Privacy Policy

Agents Authority ("we," "our," or "us") operates the agentic commerce infrastructure at agentsauthority.com and related services — including the merchant dashboard, MCP server, WooCommerce plugin, and APIs (collectively, the "Services"). This Privacy Policy describes how we collect, use, disclose, and protect information in connection with those Services.

By accessing or using our Services, you agree to this Privacy Policy. If you are using the Services on behalf of a business, that business also agrees to this policy.

We operate two distinct data relationships: (a) Merchant accounts — businesses that connect their stores to the Agents Authority platform; and (b) Buyer-facing agent sessions — AI-agent interactions that take place on behalf of a merchant's end customers. Each is described separately in Sections 5 and 6.

• Provision, operate, and improve the Services
• Process agent-initiated transactions and enforce spending policies
• Generate and serve your store's UCP (Universal Commerce Protocol) discovery profile
• Send transactional notifications: purchase confirmations, budget alerts, policy violations
• Detect and prevent fraud, abuse, and unauthorized access
• Comply with applicable financial regulations and legal obligations
• Respond to support requests and troubleshoot issues
• Analyze aggregate usage patterns to improve platform reliability and features
• Send product updates and announcements (you may opt out at any time)

We do not use your data to train AI models, and we do not sell your personal information to data brokers or advertisers.

We share information only in the following limited circumstances:

• Service providers: Vendors who operate infrastructure on our behalf (cloud hosting, payment processing, email delivery, analytics). Each is bound by data processing agreements and may only use your data to perform services for us.
• AI agents you authorize: When an AI agent connects to your store through our MCP server, it receives only the product and policy data you have configured for discovery. No customer PII is shared with agents by default.
• Legal requirements: When required by law, subpoena, court order, or to respond to a verified government request. We will notify you unless legally prohibited.
• Protection of rights: To protect the rights, property, and safety of Agents Authority, our merchants, and the public.
• Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets. We will notify you before your data is transferred and becomes subject to a different privacy policy.
• With your explicit consent: For any other purpose with your prior written authorization.

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes.

When you connect a WooCommerce (or other e-commerce) store to Agents Authority, we fetch and store a subset of your store data to power agent-accessible product discovery. Specifically:

• Product catalog: names, descriptions, prices, SKUs, images, and inventory levels
• Shipping zones, methods, and rates
• Active payment gateway names (not credentials)
• Store policies: return, refund, and shipping terms (if provided)
• WooCommerce REST API credentials generated by the plugin (stored encrypted at rest)

This data is used solely to serve your store's UCP discovery profile and to fulfill agent-initiated purchase requests on your behalf. You can disconnect your store at any time from the merchant dashboard, which permanently revokes API access and removes cached store data from our platform within 30 days.

Your end-customer data (buyer names, addresses, payment details) is processed by your WooCommerce store directly and is not transmitted to or stored by Agents Authority. The agent purchase flow creates orders on your WooCommerce backend — we act as an intermediary, not a data controller, for that transaction data.

Every action taken by an AI agent through your account is logged in our system. These logs include:

• Agent identifier (the ID you assigned or a system-generated ID)
• Timestamp, action type, and outcome (approved / denied / pending)
• Spending policy evaluated and the decision rationale
• Merchant and product queried (for discovery requests)
• Transaction amounts and currency
• IP address of the originating agent request

These audit logs are retained for a minimum of 7 years for financial compliance purposes. You can access your full audit log at any time from the merchant dashboard. Agent activity data is associated with your account — it is never used to profile the AI agent itself or shared with the AI agent's underlying model provider.

• Account data: retained for the life of your account plus 90 days after closure
• Transaction and audit logs: minimum 7 years (financial compliance requirement)
• API request logs: 90 days rolling
• Waitlist data: until you unsubscribe or request deletion
• Store product cache: removed within 30 days of store disconnection

After the applicable retention period, data is securely deleted or anonymized. You may request earlier deletion of non-compliance data by contacting us (see Section 15). Legal hold obligations may prevent deletion of specific records.

We implement layered technical and organizational security controls:

• Encryption in transit (TLS 1.2+) for all API and web traffic
• Encryption at rest for sensitive credentials and store data
• Role-based access controls and least-privilege principles for internal systems
• Cryptographic signing of UCP discovery profiles (EC P-256 keypairs per merchant)
• Automated anomaly detection on agent spending patterns
• Regular third-party security assessments

No system is perfectly secure. If you discover a vulnerability, please report it responsibly to hello@agentsauthority.com. We will acknowledge receipt within 48 hours.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) grants you the following rights with respect to your personal data:

• Right of access: Obtain a copy of the personal data we hold about you.
• Right to rectification: Correct inaccurate or incomplete personal data.
• Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal retention obligations.
• Right to restrict processing: Limit how we use your data in certain circumstances.
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interests.
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at hello@agentsauthority.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

Our legal basis for processing varies by activity: contract performance (providing the Services), legitimate interests (fraud prevention, security), legal obligation (financial record retention), and consent (marketing communications).

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:

• Right to know: Request disclosure of the categories and specific pieces of personal information we collect, use, and share.
• Right to delete: Request deletion of personal information we have collected, subject to certain exceptions.
• Right to opt out of sale: We do not sell personal information. This right is not applicable, but we honor it anyway.
• Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
• Right to correct: Request correction of inaccurate personal information we hold.

To submit a CCPA request, email hello@agentsauthority.com with the subject line "CCPA Privacy Request." We will verify your identity before processing the request and respond within 45 days.

We use cookies and similar technologies on our marketing website and dashboard. You can control cookies via your browser settings. The types we use:

• Strictly necessary: Session authentication, CSRF protection, and security cookies. These cannot be disabled without breaking the Services.
• Analytics: We use PostHog to understand how visitors use our marketing site and dashboard. PostHog data is processed on servers in the EU and US. You can opt out by enabling "Do Not Track" in your browser.
• Functional: Remember your preferences (theme, dashboard layout, notification settings).

We do not use third-party advertising cookies or cross-site tracking networks. No cookie data is sold.

Agents Authority is incorporated in Delaware, United States, and our primary infrastructure operates in the United States. If you access the Services from outside the US, your data will be transferred to and processed in the United States.

For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism. You may request a copy of our SCCs by contacting hello@agentsauthority.com.

Our Services are not directed to, and we do not knowingly collect personal information from, individuals under the age of 18. If we learn that we have inadvertently collected personal information from a minor, we will delete it promptly. If you believe we may have such information, please contact hello@agentsauthority.com.

We may update this Privacy Policy periodically. For material changes, we will notify you by email (to the address on your account) at least 14 days before the change takes effect. For non-material changes (typographical corrections, clarifications), we will update the "Last updated" date at the top of this page.

Your continued use of the Services after the effective date of a change constitutes acceptance of the updated policy. If you disagree with a material change, you may close your account before the change takes effect.

For privacy-related questions, requests, or complaints, reach us at: