Privacy Policy

Last updated: March 9, 2026

AgentCheck ("we", "us", "our") operates agentcheck.care and agentcheck.clinic. This policy explains what data we collect, why we collect it, and how we handle it.

Short Version

We collect only what's needed to run your checkup and deliver your report.
We never sell your data.
We never store your API keys.
We use anonymized, aggregate scan data to publish industry research. Your bot's identity is never included.
We use Stripe for payments. We never see or store your credit card number.
We use Cloudflare for security and performance. Cloudflare may set cookies per their own privacy policy.
No tracking pixels. No ad networks. No third-party analytics.

1. What We Collect

1.1 Data You Provide

When you submit a checkup, we collect:

Bot URL or API endpoint (required to run the test)
System prompt (if provided — used for adherence scoring)
Bot description and industry (if provided — used for domain-appropriate testing)
Email address (if provided — used only to send your report link as a backup)
Company website URL (if provided — used for brand alignment analysis)

For paid checkups, Stripe collects your payment information directly. We receive a confirmation of payment but never see or store your credit card number, bank account, or billing address. See Stripe's privacy policy.

1.2 Data Generated During the Checkup

When we test your bot, we generate:

Conversation transcripts between our test personas and your bot
Scores, findings, and diagnostic analysis
A BotProfile (extracted domain context from your system prompt)

This data is stored as part of your report.

1.3 API Keys

If you provide an API key for Chat API testing:

The key is used ONLY during the active test session
The key is held in server memory, never written to disk
The key is cleared from memory immediately when the checkup completes (or fails)
The key does NOT appear in your report, logs, or any stored data
We cannot recover your key after the session ends

1.4 Data Collected Automatically

IP address: used for rate limiting. Stored in standard web server logs. Rotated automatically.
Cloudflare analytics: Cloudflare may collect standard web analytics (page views, country, browser type) per their privacy policy. We use Cloudflare's free tier which does not include advanced tracking.
No cookies are set by our application. Cloudflare may set security cookies (e.g., __cf_bm) per their own policy.

2. How We Use Your Data

2.1 To deliver your checkup report

Your bot URL, system prompt, and generated test data are used solely to produce your diagnostic report.

2.2 To send your report link

If you provide an email, we send exactly one email containing your magic link. No marketing. No follow-ups. No newsletters.

2.3 To improve our testing methodology

We analyze aggregate, anonymized scan data to improve our test modules and scoring calibration. This never includes your bot's URL, system prompt, company name, or any identifying information.

2.4 To publish industry research

We may publish aggregate statistics about AI agent security (e.g., "73% of bots tested are vulnerable to prompt injection"). This data is fully anonymized — no individual bot, company, or user is ever identifiable. We will never publish your bot's score, URL, or any identifying details without your explicit written consent.

3. How We Store Your Data

3.1 Report storage

Reports are stored on our server in encrypted-at-rest storage. Reports are accessible only via your unique magic link (a URL with a cryptographic token). Anyone with the link can view the report. Treat your magic link like a password.

3.2 Deletion

We do not currently offer self-service report deletion. If you need a report deleted, contact us and we will delete it within 7 business days.

3.3 Retention

We retain reports indefinitely unless you request deletion. We may implement automatic expiration in the future (with advance notice).

4. Who We Share Your Data With

We do not sell, rent, or share your personal data with third parties, with these exceptions:

4.1 Stripe

Processes your payment. Receives your email and payment details directly. Subject to Stripe's privacy policy.

4.2 Cloudflare

Provides CDN, DDoS protection, and DNS. Processes your web requests. Subject to Cloudflare's privacy policy.

4.3 Google (Gemini API)

Our AI evaluation engine. Conversation data from your checkup is sent to Google's Gemini API for analysis. Subject to Google's API terms of service and data usage policies. We use the paid API tier which does not use your data to train Google's models.

4.4 Law enforcement

We may disclose data if required by law, subpoena, or court order.

We do not use any advertising networks, social media tracking pixels, or third-party analytics services.

5. Your Rights

5.1 Access

You can view your report anytime via your magic link.

5.2 Deletion

5.3 Portability

Your report is available as HTML via the magic link. PDF export is planned.

5.4 EU/EEA residents

If you are in the EU/EEA, you have additional rights under GDPR including the right to rectification, restriction of processing, and the right to lodge a complaint with a supervisory authority.

6. Security

We use HTTPS encryption for all connections, Cloudflare's security features (DDoS protection, bot management), server-side rate limiting, and input sanitization on all user-submitted data. API keys are never persisted to disk. Reports are accessible only via cryptographic magic links.

No system is 100% secure. If you discover a security vulnerability, please report it to us.

7. Children

Our service is not directed at individuals under 16. We do not knowingly collect data from children.

8. Changes

We may update this policy. Changes will be posted on this page with an updated date. Continued use of the service after changes constitutes acceptance.

9. Contact

For privacy questions or data requests:

[email protected]