Privacy Policy
1. Introduction
AI Insurance Inc. ("AgentShield," "we," "us," or "our") is committed to protecting the privacy and security of your personal and business data. This Privacy Policy explains what information we collect, how we use it, with whom we share it, and the rights and choices you have regarding your data.
This policy applies to all users of the AgentShield platform, website, and related services (collectively, the "Service"). By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.
If you have any questions about this policy, please contact us at privacy@agentshield.ai.
2. Information We Collect
We collect the following categories of information to provide and improve the Service:
Account Information
When you create an account, we collect:
- Email address
- Full name
- Company name
- Company website
- Industry
- Account credentials (passwords are hashed and never stored in plain text)
Agent Data
To provide risk monitoring and guardrail enforcement, we collect data about your AI agents, including:
- Agent configurations and parameters
- Permissions and access scopes assigned to agents
- Connected APIs and third-party integrations
- Guardrail settings and policy definitions
Activity Data
We collect data generated by your AI agents' operations, including:
- Agent actions and decision logs
- Risk scores calculated by our algorithms
- Alert history and notification records
- Incident records and guardrail enforcement events
Usage Data
We automatically collect information about how you interact with the Service:
- Pages visited and features used
- Session duration and frequency
- Browser type, operating system, and device information
- IP address and approximate geographic location
Payment Information
Payment processing is handled entirely by Stripe. We do not store your full credit card numbers, CVV codes, or other sensitive payment details on our servers. We retain only the information necessary to manage your subscription, such as the last four digits of your card, card brand, and billing address.
3. How We Use Your Data
We use the information we collect for the following purposes:
- Provide Risk Monitoring and Scoring. We analyze agent activity data to generate risk scores, detect anomalies, and provide real-time risk assessments for your AI agent deployments.
- Generate Alerts and Enforce Guardrails. We use agent data and activity logs to trigger alerts when unusual or high-risk behavior is detected, and to enforce guardrail policies you have configured.
- Assess Coverage Eligibility. We use your risk profile, agent configurations, and activity history to generate informational coverage eligibility assessments. These are not insurance offers.
- Improve Our Algorithms and Service. We use aggregated and anonymized data to refine our risk scoring models, improve guardrail effectiveness, and enhance platform features.
- Send Important Account Notifications. We send transactional emails related to your account, including security alerts, billing confirmations, service updates, and material changes to our Terms or Privacy Policy.
- Provide Customer Support. We use your account and usage data to respond to support requests, troubleshoot issues, and resolve disputes.
- Comply with Legal Obligations. We may process your data as necessary to comply with applicable laws, regulations, or legal proceedings.
4. Data Sharing
We do not sell your personal data. We share your information only with the following categories of third parties, and only to the extent necessary:
Payment Processors
Stripe processes subscription payments on our behalf. Stripe receives your payment details directly and is governed by its own privacy policy. We do not have access to your full payment card details.
Infrastructure Providers
We use third-party hosting, storage, and infrastructure services to operate the platform. These providers process data on our behalf under strict contractual obligations and security requirements. They do not have independent rights to use your data.
Law Enforcement & Legal Requirements
We may disclose your information if required to do so by law, regulation, legal process, or enforceable governmental request. We may also disclose information when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud or security incidents.
We will make reasonable efforts to notify you of law enforcement requests for your data, unless we are legally prohibited from doing so or believe that notification would jeopardize an investigation or the safety of individuals.
5. Data Security
We take the security of your data seriously and implement industry-standard measures to protect it:
- Encryption at Rest. All stored data, including agent activity logs, risk scores, and account information, is encrypted at rest using AES-256 encryption.
- Encryption in Transit. All data transmitted between your browser and our servers, and between our internal services, is encrypted using TLS 1.2 or higher.
- Access Controls. We enforce strict role-based access controls. Only authorized personnel with a legitimate business need can access customer data, and all access is logged and audited.
- Regular Security Audits. We conduct regular security assessments and vulnerability scans to identify and remediate potential threats.
- Incident Response. We maintain an incident response plan and will notify affected users promptly in the event of a data breach, in accordance with applicable law.
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security vulnerabilities or incidents.
6. Data Retention
We retain your data for as long as your account is active and as needed to provide the Service. Specifically:
- Active Accounts. All data associated with your account is retained for the duration of your active subscription.
- After Account Deletion. When you delete your account or request deletion, we will remove your personal data and agent activity data within 90 days. Some data may be retained longer if required by law, for legitimate business purposes (such as resolving disputes), or to enforce our Terms.
- Aggregated Data. We may retain anonymized and aggregated data indefinitely for analytical and service improvement purposes. This data cannot be used to identify you.
