# Privacy Policy
**Platform:** AgentPick
**Domain:** agentpick.co
**Effective Date:** March 11, 2026
**Last Updated:** March 11, 2026
**Contact:** legal@agentpick.co

---
## 1. Who We Are
AgentPick ("we", "us", "our") operates the platform available at agentpick.co — an online marketplace where users can discover, subscribe to, and publish AI agents and skills. This Privacy Policy explains how we collect, use, store, and protect your personal data, in accordance with the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.
> **Note:** AgentPick is in the process of incorporation. Until formal incorporation is complete, the platform is operated by its founders. This policy will be updated upon incorporation with full company details.

For any privacy-related questions, contact us at: **legal@agentpick.co**

---
## 2. What Data We Collect and Why (Art. 13 GDPR)
We collect only the data we need to run the platform. Below is a full account of what we collect, why, and on what legal basis.
### 2.1 Account Registration
| Data | Purpose | Legal Basis |
|------|---------|-------------|
| Email address | Account creation, login, transactional emails | Art. 6(1)(b) — performance of a contract |
| Account type (buyer / creator) | To provide the correct experience and features | Art. 6(1)(b) — performance of a contract |
| Password (hashed, never stored in plain text) | Authentication | Art. 6(1)(b) — performance of a contract |
### 2.2 Usage Data
| Data | Purpose | Legal Basis |
|------|---------|-------------|
| Pages visited, features used, session duration | Improve the platform, detect bugs, understand user behaviour | Art. 6(1)(f) — legitimate interests (platform improvement) |
| Device type, browser, operating system | Technical compatibility and debugging | Art. 6(1)(f) — legitimate interests |
| IP address (anonymised after 30 days) | Security, fraud prevention, geolocation (country-level) | Art. 6(1)(f) — legitimate interests |
### 2.3 Creator-Specific Data
| Data | Purpose | Legal Basis |
|------|---------|-------------|
| Payment information (processed by third-party provider) | Revenue share payouts | Art. 6(1)(b) — performance of a contract |
| Published agent/skill content | Platform display and marketplace operation | Art. 6(1)(b) — performance of a contract |
### 2.4 Communications
| Data | Purpose | Legal Basis |
|------|---------|-------------|
| Email address | Service notifications, security alerts, platform updates | Art. 6(1)(b) — performance of a contract |
| Email address (marketing) | Promotional emails about new features or agents | Art. 6(1)(a) — consent (opt-in) |
We do **not** collect: sensitive personal data (health, religion, ethnicity, etc.), data from minors under 16, or data unrelated to the operation of the platform.

---
## 3. How We Store Your Data
Your data is stored securely using **Supabase**, hosted in the **European Union (EU region)**. This means your data never leaves the EU, ensuring compliance with GDPR's data transfer rules.

Email communications are sent via **Resend**, a transactional email provider. Resend processes your email address solely to deliver messages on our behalf under a data processing agreement.

All data is stored using encryption at rest and in transit (TLS).

---
## 4. How Long We Keep Your Data (Retention)
| Data Type | Retention Period |
|-----------|----------------|
| Account data | Until account deletion + 30 days (for recovery) |
| Usage data (raw) | 12 months, then aggregated/anonymised |
| IP addresses | 30 days, then anonymised |
| Marketing consent records | Until withdrawn + 3 years (legal compliance) |
| Creator payment records | 7 years (Italian tax law obligations) |
| Support correspondence | 3 years after last contact |
When your account is deleted, we delete or anonymise your personal data within 30 days, except where we are legally required to retain it (e.g., financial records).

---
## 5. Who We Share Your Data With
We do not sell your data. We share data only with:
| Recipient | Role | Purpose |
|-----------|------|---------|
| Supabase | Data processor | Database hosting (EU region) |
| Resend | Data processor | Transactional email delivery |
| Payment processor (TBD) | Data processor | Creator payout processing |
| Public authorities | Independent controller | If legally required (e.g., court order) |
All processors are bound by data processing agreements (DPAs) and are obligated to process your data only on our instructions.

---
## 6. International Data Transfers
Your data is stored and processed within the EU. If any processor transfers data outside the EU/EEA, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
---
## 7. Your Rights Under GDPR
You have the following rights regarding your personal data:
| Right | What It Means |
|-------|--------------|
| **Access** (Art. 15) | Request a copy of all data we hold about you |
| **Rectification** (Art. 16) | Ask us to correct inaccurate data |
| **Erasure** (Art. 17) | Request deletion of your data ("right to be forgotten") |
| **Restriction** (Art. 18) | Ask us to limit how we use your data |
| **Portability** (Art. 20) | Receive your data in a machine-readable format |
| **Objection** (Art. 21) | Object to processing based on legitimate interests or direct marketing |
| **Withdraw Consent** (Art. 7) | Withdraw consent at any time, without affecting prior processing |
To exercise any right, email us at **legal@agentpick.co**. We will respond within **30 days**. In complex cases, we may extend this by an additional 60 days with notice.

You also have the right to **lodge a complaint** with your national data protection authority. In Italy, this is the **Garante per la protezione dei dati personali** (www.garanteprivacy.it).

---
## 8. Automated Decision-Making
We do not use fully automated decision-making (including profiling) that produces legal or similarly significant effects on you.

---
## 9. Cookies
We use cookies and similar tracking technologies. For full details, see our **[Cookie Policy](cookie-policy.en.md)**.

---
## 10. Children
AgentPick is not directed at children under 16. We do not knowingly collect data from minors. If you believe a minor has provided us with personal data, contact us at legal@agentpick.co and we will delete it promptly.

---
## 11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email (if you have an account) or via a banner on the platform. The "Last Updated" date at the top of this document reflects the most recent revision.

Continued use of the platform after changes constitutes acceptance of the updated policy.

---
## 12. Contact
**AgentPick**
agentpick.co
Email: legal@agentpick.co

For urgent data protection concerns, we aim to acknowledge your message within **48 hours**.