Privacy Policy
Last updated: June 2026 · Contact: contact@agentguard.it.com
Short version: AgentGuard collects AI usage metadata from your company's devices to power activity monitoring and audit logs. We store data on EU servers, never sell it to third parties, and give you full control under GDPR.
1. Who We Are
AgentGuard is operated by Noah Goerg. For privacy-related questions, contact us at contact@agentguard.it.com.
2. What Data We Collect
Chrome Extension — How It Works
The AgentGuard Chrome extension requests access to all websites (<all_urls>) solely to check each page's hostname against a fixed list of approximately 45 known AI tool domains (e.g. chatgpt.com, claude.ai, gemini.google.com). For any website that is not on this list, the extension removes itself immediately at page load and takes no further action. No data from non-AI websites is read, stored, or transmitted.
The extension only transmits data to AgentGuard servers after a company administrator has entered a valid company code. Without a company code, the extension operates in a fully local, offline mode — events are stored only in the browser's local storage and never sent externally. Employees can verify or remove the company code at any time via the extension popup.
Data Categories Collected
When a company code is configured, the following data is collected from the employee's device:
- AI usage events — the tool name (e.g. ChatGPT, Claude), event type (page visit or API call), timestamp, and page path (e.g. /chat). No message content, prompt text, or query-string parameters are captured.
- Request size — approximate size of outbound API request bodies in kilobytes, for calls to AI API endpoints only. No request content is captured.
- Device token — a randomly generated anonymous identifier created once when the extension is first installed. This token has no link to any employee name, email address, or other personal identifier.
- Department — the department label selected by the employee during onboarding (e.g. "Engineering").
- Company code — a unique identifier used to associate events with your company's dashboard account.
We do not collect: message content, prompt text, uploaded file contents, browsing history outside AI tool domains, or any biometric data.
3. How Data Is Stored
All data is stored using Supabase (supabase.com), hosted on servers located in the EU (North EU — Stockholm, Sweden). Data is protected by:
- Encryption at rest using AES-256
- Encryption in transit using TLS 1.2 or higher
- Row-level security policies restricting access by company code
4. Data Retention
Event logs are retained for 12 months from the date of collection. After this period, records are automatically deleted. You may request earlier deletion at any time by contacting contact@agentguard.it.com.
5. How We Use Your Data
Data is used solely for the following purposes:
- Generating activity reports and audit logs for your company's dashboard
- Calculating certification eligibility (90-day monitoring period)
- Sending optional weekly summary emails to the designated company administrator
- Enforcing AI tool blocking policies configured by the company administrator
6. Data Sharing
We do not sell, rent, or share your data with any third parties for advertising or marketing purposes. The only sub-processors involved are:
- Supabase (supabase.com) — cloud database and authentication, hosted in the EU (Stockholm, Sweden).
- Resend (resend.com) — transactional email delivery for all outbound emails: weekly AI usage summary emails to company administrators, contact form submissions from the landing page, and certification notification emails. Only the data necessary to deliver each email (e.g. name, company name, email address) is processed. No employee monitoring data is ever sent to Resend.
- Stripe (stripe.com) — payment processing for subscriptions. Only billing information for the account holder is processed by Stripe. No employee monitoring data is ever sent to Stripe. Stripe is certified under the EU–US Data Privacy Framework.
7. Your Rights Under GDPR
As a data subject under the General Data Protection Regulation (GDPR), you have the following rights:
- Right of access — request a copy of all data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data ("right to be forgotten")
- Right to data portability — receive your data in a machine-readable format (JSON/CSV)
- Right to object — object to processing in certain circumstances
- Right to restrict processing — request that we limit how we use your data
To exercise any of these rights, contact us at contact@agentguard.it.com. We will respond within 30 days.
8. Chrome Extension Permissions
The AgentGuard Chrome extension requests the following browser permissions and uses them exclusively as described:
- Access to all websites — used only to check each page's hostname against a fixed list of ~45 AI tool domains. Non-AI pages are unaffected.
- Browser tabs — used to detect navigation to AI tool websites and to navigate users away from admin-blocked sites. No tab content or browsing history is read.
- Storage — used to store activity events locally in the browser before (optionally) syncing to the company dashboard.
- Web requests — used in read-only mode to detect outbound API calls to AI service backends (e.g. api.openai.com). No request content is read or modified.
- Scripting — used to inject the monitoring script into AI tool tabs that were already open when the extension was installed.
- Alarms — used to periodically re-sync the company's blocked-tool policy and to keep the background service worker alive.
The extension does not inject scripts into banking, health, or any other sensitive websites. It does not read, transmit, or store the content of any web page.
9. Cookies
The AgentGuard dashboard uses session cookies only to keep you logged in during your browser session. We do not use tracking cookies, advertising cookies, or any third-party analytics scripts. Session cookies are deleted when you close your browser or log out.
The AgentGuard landing page uses localStorage to remember your cookie consent preference. No persistent tracking identifiers are set.
10. Legal Basis for Processing
We process data under the following legal bases as defined in GDPR Article 6:
- Contract performance (Art. 6(1)(b)) — processing is necessary to deliver the AgentGuard service you have subscribed to
- Legitimate interests (Art. 6(1)(f)) — risk scoring and audit logging serve the legitimate interest of your company's AI governance compliance
11. Changes to This Policy
We may update this privacy policy from time to time. The "Last updated" date at the top of this page will reflect any changes. Continued use of AgentGuard after a policy update constitutes acceptance of the revised terms.
12. Contact
For any privacy-related inquiries, data subject requests, or complaints, contact:
Noah Goerg — contact@agentguard.it.com