Privacy Policy

Last updated: April 17, 2026

Short version: we collect your email, one cookie keeps you logged in, we don't track you, we don't sell your data. If you use x402, we also store your wallet address and transaction hashes. The long version is below.

1. Who we are

LetAgentPay ("we", "us", "our") operates the website letagentpay.com and provides a policy middleware service for AI agents. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and services.

For questions about this policy, contact us at support@letagentpay.com.

2. Data we collect

Account data

When you create an account, we collect your email address. This is the only personal information required to use LetAgentPay. We use passwordless authentication via magic links sent to your email. You may optionally provide a display name, preferred currency, and timezone.

Agent and transaction data

When you create agents and they submit purchase requests, we store: agent names and configurations, spending policies, purchase request details (amount, category, merchant, description), and approval/rejection decisions. This data is necessary to operate the service and provide audit trails.

Notification data

If you enable notifications, we store the configuration needed to deliver them: Web Push subscription endpoints and Telegram usernames.

Blockchain data (x402)

If you use the x402 protocol for on-chain payments, we additionally store: wallet addresses, blockchain network identifiers, and transaction hashes. Wallet addresses may be publicly linkable to on-chain activity.

Technical data

Our servers automatically collect standard technical information when you access the website: IP address, browser type, and request timestamps. This data is used solely for security monitoring and service operation. We do not use third-party analytics or tracking services.

3. How we use your data

  • Provide the service — authenticate your account, enforce spending policies, process purchase requests, and maintain audit logs.
  • Send transactional emails — magic link authentication, purchase notifications, and critical service alerts. We do not send marketing emails.
  • Improve and secure the service — monitor for abuse, debug issues, and improve performance.

4. Legal basis for processing (GDPR)

If you are in the European Economic Area (EEA), UK, or Switzerland, we process your data under the following legal bases:

  • Contract performance — processing necessary to provide the service you signed up for (account management, policy enforcement, purchase processing).
  • Legitimate interest — security monitoring, fraud prevention, and service improvement.

5. Cookies

We use a single, strictly necessary cookie:

Cookie          Purpose                                    Duration   Type
access_token    Keeps you signed in (JWT authentication)   7 days     Strictly necessary

This cookie is HTTP-only and secure. It cannot be read by JavaScript and is only sent over HTTPS in production. We do not use any analytics, advertising, or third-party tracking cookies.

Because this cookie is strictly necessary for the service to function, no consent banner is required under the EU ePrivacy Directive.

6. Data sharing

We do not sell your personal data. We share data only with the following categories of service providers, solely to operate the service:

  • Email delivery — Resend (for sending magic links and notifications).
  • AI processing — Anthropic (for converting natural language policies to structured rules). Policy text and conversation context are sent; account identifiers are not included.
  • Infrastructure — hosting providers that store and process data on our behalf.

We may also disclose data if required by law or to protect our legal rights.

7. Data retention

We retain your account data and transaction history for as long as your account is active. If you request account deletion, we will remove your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention).

Server logs containing IP addresses are retained for up to 90 days.

8. Data security

We implement appropriate technical and organizational measures to protect your data, including: encrypted connections (TLS/HTTPS), HTTP-only secure authentication cookies, hashed tokens, and access controls on production systems. We do not store passwords — authentication is passwordless via magic links.

9. Your rights

Depending on your location, you may have the following rights regarding your personal data:

For all users

  • Access your personal data
  • Request correction of inaccurate data
  • Request deletion of your account and data
  • Request a copy of your data in a portable format

To exercise any of these rights, contact us at support@letagentpay.com. We will process your request within 30 days.

Additional rights for EEA/UK residents (GDPR)

  • Object to processing based on legitimate interest
  • Request restriction of processing
  • Lodge a complaint with your local data protection authority

Additional rights for California residents (CCPA)

  • Know what personal information is collected and how it is used
  • Request deletion of personal information
  • Non-discrimination for exercising your privacy rights
  • We do not sell personal information, so the right to opt-out of sale does not apply

10. International data transfers

Your data may be processed in countries outside your country of residence. When we transfer data internationally, we ensure appropriate safeguards are in place, including standard contractual clauses where required.

11. Children

LetAgentPay is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Self-hosted deployments

If you self-host LetAgentPay, you are the data controller for all data processed by your instance. This Privacy Policy applies only to the hosted version at letagentpay.com. Self-hosted operators are responsible for their own data handling practices and compliance.

13. Governing law

This Privacy Policy is governed by the laws of Germany and the European Union, including the General Data Protection Regulation (GDPR).

14. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of the service after changes constitutes acceptance of the updated policy.