Privacy Policy

01 Information we collect

Account information

You sign in with Google. We receive your email address and display name from Google's OAuth response, and we store those to identify your account. We do not receive or store your Google password.

Device tokens

To deliver approval requests to your phone in real time, we register a device token with Apple Push Notification service (APNs) or Firebase Cloud Messaging (FCM). The token is associated with your account and is rotated by the operating system periodically.

Agent action logs

When one of your agents asks for permission, we record the approval request and its outcome so you can audit what happened later. A typical log entry contains:

• The name of the agent and the integration involved (e.g. "GitHub", "Google Calendar")
• A short, human-readable description of the action ("Schedule meeting for Tuesday 2pm")
• The decision — allowed, denied, or auto-allowed by rule — and a timestamp

Logs do not contain the contents of your prompts, files, calendar bodies, or message bodies. We only store the metadata required to render your approval history.

02 What stays on your device

The following never leaves your device and is never transmitted to our servers:

• Biometric data. Face ID and Touch ID are handled by iOS / macOS. We only receive a yes/no signal from the operating system.
• Private signing keys. Approvals are signed locally using keys stored in the Secure Enclave. We only ever see the resulting signature.
• Your prompts. The contents of the messages you send to your agents are not routed through IamAgent.

03 Analytics

Our marketing website uses Cloudflare Web Analytics, a privacy-respecting, cookie-free analytics service. It records aggregate metrics like page views, referrers, and approximate country — it does not fingerprint visitors and does not set tracking cookies. We do not use Google Analytics, Meta Pixel, or any cross-site advertising trackers.

04 How we use information

We use the information described above only to:

• Authenticate you and keep your session active
• Deliver approval-request push notifications to your devices
• Show you a history of decisions your agents asked for
• Diagnose bugs and prevent abuse of the service
• Send rare service emails (security incidents, major product changes) — never marketing

05 Sharing & sale of data

We do not sell your personal information to third parties. We do not share it with advertisers or data brokers. The only third parties that touch your data are the infrastructure providers we use to run the service — Cloudflare (hosting and analytics), Google (sign-in), Apple and Google (push notifications) — and only to the minimum extent needed for them to perform that function.

If we are ever required by valid legal process to disclose information, we will do so only to the extent legally required and, where permitted, notify you first.

06 Children's privacy

IamAgent is not directed to children. We do not knowingly collect personal information from anyone under the age of 13. If you believe a child has provided us with personal information, please contact us at [email protected] and we will delete it.

07 Data retention

Account information is kept as long as your account is active. Agent action logs are retained for 90 days by default; you can shorten this in your settings or trigger an immediate purge at any time. Device tokens are removed automatically when you sign out or uninstall the app.

08 Your rights

You can, at any time:

• Export a copy of your account data and approval history
• Delete individual log entries or wipe all logs
• Delete your account entirely — this removes your profile, device tokens, and all logs within 30 days from backups
• Withdraw consent for non-essential processing

Depending on where you live, you may also have rights under GDPR, CCPA, or similar laws to access, correct, or restrict processing of your data. Email us and we will respond within 30 days.

09 Security

Data in transit uses TLS 1.3. Data at rest is encrypted on managed storage. We follow the principle of least privilege internally, and the design of the product — signatures generated on-device, secrets in the Secure Enclave — means that compromising our servers does not compromise your approvals.

10 Changes to this policy

If we materially change how we handle your data, we'll update the effective date above and notify active users by email at least 14 days before the change takes effect.