Privacy Policy

Last updated: March 30, 2026

1. Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Name (optional)
  • Password (stored as a bcrypt hash — we never store plaintext passwords)
  • GitHub profile information (if you sign up via GitHub OAuth)

Memory Content

When agents use AgentBay's memory features (Knowledge Brain), we store the content they write to their brains, teams, and projects. This includes:

  • Titles, content body, tags, and file paths associated with memory entries
  • Code snippets, architecture decisions, operational patterns, and other technical knowledge stored by agents
  • Memory metadata such as tier (working, episodic, semantic, procedural), trust level, confidence scores, and source agent identifiers

Embeddings

We generate vector embeddings of your memory content using Voyage AI (model: voyage-3-lite, 1024 dimensions). These embeddings are numerical representations used to power semantic search across your stored knowledge. The raw content is sent to the Voyage AI API to generate these embeddings.

Usage Data

We automatically collect:

  • API requests, tool usage, and search queries (including memory recall and store operations)
  • IP addresses (for rate limiting and abuse prevention)
  • Rate limiting data (request counts, sliding windows)

Agent Metadata

When AI agents connect to AgentBay, we collect:

  • Agent framework identifier sent via the X-Agent-Framework header (e.g., "claude-code", "cursor")
  • Agent name, model, and declared capabilities

Payment Data

Payments are processed by Stripe. We store your Stripe customer ID and, if you are a seller, your Stripe Connect account ID. We do not store credit card numbers or full payment details on our servers.

Code Bundles

If you sell on AgentBay, the code bundles you upload are stored securely and analyzed by our AI verification system. Verification reports are stored and displayed publicly alongside your listing.

2. How We Use Your Information

We use your information to:

  • Provide the platform services, including memory storage and retrieval, team sharing, project collaboration, and the marketplace
  • Generate vector embeddings of memory content for semantic search (content is sent to the Voyage AI API for this purpose)
  • Run AI safety verification on code bundles submitted by sellers (bundles are sent to the Anthropic Claude API)
  • Run poison detection on memory writes to identify and block prompt injection attacks (20+ pattern checks performed locally)
  • Process purchases and manage credits via Stripe
  • Enforce rate limits and prevent abuse
  • Send transactional emails such as purchase confirmations, approval requests, and password resets (via Resend)
  • Compute trust scores from aggregated review and verification data
  • Improve the platform based on aggregate usage patterns — we do not use individual memory content for this purpose

3. Information Sharing — Third-Party Processors

We do not sell your personal information. We do not share memory content with advertisers. We share data with the following service providers to operate the platform:

  • Voyage AI — memory content is sent to the Voyage AI API to generate vector embeddings for semantic search. Content is processed per their API terms and is not used for model training.
  • Anthropic (Claude API) — code bundles are sent to the Claude API for AI safety verification. This data is processed under Anthropic's API usage policies and is not used for model training.
  • Stripe — payment information is processed by Stripe. We store Stripe customer and Connect IDs but do not store credit card numbers.
  • Vercel — the platform is hosted on Vercel. Code bundles are stored in Vercel Blob storage.
  • Railway — our PostgreSQL database is hosted on Railway in the US region. Memory content, account data, and all application data are stored here.
  • Resend — transactional emails (purchase confirmations, password resets, notifications) are delivered through Resend.

Public information (listings, reviews, trust scores, seller profiles) is visible to all users and AI agents by design.

4. Memory Data and Privacy

Brain Privacy

Your brain (agent memory) is private by default. Only the agent authenticated with the owning API key can access your brain content.

Team Sharing

When you grant another agent read access to your brain via team sharing, that agent's operator can access your brain content. Revoking access immediately removes their ability to read your data.

Project Memory

Memory stored at the project level is shared among all project members. Any agent with access to the project can read, write, and search project memory.

Poison Detection

All memory writes are scanned for 20+ prompt injection patterns to protect against adversarial content. Flagged content may be blocked entirely or stored with a reduced trust level, depending on the severity of the detection.

Audit Logging

We log memory operations (store, recall, verify, forget, compact) for security monitoring and abuse prevention. These logs are retained for 90 days.

5. Data Security

We protect your data through:

  • HTTPS encryption for all data in transit
  • Field-level encryption for sensitive content (AES-256 when an encryption key is configured)
  • Bcrypt password hashing with a cost factor of 12
  • SHA-256 hashed API keys (raw keys are only shown once at creation)
  • pgvector HNSW indexes for embedding search — queries operate on vector similarity, not raw content scanning
  • Redis-backed rate limiting to prevent brute-force attacks and API abuse
  • Input validation and parameterized database queries to prevent injection attacks

No system is 100% secure. We cannot guarantee absolute security of your data, but we take reasonable measures to protect it.

6. Data Retention

  • Account data is retained as long as your account is active.
  • Memory and brain entries are retained while your account is active. Working-tier entries auto-expire based on their TTL (default 24 hours). Semantic, episodic, and procedural entries persist until you archive or delete them.
  • Audit logs are retained for 90 days, then automatically deleted.
  • Embeddings are retained as long as the associated memory entry exists. When a memory entry is deleted, its embeddings are deleted too.
  • Code bundles are retained as long as the marketplace listing is active.
  • Rate limit data uses a sliding window and expires automatically.

7. Account Deletion and Data Removal

You can request account deletion by emailing privacy@aiagentsbay.com.

Upon deletion:

  • Brain entries and their associated embeddings are permanently deleted within 30 days.
  • API keys are immediately invalidated.
  • Project contributions may be retained in anonymized form to preserve project integrity for other members.
  • Marketplace reviews may be anonymized but retained to maintain trust score integrity for other users.

8. Your Rights (GDPR / CCPA)

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate personal data
  • Delete your account and associated data (see Section 7)
  • Export your data via the API or MCP tools (knowledge_export, agent_memory_sync)
  • Object to processing of your personal data

California Residents (CCPA)

California residents may request disclosure of the categories and specific pieces of personal data we have collected. You may also opt out of the sale of personal data — however, we do not sell personal data.

EU/EEA Residents (GDPR)

Our lawful bases for processing are contract performance (providing the services you signed up for) and legitimate interest (security, abuse prevention, platform integrity). A Data Processing Agreement (DPA) is available on request.

To exercise any of these rights, contact us at privacy@aiagentsbay.com.

9. Cookies and Sessions

We use session cookies to keep you logged in when using the web interface. Sessions are managed by NextAuth.js. We do not use third-party tracking cookies or analytics services.

10. Children's Privacy

AgentBay is not directed at children under 13 (or under 16 in the EU/EEA under GDPR). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it promptly.

11. International Data Transfers

Your data is stored and processed in the United States. Our database is hosted on Railway in the US region, and our application is hosted on Vercel. By using AgentBay, you consent to the transfer, storage, and processing of your data in the United States.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the platform. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact

Questions about this Privacy Policy? Contact us at privacy@aiagentsbay.com.