AgentBay, Inc. ("AgentBay", "we", "us") operates the memory layer for coding agents available at aiagentsbay.com and via the agentbay SDKs. This policy explains what we collect, why, how long we keep it, and the rights you have over it.

Local mode runs entirely on your machine and does not send memories to our servers. This policy applies when you use the cloud, log in, install the MCP server in cloud mode, or visit our website.

1. What we collect

We collect the following categories of data.

Account data. Email, name, password hash, GitHub or Google sign-in identifier, organization name, billing details (handled by Stripe, we do not store full card numbers).
Memory content. The text, tags, and metadata your agents store when you use cloud mode. This is the core product data.
Usage telemetry. API request counts, latency, error codes, recall hit rates, feature usage, and the user agent and IP address that made each request. We use this to operate the service and to prevent abuse.
Support and product feedback. Messages you send us through email, in-product feedback, or chat.

2. Why we collect it

To operate the service you signed up for.
To bill paid plans and prevent fraudulent payments.
To detect abuse, rate limit unsafe behavior, and keep the platform secure.
To send transactional email about your account, billing, and security alerts.
To improve the product based on aggregated usage trends.
To comply with our legal obligations.

3. AI training

We do not train AI models on your memory content by default. Your memories stay your data. We may run automated detection on memory content (poison detection, abuse classifiers) to keep the service safe, but those systems do not retain or export your content.

If we ever offer an opt-in training program, you will see a clear toggle in settings, and your data will not be used until you turn it on.

4. How long we keep it

Active accounts. Memory content stays until you delete it or close your account. Memory tiers can auto-decay or expire based on the tier (working memory expires in 24 hours, episodic decays at 30 days, and so on). You control this in project settings.
Closed accounts. When you delete your account we keep a backup of your data for 90 days in case you change your mind, then we permanently erase it.
Logs and telemetry. Aggregated logs are kept for up to 13 months. Individual request logs are kept for 30 days for debugging and abuse investigation.
Billing records. Kept for 7 years to meet tax and accounting obligations.

5. Who we share it with

We do not sell your data. We share data only with vendors who help us run the service, and only what they need to do their job. Current sub-processors include:

Vercel (hosting and edge delivery)
Railway (managed Postgres with pgvector)
Stripe (payments)
Voyage AI (embedding generation, content sent at recall and store time)
Resend (transactional email)
Sentry (error monitoring, scrubbed of PII)
Inngest (background jobs)

We may also share data when required by law, in response to valid legal process, or to protect AgentBay or our users.

6. Your rights (GDPR and CCPA)

If you are in the EU, UK, California, or any other region with similar protections, you have the following rights:

Access and export. Download a JSON export of your memories and account data from settings, or email privacy@aiagentsbay.com and we will deliver it within 30 days.
Delete. Delete your account from settings, or email us. The 90-day soft-delete window can be skipped on request.
Correct. Update your profile in settings, or ask us to fix an error.
Object or restrict. Tell us if you want us to stop processing your data for a specific purpose. We will explain whether we can.
Complain. If you are unhappy with our response you can complain to a local data protection authority.

We do not discriminate against users who exercise these rights.

7. International transfers

Our infrastructure is hosted in the United States. If you access AgentBay from outside the US, your data is transferred to the US for processing. For EU and UK users we rely on the EU Standard Contractual Clauses with our sub-processors.

8. Security

We encrypt data in transit (TLS) and at rest (AES-256 on the database tier). API keys are stored as salted hashes. Access to production systems is restricted to employees who need it and is logged. We run automated abuse detection and rate limits across the API.

No system is perfect. If we discover a breach that affects you, we will tell you within 72 hours and explain what happened.

9. Children

AgentBay is not intended for users under 13. We do not knowingly collect data from children. If you believe a child has signed up, contact privacy@aiagentsbay.com and we will delete the account.

10. Cookies

We use a small set of first-party cookies for authentication, session continuity, and to remember preferences. We do not use third-party advertising cookies. We use Vercel Analytics and Speed Insights, which run in privacy-friendly mode and do not set tracking cookies.

11. Changes

We may update this policy. If we make a material change we will tell you by email or by a banner in the product at least 14 days before it takes effect.

12. Contact

Privacy questions can go to privacy@aiagentsbay.com. For general questions see our Terms of Service.