- Backup Systems. Data may persist in encrypted backup systems for a limited period after deletion. Backups are rotated and purged on a regular schedule.
7. Your Rights
Under the General Data Protection Regulation (GDPR) and other applicable data protection laws, you have the following rights regarding your personal data:
- Right of Access. You have the right to request a copy of the personal data we hold about you, along with information about how we process it.
- Right to Rectification. You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
- Right to Erasure ("Right to Be Forgotten"). You have the right to request deletion of your personal data, subject to certain legal exceptions (e.g., data we are required to retain by law).
- Right to Data Portability. You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- Right to Withdraw Consent. Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before consent was withdrawn.
- Right to Restrict Processing. You have the right to request that we restrict the processing of your personal data under certain circumstances.
- Right to Object. You have the right to object to the processing of your personal data for direct marketing purposes or where processing is based on our legitimate interests.
To exercise any of these rights, please contact us at privacy@agentshield.ai. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request.
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in your jurisdiction.
8. CCPA / CPRA Rights (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information:
- Right to Know. You have the right to request information about the categories and specific pieces of personal information we have collected about you, the sources from which we collected it, the purposes for which we use it, and the third parties with whom we share it.
- Right to Delete. You have the right to request deletion of your personal information, subject to certain legal exceptions (e.g., data required to complete transactions, detect security incidents, or comply with legal obligations).
- Right to Correct. You have the right to request correction of inaccurate personal information we hold about you.
- Right to Opt-Out of Sale or Sharing. We do not sell or share your personal information for cross-context behavioral advertising purposes. If our practices change, we will provide a clear "Do Not Sell or Share My Personal Information" link.
- Right to Limit Use of Sensitive Personal Information. If we collect or use sensitive personal information (as defined by CPRA) beyond what is necessary to provide the Service, you have the right to limit such use.
- Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights, including by denying you goods or services, charging different prices, or providing a different level of quality.
To exercise these rights, contact us at privacy@agentshield.ai with "CCPA Request" in the subject line. We will verify your identity and respond within 45 days. You may designate an authorized agent to make requests on your behalf by providing written authorization.
Categories of Personal Information Collected: Identifiers (name, email, IP address), commercial information (subscription data), internet activity (usage logs), professional information (company details), and inferences (risk scores, eligibility assessments).
Business Purposes for Collection: Provide risk monitoring services, enforce guardrails, assess risk profiles, billing and account management, customer support, security and fraud prevention, and legal compliance.
9. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal bases for processing your personal data include:
- Contract Performance. Processing is necessary to provide the Service under our Terms of Service, including account management, risk monitoring, guardrail enforcement, and billing.
- Legitimate Interests. We process data based on our legitimate interests in improving the Service, detecting security threats, preventing fraud, and conducting analytics to enhance risk scoring models. We balance these interests against your rights and freedoms and provide opt-out mechanisms where appropriate.
- Consent. Where required by law, we obtain your explicit consent before processing certain categories of data, such as optional marketing communications. You may withdraw consent at any time.
- Legal Obligation. We process data when required to comply with legal obligations, such as responding to valid legal requests, tax reporting, and regulatory compliance.
If you have questions about the legal basis for processing your data, contact privacy@agentshield.ai.
10. Data Controller / Processor Roles
For purposes of GDPR and other data protection laws, the roles are as follows:
- AgentShield as Data Controller. We act as a data controller for account information, billing data, and platform usage data. We determine the purposes and means of processing this data.
- AgentShield as Data Processor. We act as a data processor for your AI agent activity data. You (the customer) are the data controller of the agent activity logs, risk scores, and incident records generated by your agents. We process this data on your behalf according to your instructions and configurations.
- Your Responsibilities. As the data controller of agent activity data, you are responsible for ensuring that your use of the Service complies with applicable data protection laws, including obtaining necessary consents from individuals whose data may be processed by your AI agents.
For Enterprise customers, we offer formal Data Processing Agreements (DPAs) that define these roles and responsibilities in detail. Contact camden@agentshield.ai to discuss a DPA.
11. Subprocessors and Third-Party Services
We engage the following categories of third-party service providers ("subprocessors") to help us deliver the Service. These providers process data on our behalf under strict contractual obligations, including confidentiality, security, and data protection requirements:
- Hosting and Infrastructure: Render (web hosting), Neon (PostgreSQL database), Cloudflare (CDN and DDoS protection)
- Payment Processing: Stripe (subscription billing and payment processing)
- Email Delivery: Postmark or similar transactional email service (account notifications, security alerts)
- Analytics and Monitoring: Internal analytics only; no third-party analytics services (Google Analytics, Mixpanel, etc.) are used
We select subprocessors based on their security practices, compliance certifications (e.g., SOC 2, ISO 27001), and data protection commitments. We require all subprocessors to adhere to GDPR, CCPA, and other applicable data protection standards.
