AgentPlugged

Privacy Policy

Last updated: March 16, 2026

1. Data Controller

Identity: Innovel Studio (SASU)

Address: 58 rue de Monceau, 75008 Paris

DPO / contact email: privacy@agentplugged.ai

2. Data Collected

2.1 Account data

When registering and using the Platform, we collect: first name, last name, email address, password (hashed), billing information (via our payment provider), IP address, and connection data.

2.2 Usage data

We collect data related to Platform usage: activity logs, agent configurations, performance metrics, API requests (metadata only, not the content of exchanges with LLMs unless debug mode is enabled by the User).

2.3 Data processed by AI Agents

AI Agents created by Users may process data on behalf of the User. The Publisher acts as a data processor for this data. The User remains responsible for the lawfulness of the processing and for informing the data subjects.

2.4 Cookies and trackers

The Platform uses cookies strictly necessary for the operation of the service (authentication, preferences). Analytical and audience measurement cookies are only set with the User's explicit consent, in accordance with CNIL recommendations.

3. Purposes and Legal Basis

Purpose | Legal Basis | Retention Period
Account management and provision of Services | Contract performance (art. 6.1.b GDPR) | Duration of contractual relationship + 3 years
Billing and accounting | Legal obligation (art. 6.1.c GDPR) | 10 years (accounting obligations)
Customer support | Contract performance | Duration of relationship + 2 years
Platform improvement and statistics | Legitimate interest (art. 6.1.f GDPR) | 26 months (anonymized data)
Marketing communication | Consent (art. 6.1.a GDPR) | Until consent withdrawal
Security and fraud prevention | Legitimate interest | 1 year (security logs)
Hosting and execution of AI Agents | Contract performance (subprocessing art. 28 GDPR) | Duration of contract + 30 days

4. Data Recipients

Personal data may be shared with the following categories of recipients:

  • a) Technical providers: infrastructure host, payment provider, LLM model providers (only the metadata necessary for request execution);
  • b) Service providers: emailing tool, analytics (if consent given);
  • c) Competent authorities when required by law.

Providers are subject to contractual confidentiality and security obligations compliant with GDPR.

5. Transfers Outside the EU

Some providers are located outside the European Economic Area. These transfers are governed by standard contractual clauses of the European Commission, in accordance with articles 44 to 49 of the GDPR. The providers concerned are: Railway (Platform hosting, United States), OpenAI (LLM models, United States), Stripe (payment, United States), Resend (transactional emailing, United States).

6. Data Security

The Publisher implements appropriate technical and organizational measures to ensure data security:

  • a) Encryption of data in transit (TLS 1.3) and at rest;
  • b) Encryption of stored third-party API keys;
  • c) Enhanced authentication and role-based access management;
  • d) Access logging and continuous monitoring;
  • e) Regular backups and disaster recovery plan;
  • f) Regular security testing.

7. Subprocessing — Data Processing Agreement (DPA)

When the Publisher processes personal data on behalf of the User (in the context of AI Agent execution), it acts as a data processor within the meaning of article 28 of the GDPR.

As such, the Publisher commits to:

  • a) Process data only on documented instructions from the User;
  • b) Ensure data confidentiality;
  • c) Implement the security measures described in section 6;
  • d) Not engage another subprocessor without prior authorization;
  • e) Cooperate with the User to respond to data subject rights requests;
  • f) Notify the User without undue delay (and no later than 72 hours) of any data breach;
  • g) Delete or return data at the end of the contract, at the User's choice.

8. Data Subject Rights

In accordance with the GDPR, you have the following rights:

Right of access: obtain confirmation of the processing of your data and a copy thereof.

Right of rectification: correct inaccurate or incomplete data.

Right to erasure: request deletion of your data (subject to legal retention obligations).

Right to restriction: request suspension of processing in certain cases.

Right to portability: receive your data in a structured, commonly used and machine-readable format.

Right to object: object to processing based on legitimate interest.

Right to withdraw consent: withdraw your consent at any time for processing based on consent.

To exercise your rights, contact us at the address indicated in section 1. We will respond within a maximum of 30 days.

If you are not satisfied with our response, you may lodge a complaint with the CNIL (www.cnil.fr).

9. AI and Transparency

The Platform uses artificial intelligence models (LLMs) for the generation and execution of AI Agents. In accordance with the EU AI Act:

  • a) Deployed AI Agents do not interact directly with natural persons without their knowledge (transparency obligation);
  • b) The User is responsible for classifying the risk level of their AI Agents and for complying with the corresponding obligations;
  • c) The Publisher provides the technical documentation necessary to enable the User to fulfill their obligations.

10. Data Breach Notification

In case of a personal data breach presenting a risk to the rights and freedoms of data subjects, the Publisher will:

  • a) Notify the CNIL within 72 hours of becoming aware of the breach;
  • b) Inform the data subjects without undue delay if the risk is high;
  • c) Document the incident in a breach register.

11. Amendments

This Privacy Policy may be amended at any time. Users will be informed of any material changes by email at least 30 days before they take effect.