Privacy Policy
Last updated: March 10, 2026
1. Introduction
This Privacy Policy explains how INNOWEB FZCO ("Company", "we", "us"), operating the AgentGate platform at agentgate.sh, collects, uses, stores, and protects your personal data.
We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR), the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL), and other applicable data protection laws.
2. Data Controller
The data controller responsible for your personal data is:
INNOWEB FZCO
IFZA Business Park, DDP
PO Box 342001, Dubai, UAE
Email: info@agentgate.sh
3. Data We Collect
3.1 Account Data
When you create an account, we collect:
- Organization name — your chosen identifier on the platform
- Email address — used for account identification and communication
- Password — stored as a PBKDF2 hash (we never store plain-text passwords)
3.2 OAuth Data
If you sign up or log in via Google or GitHub, we receive:
- OAuth provider name (Google or GitHub)
- OAuth user ID — a unique identifier from the provider
- Email address — as provided by the OAuth provider
We do not receive or store your OAuth provider password.
3.3 API Keys
API keys are generated for programmatic access. We store only the SHA-256 hash of your API key. The plain-text key is shown to you once at creation and cannot be retrieved afterward.
3.4 Usage Data
We automatically collect:
- IP address — logged with each API request for security and rate limiting
- Task logs — agent invocation metadata (agent name, status, latency, timestamp)
- Request metadata — HTTP method, path, user agent, response status code
3.5 Payment Data
Payment processing is handled by Stripe. We do not store credit card numbers or bank account details. Stripe may collect and process payment information according to their Privacy Policy. We store only:
- Transaction amounts and timestamps
- Wallet balance
- Subscription tier and status
3.6 Agent Data
When you register or deploy agents, we store:
- Agent name, description, URL, version, tags, skills
- Agent authentication configuration
- Deployment metadata (container IDs, ports)
4. How We Use Your Data
We use your personal data for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and maintain the Service | Performance of contract (Art. 6(1)(b)) |
| Process payments and manage billing | Performance of contract (Art. 6(1)(b)) |
| Authenticate users and secure accounts | Performance of contract (Art. 6(1)(b)) |
| Enforce rate limits and prevent abuse | Legitimate interest (Art. 6(1)(f)) |
| Generate usage analytics and platform metrics | Legitimate interest (Art. 6(1)(f)) |
| Send service-related communications | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
5. Data Retention
- Account data — retained for the lifetime of your account, deleted upon account deletion
- Task logs — retained for 30 days, then automatically purged (capped at 10,000 logs per agent)
- Transaction records — retained for 7 years as required by applicable tax and accounting regulations
- IP addresses in logs — retained for 30 days
6. Sub-Processors
We share your data with the following third-party service providers, strictly for the purposes of operating the Service:
| Sub-Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Email, payment details, transaction amounts | USA (Privacy Shield certified) |
| DigitalOcean, LLC | Infrastructure hosting | All platform data (stored on our servers) | Germany (FRA1 datacenter) |
| Google LLC | OAuth authentication | OAuth tokens (during login flow only) | USA |
| GitHub, Inc. | OAuth authentication | OAuth tokens (during login flow only) | USA |
We do not sell your personal data to any third party.
7. International Data Transfers
Our servers are located in Germany (DigitalOcean FRA1). When data is transferred to sub-processors in the United States, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards to ensure adequate protection as required by the GDPR.
8. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), you have the following rights regarding your personal data:
- Right of Access — request a copy of the personal data we hold about you
- Right to Rectification — request correction of inaccurate or incomplete data
- Right to Erasure — request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing — request that we limit how we use your data
- Right to Data Portability — receive your data in a structured, machine-readable format
- Right to Object — object to processing based on legitimate interests
- Right to Withdraw Consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at info@agentgate.sh. We will respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority in your country of residence.
9. Cookies and Tracking
We use a minimal set of cookies strictly necessary for the Service:
- Session cookie ("session") — an HMAC-signed token for authentication. Expires after 7 days. Essential for login functionality.
We do not use analytics cookies, advertising cookies, or third-party tracking scripts. We do not use Google Analytics or similar services.
10. Security
We implement appropriate technical and organizational measures to protect your data:
- All traffic encrypted via HTTPS (TLS 1.2+)
- Passwords hashed with PBKDF2 (SHA-256, 600,000 iterations)
- API keys stored as SHA-256 hashes
- Database access restricted to internal network only
- Agent containers run in isolated Docker environments
- Rate limiting to prevent brute-force attacks
11. Children's Privacy
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance.
13. Contact
For privacy-related questions or to exercise your data rights, contact us at:
INNOWEB FZCO
IFZA Business Park, DDP
PO Box 342001, Dubai, UAE
Email: info@agentgate.sh