Privacy Policy

Last updated: April 2026

Overview

AgentiCraft is a service mesh for multi-agent AI. This privacy policy explains how we collect, use, and protect your data when you use our website, platform, and Telegram bot (@AgentiCraftBot).

Data We Collect

Account Data

When you register, we collect your name, email address, and optionally your organization name. If you sign in via GitHub, Google, or Telegram, we receive your profile information from those providers.

Waitlist Data

When you join the waitlist, we collect your name and email address. Referral codes are generated automatically. Your waitlist position and referral statistics are stored.

Telegram Bot Data

When you use @AgentiCraftBot, we process your messages to route them to the appropriate agent (Financial, Calendar, Grocery, Health, Briefing). Messages are classified into privacy levels (L0–L3) and routed accordingly:

  • L0 (Public): Grocery lists, task names — routed to any provider
  • L1 (Internal): Calendar events, meeting notes — routed to trusted providers
  • L2 (Confidential): Financial transactions — encrypted at rest
  • L3 (Restricted): Health data, medications — routed to local models only, never sent to external providers

API Keys

If you use BYOK (Bring Your Own Key), your API keys are encrypted with Fernet encryption before storage. We never access your keys except to route your requests.

Website Analytics

We use Vercel Analytics and Speed Insights to collect anonymous usage metrics (page views, performance). No personally identifiable information is collected through analytics.

Cookies

We use essential cookies for authentication and security:

  • next-auth.session-token: Authenticates your session (HttpOnly, SameSite)
  • next-auth.csrf-token: Prevents cross-site request forgery (HttpOnly)
  • next-auth.callback-url: Stores redirect destination after login (HttpOnly)

We do not use advertising or tracking cookies.

Your Rights (GDPR)

If you are in the European Economic Area, you have the following rights:

  • Right to access: Request a copy of your personal data
  • Right to rectification: Correct inaccurate data via your settings
  • Right to erasure: Delete your account via Settings > Security. Deletion has a 7-day grace period, after which all personal data is permanently removed and referral chains are anonymized
  • Right to portability: Export your data in a machine-readable format
  • Right to object: Object to processing by contacting us

To exercise these rights, email zaher@agenticraft.ai.

Data Processors

We use the following third-party services to operate the platform:

  • Vercel: Website hosting, analytics, and edge functions (USA)
  • Neon: Managed PostgreSQL database (USA)
  • Upstash: Redis for rate limiting (USA)
  • Resend: Transactional email delivery (USA)
  • Hetzner: VPS hosting for Platform API and Telegram bot (Finland)
  • LLM Providers: OpenAI, Anthropic, Google, and others as selected by you

Data Retention

  • Account data: Retained until you delete your account
  • Sessions: JWT tokens expire per NextAuth configuration
  • Audit logs: Retained for compliance purposes
  • Deleted accounts: 7-day grace period, then permanently erased
  • Invitation keys: Expired keys are automatically cleaned up

Data Security

We implement technical and organizational security measures including: TLS encryption in transit, encrypted API key storage (Fernet), password hashing (bcrypt), TOTP two-factor authentication, rate limiting, CSRF protection, and regular security reviews.

Data Controller

AgentiCraft is operated by Zaher Khateeb. For privacy inquiries: zaher@agenticraft.ai

Changes to This Policy

We may update this policy as our services evolve. Material changes will be communicated via email to registered users.