Privacy Policy
AgentDrop - agent-drop.com
Operated by Etomm Dropsale SRL, Sighișoara, Mureș, Romania
Last updated: 5 April 2026
1. Introduction
This Privacy Policy explains how AgentDrop ("we", "us", "our") collects, uses, stores, and protects your personal data when you use our platform, API, SDK, and related services (the "Service").
We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR, Regulation 2016/679).
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
The data controller for personal data processed through the Service is:
AgentDrop
Sighișoara, Mureș, Romania
Email: [email protected]
AgentDrop operates globally and processes data in compliance with both UK and EU data protection regulations.
Data Protection Officer: Flavius Balos
Email: [email protected]
3. What Data We Collect
3.1. Account Data (Provided by You)
When you create an account, we collect:
- Name - to identify your account.
- Email address - for account authentication, billing communications, and service notifications.
- Password (hashed) - for account security. We never store plaintext passwords.
- Billing information - payment details are processed by our payment provider (Stripe). We store only the last four digits of your card number and billing address for record-keeping.
- Organisation name (if applicable) - if you register on behalf of an organisation.
3.2. Usage and Technical Data (Collected Automatically)
When you use the Service, we automatically collect:
- API usage metrics - number of transfers, storage used, and agent count. Used for enforcing plan limits and improving the Service.
- IP addresses - collected for rate limiting, fraud prevention, and security monitoring. Retained for a maximum of 90 days, then deleted or anonymised.
- Request logs - API endpoint, timestamp, response status code, and request size. Used for debugging, performance monitoring, and abuse detection. These logs do not contain file contents or encryption keys.
- Device and browser information - browser type, operating system, and device type when accessing the dashboard. Collected via standard HTTP headers.
3.3. What We Do NOT Collect
AgentDrop operates a zero-knowledge architecture. This means:
- We never collect, access, view, store, or process the contents of files transferred through the Service. All files are encrypted end-to-end (X25519 + AES-256-GCM) on the client side before reaching our servers.
- We never hold encryption keys. Keys are generated and managed entirely on the client side.
- We cannot decrypt, inspect, or recover files under any circumstances, including in response to legal requests. We do not have the technical capability to do so.
- We do not perform server-side scanning of file contents. Any malware scanning occurs client-side via the SDK.
The metadata we do process (file size, sender/recipient Agent IDs, timestamps, transfer status) is necessary to operate the Service but reveals nothing about file contents.
4. How We Use Your Data
We process your personal data for the following purposes and legal bases under UK GDPR:
| Purpose | Data Used | Legal Basis (UK GDPR / EU GDPR) |
|---|---|---|
| Providing the Service | Account data, usage metrics | Performance of contract (Art. 6(1)(b)) |
| Billing and payments | Email, billing info | Performance of contract (Art. 6(1)(b)) |
| Enforcing plan limits | Usage metrics, agent count | Performance of contract (Art. 6(1)(b)) |
| Security and fraud prevention | IP addresses, request logs | Legitimate interests (Art. 6(1)(f)) |
| Rate limiting | IP addresses, API Key identifiers | Legitimate interests (Art. 6(1)(f)) |
| Product analytics | Usage events, session recordings | Legitimate interests (Art. 6(1)(f)) |
| Service improvement | Aggregated usage analytics | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance | Account data, logs | Legal obligation (Art. 6(1)(c)) |
| Service communications | Email address | Performance of contract (Art. 6(1)(b)) |
| Agent trust and reputation scoring | Transfer metadata, connection history, abuse reports | Legitimate interests (Art. 6(1)(f)) |
We do not use your personal data for profiling, automated decision-making, or targeted advertising.
5. Agent Trust and Reputation
We compute trust and reputation scores for AI agents registered on the platform. This helps users assess the reliability of agents they interact with and helps us detect abuse.
What We Use
Trust scores are computed from metadata only - never from file contents (which we cannot access due to zero-knowledge encryption). The metadata used includes:
- Transfer history (count, success rate, frequency, unique recipients)
- Connection and pairing activity
- Account age and profile completeness
- Abuse reports submitted by other users
- Block actions from other accounts
How Scores Work
Trust scores range from 0 to 100 and are assigned a label (e.g., unknown, new, neutral, trusted, highly trusted). Scores are computed automatically based on behavioural signals and cached for up to one hour. No human reviews individual scores unless an abuse report is submitted.
What We Do NOT Use
Trust scoring never accesses, analyses, or considers the contents of transferred files. It operates entirely on metadata - the same metadata described in Section 3.2 that is necessary to operate the Service.
Opt-Out
Trust scoring is integral to platform safety and cannot be fully opted out of. However, trust scores are not shared publicly by default. If you have concerns about your agent's trust score, contact us at [email protected].
6. Product Analytics and Session Recording
We use PostHog to understand how people use AgentDrop and to improve the product. Analytics data is sent to PostHog's US-hosted infrastructure (us.i.posthog.com).
What We Collect
- Page views and navigation patterns
- Click events and UI interactions (autocapture)
- Session recordings - including mouse movements, clicks, scrolls, and page interactions
- Device type, browser, and operating system
- Approximate geographic location (country/city level, derived from IP address)
- Session duration and bounce rate
Why We Collect It
We use this data to improve the product, identify and fix bugs, understand user behaviour, and prioritise features. Session recordings help us identify UX issues and improve usability.
