Privacy Policy

    Effective date: March 2, 2026 · Last updated: March 4, 2026

    This Privacy Policy explains how Agensi BV i.o. ("Agensi," "we," "us," or "our") collects, uses, stores, and shares your personal data when you use the Agensi platform at agensi.io ("Platform").

    Agensi is based in the Netherlands and processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

    1. Data Controller

    The data controller responsible for your personal data is:

    Agensi BV i.o.

    Email: info@agensi.io

    Location: Netherlands (full address available upon written request)

    2. What Data We Collect

    2.1 Account Data

    When you create an account, we collect your email address, display name, and password (hashed; we never store plaintext passwords). If you sign up using a third-party provider (e.g., Google), we receive your name and email from that provider.

    2.2 Creator Profile Data

    If you register as a Creator, we additionally collect your bio, social media links (if provided), and Stripe Connect account information (processed by Stripe; see Section 5).

    2.3 Purchase and Transaction Data

    When you purchase a skill, we collect records of what you purchased, when, the price paid, and your payment method details (processed and stored by Stripe; we do not store your card number or payment credentials).

    2.4 Download Data

    When you download a skill, we record the download timestamp, the skill and version downloaded, the unique fingerprint assigned to that download, and your IP address at the time of download. This data is collected for anti-piracy and IP protection purposes (see Section 3.3).

    2.5 Skill Submission Data

    When Creators upload skills, we collect the zip file contents, SKILL.md metadata, listing descriptions, pricing, tags, version history, and changelogs. We also collect the results of the automated security scan performed on each submission, including scan scores, individual check results, and any flagged patterns.

    2.6 Bounty and Request Data

    When you submit a skill request or set a bounty, we collect the request content, bounty amount, and associated payment data. When Creators submit solutions to bounty requests, we collect the uploaded skill zip and the Creator's message. Bounty payment data is processed by Stripe.

    2.7 Communications Data

    If you send messages through the Platform's messaging system, post comments on skill requests, contact us via email, or submit a piracy report, we collect the contents of those communications.

    2.8 Technical Data

    We automatically collect limited technical data when you use the Platform, including browser type, operating system, referring URL, pages visited, and timestamps. We do not use third-party analytics tools. We do not use tracking cookies except for the referral attribution cookie described in Section 4.

    3. How We Use Your Data

    3.1 To Operate the Platform

    We use your data to create and manage your account, process purchases and deliver skills, manage Creator payouts via Stripe Connect, display Creator profiles and skill listings, send transactional emails (purchase confirmations, update notifications, piracy report outcomes), and operate the skill request board, reviews, and referral system.

    Legal basis: Performance of a contract (Article 6(1)(b) GDPR).

    3.2 To Communicate With You

    We use your email address to send transactional notifications related to your account, purchases, and skills. We do not send marketing emails unless you explicitly opt in via the newsletter subscription. You may unsubscribe from non-essential notifications at any time.

    Legal basis: Performance of a contract for transactional emails; consent for marketing emails (Article 6(1)(a) GDPR).

    3.3 To Protect Creator IP

    We use download data, including IP addresses and buyer fingerprints, to enable piracy reporting and enforcement. When a Creator submits a piracy report, we may match fingerprints in leaked content to buyer accounts. We may disclose limited account information (masked email, download date) to the Creator for enforcement purposes.

    Legal basis: Legitimate interests (Article 6(1)(f) GDPR) — protecting intellectual property and the integrity of the marketplace.

    3.4 To Enforce Our Terms

    We use account and activity data to detect and prevent abuse, fraud, and violations of our Terms of Service, including unauthorized redistribution, multi-account abuse, and referral fraud.

    Legal basis: Legitimate interests (Article 6(1)(f) GDPR).

    3.5 To Comply With Legal Obligations

    We may process your data to comply with applicable laws, regulations, or legal proceedings, including DMCA takedown requests and tax obligations.

    Legal basis: Legal obligation (Article 6(1)(c) GDPR).

    4. Cookies

    Agensi uses minimal cookies:

    Authentication cookie: A session cookie to keep you logged in. Essential for Platform functionality. No consent required.

    Referral attribution cookie: When you arrive at Agensi via a Creator's referral link, we set a cookie that stores the referral code. This cookie expires after 30 days and is used solely to attribute referral commissions. This cookie is set based on our legitimate interest in operating the referral program.

    We do not use advertising cookies, third-party tracking cookies, or analytics cookies.

    5. Third-Party Data Processors

    We share your personal data with the following third-party processors, each of whom processes data on our behalf under a data processing agreement:

    ProcessorPurposeData SharedPrivacy Policy
    Supabase (US)Database hosting, authenticationAccount data, purchase records, download records, skill datasupabase.com/privacy
    Stripe (US)Payment processing, Creator payoutsName, email, payment details, transaction recordsstripe.com/privacy
    Resend (US)Transactional email deliveryEmail address, email contentresend.com/legal/privacy-policy

    Where data is transferred outside the European Economic Area (EEA), these transfers are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by the GDPR.

    6. Data Retention

    Account data: Retained for as long as your account is active. Upon account deletion, personal data is deleted within 30 days, except where retention is required by law.

    Transaction and purchase records: Retained for 7 years after the transaction date to comply with Dutch tax and accounting obligations.

    Download records and fingerprints: Retained for as long as the associated skill is listed on the Platform, plus 2 years after removal, to support piracy reporting and enforcement.

    Communications and support data: Retained for 2 years after the last interaction, unless a longer period is required for ongoing disputes or legal proceedings.

    Referral cookie data: Automatically deleted after 30 days.

    7. Your Rights

    Under the GDPR, you have the following rights regarding your personal data:

    Right of access: You may request a copy of the personal data we hold about you.

    Right to rectification: You may request correction of inaccurate or incomplete personal data.

    Right to erasure: You may request deletion of your personal data, subject to legal retention obligations.

    Right to restriction: You may request that we restrict the processing of your data in certain circumstances.

    Right to data portability: You may request a copy of your data in a structured, machine-readable format.

    Right to object: You may object to processing based on legitimate interests at any time.

    Right to withdraw consent: Where processing is based on consent (e.g., marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing.

    To exercise any of these rights, contact us at info@agensi.io. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.

    8. Data Security

    We implement appropriate technical and organizational measures to protect your personal data, including encryption of data in transit (TLS) and at rest, hashed password storage, signed and expiring download URLs, and access controls limiting who can access personal data. No system is completely secure. While we take reasonable precautions, we cannot guarantee absolute security.

    9. Children

    Agensi is not directed at individuals under 18 years of age. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a person under 18, we will delete it promptly.

    10. Changes to This Policy

    We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Platform and updating the "Last updated" date. Your continued use of the Platform after changes are posted constitutes acceptance of the revised policy.

    11. Contact

    For questions about this Privacy Policy or to exercise your data rights, contact us at:

    Email: info@agensi.io

    Data Controller: Agensi BV i.o.

    Location: Netherlands (full address available upon written request)

    Supervisory Authority: Autoriteit Persoonsgegevens