Privacy Policy

Last updated: May 1, 2026

This Privacy Policy describes how Agent-Forge (hereinafter, "the Application", "we", "us") collects, uses, and protects the personal information of users who access the platform, including sign-in via Google OAuth. By using the Application, you agree to the practices described in this document.

Agent-Forge is a project developed and maintained by Israel López as the data controller. For any privacy-related inquiry, please write to israel.lopez.developer@gmail.com.

1. Data controller

Controller: Israel López
Contact: israel.lopez.developer@gmail.com
Project: Agent-Forge — multi-tenant AI agent platform
Repository: github.com/IsraelLopezDeveloper/Agent-Forge

2. Data we collect

2.1. Data received via Google OAuth

When you sign in with Google, the Application requests only the minimum scopes required to create and maintain your account:

openid — unique identifier of your Google account.
email — your email address.
profile — your public name and, when available, your profile picture.

We do not request access to your Gmail, Drive, Calendar, contacts, or any other sensitive data of your Google account.

2.2. Data generated through use of the platform

Internal identifiers for user, tenant, and membership.
Configuration of the agents you install and references to encrypted secrets.
Execution records (inputs, outputs, logs, duration, estimated cost).
Events emitted by the agents you run within your tenant.
Internal billing data (usage, plan, wallet balance, transactions).

2.3. Technical data

IP address, user agent, and timestamp of requests.
Session tokens (JWT) stored in your browser.

3. Purposes and legal basis

Authentication and identification — link your Google account to a user on the platform. Basis: performance of a contract (Art. 6.1.b GDPR).
Service operation — install, configure, and execute agents on behalf of your tenant. Basis: performance of a contract.
Billing and usage metering — calculate consumption and cost per execution. Basis: performance of a contract and legal obligation.
Security and abuse prevention — audit access, prevent leaks across tenants, and detect misuse. Basis: legitimate interest (Art. 6.1.f GDPR).

4. How we protect your data

Tenant isolation. All data is segregated by tenant_id and protected by PostgreSQL Row Level Security as defense in depth.
Secret encryption. Tenant secrets are stored encrypted with Fernet; they are never returned in clear via the API and never written to logs.
HMAC signatures. Calls to external agents are signed with HMAC-SHA256 over the request body.
JWT tokens. The session is stateless; membership and roles are verified on every request.
Least privilege. We request from Google only the scopes that are strictly necessary.

5. Sharing data with third parties

We do not sell, rent, or transfer your personal data to third parties for commercial purposes. We only share information with the following providers strictly necessary to operate the service:

Google (Google OAuth) — to authenticate you. See Google's privacy policy.
Infrastructure providers — hosting of database, cache, and backend (when applicable).
Payment gateways — if you activate a paid plan, billing data may be transmitted to Stripe or an equivalent provider.
External agents that you install — when running an external agent, the input data you provide is sent to that agent's HTTP endpoint, under your own control.

We also do not use the data obtained from Google to train general-purpose AI models or for advertising.

6. Compliance with the Google API Services User Data Policy

Agent-Forge's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

7. Data retention

Account data: while your account remains active.
Execution records and events: as long as needed for audit, billing, or incident resolution.
After account deletion: personal data is deleted or anonymized within a reasonable period, except for legal retention obligations.

8. Your rights

Under the GDPR and equivalent regulations, you may exercise the following rights at any time:

Access to your personal data.
Rectification of inaccurate data.
Erasure ("right to be forgotten").
Restriction of, or objection to, processing.
Data portability.
Withdraw the consent granted to Google at myaccount.google.com/permissions.

To exercise them, write to israel.lopez.developer@gmail.com indicating the right you wish to exercise and a means of identification. You may also file a complaint with the Spanish Data Protection Agency (aepd.es) or your local supervisory authority.

9. Cookies and local storage

The Application uses browser local storage (localStorage or sessionStorage) to keep your session active via a JWT token. We do not use advertising tracking cookies or third-party analytics on this landing page.

10. Minors

Agent-Forge is not directed to children under 14, and we do not knowingly collect data from minors. If you believe a minor has provided us with personal data, please contact us to remove it.

11. Changes to this policy

We may update this Privacy Policy in the future. The date of the latest revision appears at the top of the document. If changes are material, you will be notified through the platform itself or by email.

12. Contact

For any question about this policy or the processing of your personal data, please contact the controller at israel.lopez.developer@gmail.com.