Privacy Policy

Last updated: 2026-06-24.

> This is starter content based on industry-standard templates. Have it reviewed by qualified counsel before relying on it for compliance.

Who we are

AgentRoost is operated by a small team in the European Union. We host AI agent workspaces on bare-metal hardware in the Netherlands. Our address and contact details are on our contact page.

What we collect

When you create an account, we store:

  • Your email address (to authenticate you, deliver receipts, and send security notifications).
  • Your hashed password (we never see or store the plaintext).
  • Your IP address (for fraud prevention and rate-limiting).
  • Login provider identifiers if you connect Google, Microsoft, Discord, or Casper Wallet.
  • Workspace metadata: name, status, billing tier, and aggregate outbound-byte counters per workspace (used to enforce the fair-use bandwidth cap described in our terms — we count totals, not destinations or payloads).

When you pay, our payment processor (Polar.sh) sees:

  • Your card details. We do not. We receive only the success event and a customer reference.

We run privacy-respecting analytics (Google Analytics 4), but only after you accept the cookie banner — it is denied by default and you can opt out at any time. We do not run advertising trackers, and we do not sell or share your data with anyone except the named processors listed below.

Processors we use

  • Polar.sh (payments — merchant of record) — see their privacy policy.
  • SendGrid (transactional email — activation, password reset, change-email confirmation) — see their privacy policy.
  • Cloudflare (CDN, DDoS protection, Turnstile bot challenges) — see their privacy policy.
  • Google Analytics (privacy-respecting traffic analytics — only active after you consent via the cookie banner; advertising features and data sharing are turned off) — see their privacy policy.
  • cspr.click CDN (only if you sign in with a Casper Wallet) — see their terms.
  • Hetzner (the physical hosting provider for our bare-metal servers in the Netherlands).

How long we keep your data

  • Account data: until you delete your account.
  • Workspace data: until you delete the workspace. After deletion, copies in our backups roll off within 30 days.
  • Server logs: 30 days, after which they are aggregated and the per-IP details are dropped.
  • Billing records: 7 years (Turkish + EU tax record-keeping requirement).

Your rights under GDPR

You have the right to:

  • Access your data — visit Settings → Delete account → Download data to get a JSON export.
  • Correct wrong information — change your email/profile in Settings.
  • Delete your data — use the Delete Account flow in Settings. This permanently removes your account and all workspaces.
  • Object to processing — email us; we'll honor reasonable objections within 30 days.
  • Lodge a complaint with your national data protection authority.

Cookies

We use strictly-necessary cookies (session, authentication, language, and DataProtection encryption keys for ASP.NET) plus, only with your consent, Google Analytics cookies. Turnstile may set a short-lived bot-detection cookie. See our cookie policy.

Security

Workspace containers run with an egress firewall blocking internal IPs, cloud metadata services, and known-malicious networks (Spamhaus DROP list refreshed daily). DataProtection encryption keys are persisted across deployments so your session stays valid. 2FA is available in Settings → Two-factor and we strongly recommend turning it on.

Changes to this policy

If we materially change this policy we'll notify active customers via email before the change takes effect. The "Last updated" date at the top of this page is always current.

Contact

Questions about your data? Use the email on our contact page. Please put "Privacy" in the subject line so we route it to the right person.