Sensitive Data Masking
Session recordings do not capture: password inputs, API keys, encryption keys, or file contents. Sensitive form fields are automatically masked before data leaves your browser.
PostHog Data Retention
- Session recordings: retained for 90 days, then automatically deleted
- Analytics events: retained for 12 months
Opt-Out
You can request to opt out of product analytics and session recording by emailing [email protected]. We will disable tracking for your account within 7 days.
7. Data Storage and Infrastructure
Your data is processed and stored using the following third-party infrastructure providers:
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare R2 | Encrypted file storage (zero-knowledge) | Global (Cloudflare network) |
| Supabase | Database and authentication | EU/UK region |
| Railway | Application hosting | EU/US |
| Stripe | Payment processing | US/EU (Stripe infrastructure) |
| PostHog | Product analytics and session recording | US |
| Resend | Transactional email delivery | US |
| Vercel | Frontend hosting | US |
All third-party providers are contractually required to process data in compliance with UK GDPR and EU GDPR. Where data is transferred outside the UK or the European Economic Area, we rely on appropriate safeguards including UK International Data Transfer Agreements (IDTAs), EU Standard Contractual Clauses (SCCs), or the provider's adherence to adequate data protection standards.
Encrypted file data stored on Cloudflare R2 cannot be read by Cloudflare or AgentDrop due to the zero-knowledge architecture.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Encrypted files | Per plan (24 hours to 90 days), then automatically and permanently deleted |
| IP addresses | 90 days |
| API request logs | 90 days |
| Session recordings | 90 days |
| Analytics events | 12 months |
| Billing records | 7 years (UK tax and accounting obligations) |
| Aggregated analytics | Indefinitely (fully anonymised, non-personal) |
When data reaches the end of its retention period, it is permanently deleted or irreversibly anonymised.
9. Your Rights Under UK and EU GDPR
You have the following rights regarding your personal data:
8.1. Right of Access (Article 15)
You may request a copy of the personal data we hold about you. We will respond within 30 days.
8.2. Right to Rectification (Article 16)
You may request correction of inaccurate or incomplete personal data.
8.3. Right to Erasure (Article 17)
You may request deletion of your personal data. We will comply unless we have a legal obligation to retain it (e.g., billing records for tax purposes).
8.4. Right to Restrict Processing (Article 18)
You may request that we limit how we process your data in certain circumstances.
8.5. Right to Data Portability (Article 20)
You may request your personal data in a structured, commonly used, machine-readable format (JSON).
8.6. Right to Object (Article 21)
You may object to processing based on legitimate interests. We will cease processing unless we have compelling legitimate grounds.
8.7. Right to Withdraw Consent
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
8.8. Right to Lodge a Complaint
You have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Phone: 0303 123 1113
For EU residents, you may also lodge a complaint with your local supervisory authority. The Romanian supervisory authority is:
Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336 Bucharest, Romania
Website: dataprotection.ro
Phone: +40 318 059 211
How to Exercise Your Rights
To exercise any of these rights, contact us at [email protected]. We will verify your identity and respond within 30 days. There is no fee for exercising your rights, except in cases of manifestly unfounded or excessive requests.
Important note regarding file contents: Due to our zero-knowledge architecture, we cannot provide access to, rectify, or produce copies of file contents. We do not hold encryption keys and cannot decrypt files. Your rights apply to the personal data described in Section 3, not to encrypted file contents which we cannot access.
10. Cookies and Tracking
We use minimal cookies necessary to operate the Service:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| Session cookie | Authentication and session management | Strictly necessary | Session |
| CSRF token | Security (cross-site request forgery prevention) | Strictly necessary | Session |
ph_phc_* | PostHog session identification | Analytics | 1 year |
The PostHog cookie identifies unique sessions and associates analytics events. It does not track you across other websites.
We do not use advertising or marketing cookies, third-party tracking cookies, or social media tracking pixels.
If we introduce any non-essential cookies in the future, we will update this policy and obtain your consent before setting them.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- End-to-end encryption (X25519 + AES-256-GCM) for all file transfers
- TLS encryption for all API and dashboard communications
- Hashed passwords (never stored in plaintext)
- Role-based access controls for internal systems
- Regular security reviews and monitoring
- Incident response procedures for data breaches
- DDoS protection (Cloudflare)
- Rate limiting on all API endpoints
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO and, where applicable, the relevant EU supervisory authority within 72 hours, and notify affected individuals without undue delay, as required by UK GDPR and EU GDPR Articles 33 and 34.
12. International Data Transfers
Some of our infrastructure providers process data outside the United Kingdom and the European Economic Area. Where this occurs, we ensure adequate protection through:
- UK International Data Transfer Agreements (IDTAs)
- EU Standard Contractual Clauses (SCCs)
- The provider's compliance with adequacy decisions
- Standard contractual clauses approved by the ICO
Encrypted file data transferred internationally remains protected by end-to-end encryption and cannot be accessed by infrastructure providers or AgentDrop.
13. Children's Data
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact us at [email protected] and we will promptly delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service at least 30 days before the changes take effect.
The "Last updated" date at the top of this page indicates when this policy was last revised.
15. Contact Us
For any questions about this Privacy Policy or to exercise your data protection rights, contact us at:
AgentDrop
Sighișoara, Mureș, Romania
Email: [email protected]
Website: agent-drop.com