Subprocessor Changes: We may add, replace, or remove subprocessors from time to time as our infrastructure evolves. Enterprise customers with DPAs will be notified of material subprocessor changes at least 30 days in advance and may object if they have reasonable data protection concerns.
For a current list of subprocessors, contact privacy@agentshield.ai.
12. International Data Transfers
AgentShield is based in the United States, and your data may be transferred to, stored in, and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from those in your country of residence.
For data transfers from the EEA, UK, or Switzerland to the United States or other countries not deemed adequate by the European Commission, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs). We use the European Commission-approved Standard Contractual Clauses with our subprocessors to ensure adequate protection for personal data transferred outside the EEA.
- Data Protection Impact Assessments. We conduct impact assessments to evaluate risks associated with international data transfers and implement supplementary measures where necessary.
- Vendor Security Commitments. We require that all subprocessors adhere to GDPR-equivalent data protection standards, regardless of their location.
If you are located in the EEA, UK, or Switzerland and require a copy of the Standard Contractual Clauses or additional information about our data transfer mechanisms, contact privacy@agentshield.ai.
13. Data Processing Agreement (DPA) for Enterprise Customers
Enterprise customers who require a formal Data Processing Agreement (DPA) to meet their regulatory or contractual obligations may request one by contacting camden@agentshield.ai.
Our standard DPA includes:
- Scope and Instructions: Defines the subject matter, duration, nature, and purpose of data processing activities.
- Data Subject Rights: Outlines procedures for handling data subject access requests, deletion requests, and other rights exercised under GDPR or CCPA.
- Security Measures: Details technical and organizational measures implemented to protect personal data, including encryption, access controls, and incident response procedures.
- Subprocessor Management: Provides advance notice of subprocessor changes and allows customers to object on reasonable data protection grounds.
- Data Breach Notification: Commits to notifying customers of personal data breaches within 72 hours of detection.
- Audit Rights: Grants customers or their auditors the right to audit our data processing practices upon reasonable notice.
- Data Deletion: Specifies procedures for returning or securely deleting customer data upon termination of the agreement.
The DPA incorporates the Standard Contractual Clauses for international data transfers and complies with GDPR, CCPA, and other major data protection frameworks.
14. Enhanced Data Retention Schedule
We retain different categories of data for different periods based on business necessity, legal requirements, and your account status:
- Account Information (Name, Email, Company): Retained for the duration of your active subscription + 90 days after account deletion (to allow for reactivation and resolve disputes).
- AI Agent Activity Data (Logs, Risk Scores, Incidents): Retained for 2 years from the date of collection while your account is active. Upon account deletion, this data is deleted within 90 days unless required for legal compliance or dispute resolution.
- Billing and Transaction Records: Retained for 7 years to comply with tax and financial recordkeeping requirements. This includes subscription history, payment records, and invoices.
- Aggregated and Anonymized Data: Retained indefinitely for research, analytics, and service improvement. This data cannot be used to identify you or your organization.
- Security and Audit Logs: Retained for 1 year for security monitoring, fraud prevention, and incident investigation purposes.
- Marketing Communications (if opted in): Retained until you opt out or request deletion. You can unsubscribe at any time via the link in marketing emails.
Data Deletion Process: When you request account deletion, we initiate a 30-day grace period during which you can reactivate your account. After the grace period, we permanently delete your personal data and agent activity data within 60 days. Data may persist in encrypted backups for up to 90 days total, after which it is purged from all systems.
To request immediate data deletion without the grace period, contact privacy@agentshield.ai with your account email and a clear deletion request.
15. Cookies
AgentShield uses minimal cookies, strictly limited to what is necessary for the Service to function:
- Session Management Cookies. We use session cookies to authenticate your login, maintain your session state, and ensure secure access to the platform. These cookies are essential and cannot be disabled without losing access to the Service.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not participate in cross-site tracking or sell cookie data to third parties.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or the Service.
When we make material changes, we will:
- Provide at least 30 days' advance notice before the changes take effect.
- Notify you via email to the address associated with your account and/or through a prominent notice within the Service.
- Update the "Effective Date" at the top of this policy.
Your continued use of the Service after the updated policy takes effect constitutes your acceptance of the changes. If you do not agree with the revised policy, you should discontinue use of the Service and delete your account.
17. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Privacy Inquiries: privacy@agentshield.ai
General Support: support@agentshield.ai
Company: AI Insurance Inc.
We aim to respond to all privacy-related inquiries within 30 days.