Privacy Policy
Effective date: March 8, 2026
Last updated: March 8, 2026
This policy describes what information agentcommunity.org (“we” or “the Service”) collects, why we collect it, who we share it with, and what rights you have over it. The Service is operated by Open Agent Registry, Inc., a Delaware corporation.
If something in this policy is unclear, email us at privacy@agentcommunity.org and we will explain it.
1. What we collect and why
Account and registration data
When you sign up (via Google, GitHub, or email one-time password), we collect:
- Email address (from your OAuth provider or entered directly)
- Name and profile information, if your OAuth provider shares it
During registration, you may also provide:
- Full name, organization name, job title, and organization function
- Country and geographic regions of operation
- Contact phone number
- Organization website, logo URL, description, and legal address
- Company agent description (what agents you are building or plan to build)
- Preferred .agent domain name(s)
We use this data to manage your membership, process your .agent domain pre-registration, and demonstrate community support in our ICANN application.
Charter agreement data
When you accept the .agent Community Charter, we record your IP address along with a cryptographic hash of the charter version you agreed to and a timestamp. We keep this for legal compliance and non-repudiation purposes. See Section 5 for retention details.
IP addresses
We collect your IP address in several contexts:
- Charter agreement signing (stored as raw IP, retained 36 months, then anonymized)
- Authentication requests (hashed with SHA-256, used for rate limiting)
- Newsletter subscription (stored in subscription metadata)
For rate limiting, we send hashed IP and email values to Upstash Redis. These are ephemeral and expire automatically (within 10 minutes for most limits).
Email tracking
When we send you an email (welcome messages, endorsement requests, reminders, campaigns), we record the email subject, Resend message ID, delivery status, and timestamps for events like delivery, opens, clicks, bounces, and complaints. We also store a SHA-256 hash of your email address and IP address alongside the tracking record. We do not store the full email body.
If your email hard-bounces or you file a complaint, we add you to a suppression list so we do not email you again.
Document signing
Organizations that go through the endorsement process sign documents via DocuSeal, a third-party e-signature service. We send DocuSeal your name, email, organization name, and form fields relevant to the endorsement (like year established and professional count). DocuSeal sends us back signing status, timestamps, and document URLs. We store this in our database.
Cookies
We set the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| Supabase auth session | Keeps you logged in | Session |
| reg_intent | Holds registration info during auth flow (httpOnly) | 10 minutes |
| invite_code | Tracks referral source | 7 days |
| _ga, _gid | Google Analytics (see below) | Up to 2 years |
During the OAuth flow, we may also set short-lived cookies for pending registration fields (domain, registration type, name, organization name). These are cleared after registration completes.
Analytics
We use Google Analytics 4 (measurement ID: G-NM99G6DPGB) to understand how people use the site. GA4 collects page views, referrer URLs, device and browser information, and events we define (like domain searches, join button clicks, and form interactions). This data is processed by Google under their privacy policy. We do not send Google your name or email.
We also use Vercel Analytics to measure page load performance (Web Vitals). This collects timing data, not personal information.
2. Third-party services that receive your data
| Service | What they get | Why |
|---|---|---|
| Supabase (US) | All account and registration data | Database and authentication |
| Google OAuth | OAuth handshake data | Login |
| GitHub OAuth | OAuth handshake data | Login |
| Resend (US) | Email address, email content | Email delivery |
| DocuSeal | Name, email, org details | Document signing (endorsements) |
| Upstash Redis (US) | Hashed email and IP | Rate limiting |
| Google Analytics | Page views, events, device info | Usage analytics |
| Vercel (US) | Application traffic | Hosting and performance metrics |
We do not sell your personal information. We do not share it for advertising purposes. The services listed above receive data only as needed to operate the Service.
3. International data transfers
Our infrastructure is hosted in the United States. If you are located outside the US, your data will be transferred to and processed in the US. By using the Service, you consent to this transfer. We rely on standard contractual protections where applicable.
4. How we protect your data
- Supabase enforces Row-Level Security (RLS) policies, so users can only access their own data through the browser client.
- Admin operations use a separate service-role key that is never exposed to the browser.
- Authentication cookies are httpOnly to prevent client-side script access.
- IP addresses in email tracking logs are hashed with SHA-256, not stored in cleartext.
- Webhook debug logs mask email addresses (e.g., j***@example.com).
- The site enforces HSTS with a two-year max-age and preload.
No system is perfectly secure. We take reasonable measures to protect your information, but we cannot guarantee absolute security.
5. Data retention
- Charter agreement IP addresses: retained for 36 months from collection, then anonymized.
- Account data (email, registration details): retained as long as your account is active.
- Email tracking records: retained indefinitely for deliverability management.
- Hard bounce and complaint suppression entries: retained permanently to prevent re-mailing.
- Rate limiting data in Redis: expires automatically within minutes.
- Audit logs (activity_log, registrations_audit): retained indefinitely for compliance.
6. Your rights
You can:
- Unsubscribe from emails by clicking the unsubscribe link in any email, or by visiting /unsubscribe.
- Request deletion of your personal data by emailing privacy@agentcommunity.org. We will anonymize your IP address and remove non-essential personal data. Some data required for legal compliance (like charter agreement records) may be retained in anonymized form.
- Request a copy of the personal data we hold about you.
- Correct inaccurate information in your profile by logging in, or by emailing us.
If you are a resident of the European Economic Area, you may also have rights under the GDPR, including the right to restrict processing and the right to data portability. Contact us to exercise these rights.
7. Children
The Service is not directed at anyone under 16. We do not knowingly collect information from children. If you believe a child has provided us with personal data, contact us and we will delete it.
8. Changes to this policy
If we make material changes to this policy, we will update the effective date at the top and post the revised version on this page. For significant changes, we may also notify you by email.
9. Contact
Open Agent Registry, Inc.
Email: privacy@agentcommunity.org
Website: agentcommunity.org