Privacy Policy

Last updated: 2026-05-14.

> This is starter content based on industry-standard templates. Have it reviewed by qualified counsel before relying on it for compliance.

Who we are

AgentRoost is operated by a small team in the European Union. We host AI agent workspaces on bare-metal hardware in the Netherlands. Our address and contact details are on our contact page.

What we collect

When you create an account, we store:

  • Your email address (to authenticate you, deliver receipts, and send security notifications).
  • Your hashed password (we never see or store the plaintext).
  • Your IP address (for fraud prevention and rate-limiting).
  • Login provider identifiers if you connect Google, Microsoft, Discord, or Casper Wallet.
  • Workspace metadata: name, status, billing tier.

When you pay, our payment processor (LemonSqueezy) sees:

  • Your card or PayPal details. We do not. We receive only the success event and a customer reference.

We do not run third-party analytics. We do not run advertising trackers. We do not sell or share your data with anyone except the named processors listed below.

Processors we use

  • LemonSqueezy (payments) — see their privacy policy.
  • SendGrid (transactional email — activation, password reset, change-email confirmation) — see their privacy policy.
  • Cloudflare (CDN, DDoS protection, Turnstile bot challenges) — see their privacy policy.
  • cspr.click CDN (only if you sign in with a Casper Wallet) — see their terms.
  • Hetzner (the physical hosting provider for our bare-metal servers in the Netherlands).

How long we keep your data

  • Account data: until you delete your account.
  • Workspace data: until you delete the workspace. After deletion, copies in our backups roll off within 30 days.
  • Server logs: 30 days, after which they are aggregated and the per-IP details are dropped.
  • Billing records: 7 years (Turkish + EU tax record-keeping requirement).

Your rights under GDPR

You have the right to:

  • Access your data — visit Settings → Delete account → Download data to get a JSON export.
  • Correct wrong information — change your email/profile in Settings.
  • Delete your data — use the Delete Account flow in Settings. This permanently removes your account and all workspaces.
  • Object to processing — email us; we'll honor reasonable objections within 30 days.
  • Lodge a complaint with your national data protection authority.

Cookies

We use only strictly-necessary cookies: session, authentication, language, and DataProtection encryption keys for ASP.NET. Turnstile may set a short-lived bot-detection cookie. See our cookie policy.

Security

Workspace containers run with an egress firewall blocking internal IPs, cloud metadata services, and known-malicious networks (Spamhaus DROP list refreshed daily). DataProtection encryption keys are persisted across deployments so your session stays valid. 2FA is available in Settings → Two-factor and we strongly recommend turning it on.

Changes to this policy

If we materially change this policy we'll notify active customers via email before the change takes effect. The "Last updated" date at the top of this page is always current.

Contact

Questions about your data? Use the email on our contact page. Please put "Privacy" in the subject line so we route it to the right person.