Privacy Policy

[COMPANY_NAME] Version: 1.1 Last updated: May 2026

1. Who We Are

[COMPANY_NAME] ("we", "us", "our") operates the Floent AI Agent Platform (the "Platform"). We are based at [REGISTERED_ADDRESS], United Kingdom.

[COMPANY_NAME] is not required to appoint a Data Protection Officer under UK or EU GDPR. Privacy enquiries are handled directly by the Floent team and can be sent to [PRIVACY_EMAIL]. We will respond within 30 days.

2. What Data We Collect

2.1 Account Data

When your organisation administrator invites you to the Platform, we receive your name, email address, and the role assigned to you. Once you accept the invitation and create an account, you may also provide a display name and profile picture.

2.2 Usage Data

When you use the Platform, we automatically collect:

Pages visited and features used
Agent executions (type, timestamp, credit usage)
Device type and browser information
IP address

2.3 Files and Content You Submit

When you use AI agents on the Platform, you may submit files (such as documents or images) and form data. This content is processed by the relevant agent workflow to deliver a result. The Platform does not retain your inputs or outputs beyond what is necessary to return the result to you. Metadata about agent executions (timestamp, agent type, credit usage) is retained as described in Section 7.

2.4 Billing and Credits

We record credit transactions (top-ups and usage) associated with your organisation. Payments are currently handled by direct invoice — we do not store payment card details on the Platform. We will update this Privacy Policy and notify you in advance if we introduce automated payment processing in future.

3. How We Use Your Data

We use your data to:

Provide and operate the Platform
Authenticate you and manage your account
Process agent requests and return results
Generate organisation profile information from publicly available website content (only when explicitly initiated by an organisation administrator)
Track credit usage and maintain transaction records
Improve the Platform and understand how it is used
Send important service communications (such as low credit alerts)
Detect and prevent abuse, fraud, and security incidents
Comply with legal obligations

We do not sell your data to third parties. We do not use your data for advertising. We do not use your data to train AI models.

4. Legal Basis for Processing (UK and EU GDPR)

We process your personal data on the following legal bases:

Contract — processing necessary to provide the Platform services you have access to
Legitimate interests — improving the Platform, preventing fraud, and ensuring security
Legal obligation — where we are required to process data by law

5. Data Sharing

We share data with the following third-party service providers ("sub-processors") who process data on our behalf:

Provider	Purpose	Location
Supabase	Database hosting	EU (London)
Vercel	Platform hosting and delivery	EU (London)
Railway	Microservice hosting (agent execution)	EU (europe-west4)
Clerk	Authentication and user management	USA (with EU SCCs)
OpenAI	AI processing within agent workflows	USA (with EU SCCs)
Anthropic	AI processing within agent workflows	USA (with EU SCCs)
Resend	Transactional email delivery	USA (with EU SCCs)

All sub-processors are bound by data processing agreements and appropriate safeguards for international data transfers, including UK International Data Transfer Agreements (IDTAs) and EU Standard Contractual Clauses (SCCs) where applicable.

We will notify customers in advance of any material changes to our sub-processor list.

6. Cookies

Essential Cookies

The Platform uses essential cookies set by Clerk (authentication) and Vercel (session routing and security) which are strictly necessary for the Platform to function. These cookies do not require your consent under UK and EU GDPR.

Analytics

We use Vercel Analytics to understand how the Platform is used. Vercel Analytics is privacy-first and does not use cookies or collect personally identifiable information. No consent is required.

We do not use Google Analytics, advertising cookies, or third-party tracking cookies.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide services. Specifically:

Account data — retained for the duration of your account
Audit logs — retained for the duration of your account
Credit transactions — retained for 7 years (legal/accounting requirement)
Agent execution metadata (timestamp, agent type, credit usage) — retained for 90 days
Agent execution inputs and outputs — not retained by the Platform beyond what is necessary to return results to you

When your account is closed, we will delete or anonymise your personal data within a reasonable period, except where we are required to retain it by law (such as financial records).

8. Your Rights (UK and EU GDPR)

If you are based in the UK or EU, you have the following rights:

Access — request a copy of the personal data we hold about you
Rectification — request correction of inaccurate data
Erasure — request deletion of your data ("right to be forgotten")
Restriction — request that we limit how we use your data
Portability — request your data in a portable format
Objection — object to processing based on legitimate interests

To exercise any of these rights, please contact us at [PRIVACY_EMAIL]. We will respond within 30 days.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or with your local data protection authority if you are based in the EU.

9. Security

We take the security of your data seriously. We implement:

AES-256-GCM encryption for sensitive credentials stored on the Platform
HTTPS encryption for all data in transit
Database backups encrypted at rest
Authentication via Clerk with email verification
Role-based access controls limiting data access by user role
Audit logging of administrative actions
Principle of least privilege applied to internal access

No system can be guaranteed to be completely secure, but we work continuously to maintain and improve our security measures.

10. Children

The Platform is intended for business use only and is not directed at children under the age of 16. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of significant changes via email or a notice within the Platform. The "Last updated" date and version number at the top of this page will always reflect the most recent version.

12. Contact Us

For any privacy-related questions or to exercise your rights:

[COMPANY_NAME] [REGISTERED_ADDRESS] [PRIVACY_EMAIL]