow automation platform (the “Service”).
This policy applies to all users worldwide, including users in the European Union (GDPR), United Kingdom (UK GDPR), California (CCPA/CPRA), India (DPDPA), Canada (PIPEDA), Brazil (LGPD), and South Africa (POPIA).
1. Data Controller
AgentDesk is the data controller for your personal data. For questions about this policy or to exercise your rights, contact us at:
- Email: privacy@agentdesk.ai
- Data Protection inquiries: dpo@agentdesk.ai
2. Information We Collect
2.1 Information You Provide
- Account data: Name, email address, password (hashed), workspace name
- Profile data: Avatar (from Google OAuth), timezone preferences
- Agent configurations: Workflow steps, prompts, trigger settings you create
- Payment data: Billing information processed by Stripe or Razorpay (we never store card numbers)
- Communications: Support requests and feedback
2.2 Information Collected Automatically
- Usage data: Agent run logs, step outputs, token counts, execution metrics
- Device data: IP address, browser type, operating system
- Cookies: Authentication cookies (httpOnly), CSRF tokens, and optional analytics cookies (see our Cookie Policy)
2.3 Third-Party Integration Data
When you connect integrations (Gmail, Google Sheets, Slack, Notion, Trello), we access data from those services only as needed to execute your configured workflows. Integration credentials are encrypted with AES-256 (Fernet) encryption at rest.
3. How We Use Your Information
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and operating the Service | Contractual necessity (Art. 6(1)(b)) |
| Processing payments | Contractual necessity (Art. 6(1)(b)) |
| AI-powered workflow execution via Anthropic Claude | Contractual necessity (Art. 6(1)(b)) |
| Sending transactional emails (account, security, billing) | Legitimate interest (Art. 6(1)(f)) |
| Sending marketing communications | Consent (Art. 6(1)(a)) |
| Analytics and service improvement | Legitimate interest (Art. 6(1)(f)) |
| Preventing fraud and ensuring security | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
4. AI Processing and Automated Decision-Making
AgentDesk uses Anthropic's Claude AI to process your workflow steps. When an AI step executes:
- Your prompt and context data are sent to Anthropic's API for processing
- Anthropic retains API logs for up to 7 days for safety purposes, then deletes them
- Your data is never used to train AI models (contractual guarantee with Anthropic)
- AI-generated outputs are clearly marked as AI-generated within the platform
You have the right to request human review of any AI-generated output that significantly affects you. Contact us at privacy@agentdesk.ai.
5. Data Sharing and Sub-Processors
We share your data only with the following categories of sub-processors, each under a Data Processing Agreement:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Anthropic | AI processing (Claude API) | United States |
| Stripe | Payment processing (global) | United States |
| Razorpay | Payment processing (India) | India |
| Twilio SendGrid | Email delivery | United States |
| Gmail & Sheets APIs (at your direction) | United States | |
| Slack | Messaging API (at your direction) | United States |
| Hosting provider | Infrastructure | See DPA |
We do not sell, rent, or share your personal data with advertisers, data brokers, or any third party for their own marketing purposes.
6. International Data Transfers
Your data may be transferred to and processed in countries outside your jurisdiction. For transfers from the EU/EEA/UK, we rely on:
- EU-US Data Privacy Framework (for certified US sub-processors)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Transfer Impact Assessments conducted for each data transfer
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days grace |
| Agent run logs | 90 days (configurable per workspace) |
| Integration credentials | Until integration disconnected |
| Payment records | 7 years (legal requirement) |
| Server logs | 30 days |
| AI processing logs (Anthropic) | 7 days (Anthropic policy) |
| Database backups | 7 daily + 4 weekly |
8. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
All Users
- Access: Request a copy of all personal data we hold about you (available via Settings > Export Data)
- Rectification: Correct inaccurate data via your account settings
- Deletion: Delete your account and all associated data (Settings > Delete Account)
- Portability: Export your data in JSON or CSV format
- Withdraw consent: Withdraw consent for marketing emails at any time via unsubscribe links or email preferences
EU/EEA/UK Residents (GDPR)
- Restriction: Request that we restrict processing of your data
- Object: Object to processing based on legitimate interest
- Automated decisions: Right not to be subject to solely automated decisions with legal effects; right to human review
- Complaint: Lodge a complaint with your local Data Protection Authority
California Residents (CCPA/CPRA)
- Right to Know: Request categories and specific pieces of personal information collected
- Right to Delete: Request deletion of personal information
- Right to Opt-Out: We do not sell or share your personal information for cross-context behavioral advertising
- Non-discrimination: You will not be penalized for exercising your privacy rights
Indian Residents (DPDPA)
- Consent withdrawal: Withdraw consent as easily as it was given
- Grievance redressal: Contact our Data Protection Officer at dpo@agentdesk.ai
- Complaint: File a complaint with the Data Protection Board of India
To exercise any of these rights, email privacy@agentdesk.ai or use the self-service options in your account settings. We respond to all requests within 30 days (GDPR), 45 days (CCPA), or 15 days (LGPD).
9. Data Security
- TLS 1.2+ encryption for all data in transit
- AES-256 (Fernet) encryption for integration credentials at rest
- Passwords hashed with bcrypt
- JWT tokens stored in httpOnly, Secure, SameSite cookies
- CSRF protection on all mutating requests
- Token blacklisting via Redis for secure logout
- Role-based access control with workspace-scoped tenant isolation
- Daily encrypted database backups
- Automated dependency vulnerability scanning
10. Cookies
We use strictly necessary cookies for authentication and security (JWT tokens, CSRF tokens). These do not require consent. For details on all cookies used, see our Cookie Policy.
11. Children's Privacy
AgentDesk is not intended for individuals under the age of 16 (or 13 in jurisdictions where that is the applicable age). We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at privacy@agentdesk.ai and we will delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you via email and/or a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact Us
- Privacy inquiries: privacy@agentdesk.ai
- Data Protection Officer: dpo@agentdesk.ai
- General support: support@agentdesk.ai