Agentryx Ltd (“Agentryx”, “we”, “us”) operates the Agentryx platform at agentryx.io and its subdomains. We are the data controller for personal data processed about our customers (agency owners and their team members) and the data processor for personal data agencies upload about their own clients.
This policy explains what we collect, why, who we share it with, and the rights you have under the UK GDPR and Data Protection Act 2018.
1. Who is the data controller
Agentryx Ltd, registered in England & Wales. Contact: privacy@agentryx.io.
For the personal data agencies upload about their clients (leads, ad accounts, campaign performance), the agency is the controller and Agentryx is the processor. Clients should contact their agency directly for data requests about that data.
2. What personal data we collect
- Account data - name, email, password hash (held by our auth provider), workspace name and slug, role.
- Billing data - billing email, plan, payment method tokens (held by Stripe - we never see card numbers), invoices.
- Workspace content - client records, board cards, messages, creatives, reports, ad performance metrics, audit log entries.
- Usage data - page views, feature interactions, error logs, IP address, user agent, timestamps. Used for security and product improvement.
- Communications - emails you send to support, in-app messages.
3. Why we collect it (lawful bases)
- Contract - we process account, billing and workspace data because you (or your agency) have an Agentryx subscription that we’re obliged to deliver.
- Legitimate interests - fraud prevention, abuse mitigation, product analytics, error tracking. We minimise the data used for these purposes.
- Legal obligation - to comply with tax, accounting and law enforcement requests where required.
- Consent - only where we ask for it explicitly (e.g. optional marketing emails). You can withdraw at any time.
4. Cookies and similar technologies
We use the following cookies and similar technologies:
- Essential - authentication session cookie (set by Clerk, scoped to .agentryx.io), portal session cookie (set by Agentryx, HMAC-signed), CSRF and impersonation cookies. Required for the platform to function; cannot be disabled.
- Analytics - Vercel Analytics page-view counters and Vercel Speed Insights performance telemetry. These are gated behind a consent banner for visitors based in the UK or EEA.
- Error tracking - Sentry SDK loads on every page to capture JavaScript errors. With consent it includes session replay (masked text + inputs); without consent it captures error stack traces only, no PII.
We do not run advertising or cross-site tracking cookies.
5. Subprocessors we share data with
We rely on the following service providers to operate Agentryx. Each is contractually bound to confidentiality and data protection terms.
- Supabase (database, file storage) - EU region.
- Clerk (authentication) - US, transfers covered by Standard Contractual Clauses.
- Stripe (billing and payments) - US/UK, SCCs.
- Vercel (hosting) - US/EU, SCCs.
- Resend (transactional email) - US, SCCs.
- Sentry (error tracking) - US, SCCs.
- Upstash (rate limiting) - EU region.
- Cloudflare (anti-abuse, Turnstile) - global edge.
- Anthropic (Claude AI model API) - US, SCCs. Receives the transcripts, meeting summaries, and business briefs you submit for AI analysis. Anthropic does not train on data submitted via the API and retains it for at most 30 days under their default data processing terms.
- Mux (video hosting, signed playback) - US, SCCs. Stores creative-review videos you or your clients upload.
- Vercel Analytics & Speed Insights - US, SCCs. Aggregated page-view and Core Web Vitals telemetry on marketing pages. Gated behind a consent banner for UK/EEA visitors.
- Apify (Reddit signal harvesting) - US, SCCs. Used only for admin-side content opportunity discovery; does not process customer data.
- GitHub (source-of-truth for our feature vault) - US, SCCs. No customer data is sent.
We do not sell personal data and we do not share it with third parties for their own marketing purposes.
6. International transfers
Some subprocessors are based in the United States. Where we transfer personal data outside the UK or EEA, we rely on the UK International Data Transfer Agreement, EU-approved Standard Contractual Clauses, or an equivalent transfer mechanism.
7. How long we keep data
- Active workspaces - for as long as the subscription is active.
- Cancelled workspaces - soft-deleted for 30 days, then permanently deleted (except where law requires longer retention).
- Billing records - kept for 7 years to satisfy UK accounting obligations.
- Logs and analytics - 90 days.
8. Your rights
Under the UK GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- ask us to delete your data (subject to legal-hold exceptions);
- export your data in a machine-readable format;
- restrict or object to certain processing;
- withdraw consent where consent is the lawful basis;
- lodge a complaint with the Information Commissioner’s Office (ico.org.uk).
To exercise any of these rights, email privacy@agentryx.io. Client portal users can also request deletion from inside their portal settings.
9. Security
Data is encrypted in transit (TLS) and at rest. Workspaces are isolated by row-level security. Access to production systems is restricted and audited. We monitor for anomalous access and rotate keys on a regular schedule.
10. Children
Agentryx is a B2B service not intended for people under 18. We do not knowingly collect personal data from children.
11. Changes to this policy
We’ll update this policy as our practices evolve. Material changes will be announced by email to account owners at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent change.
12. Contact
Privacy questions: privacy@agentryx.io
General contact: hello@agentryx.io