Privacy policy.

How we collect, use, store, and protect your data — in plain English. Last updated 2026-05-20.

1. Who we are

AgentsTeam is operated by Auren Labs, Inc. ("Auren Labs," "we," "us"), a Delaware corporation with operations in the United States. When you sign up for or use AgentsTeam, you are entering into an agreement with Auren Labs. For privacy questions, data requests, or anything in this policy that's unclear, write to privacy@agentsteam.app (or contact@agentsteam.app if email to the first address bounces).

2. What data we collect

We collect only what is needed to run your account and let the AI team do useful work for you.

2a. Account data

  • Name, work email, company name, role at company.
  • Password hash (bcrypt with a per-user random salt) — we never store, log, or transmit your plaintext password.
  • Billing details — handled by our payment processor (Stripe). We store only the last 4 digits of your card, the brand, and the country code.
  • Authentication metadata — sign-in timestamps, IP address for the last sign-in, and the browser's user-agent string. Used to detect anomalous sign-ins and to populate the sessions list (when available).

2b. Operational data

  • Brands, locations, business information, and team configuration you create in AgentsTeam.
  • Voice-training inputs (tone preset, signoffs, signature phrases, never-say list, sample replies).
  • Channel credentials — OAuth access and refresh tokens for the services you connect (e.g., Google Business Profile, Facebook). All tokens are encrypted at rest with AES-256-GCM using a key held outside the database.

2c. Google user data

When you connect Google Business Profile, we read information you have authorized through Google's OAuth consent screen. See §4 below for the full Limited Use disclosure.

2d. Customer review and reply content

  • Reviews and customer messages pulled from connected channels (Google, Facebook, etc.).
  • Drafts produced by the AI team, your edits, and the final dispatched replies.
  • Action logs — who acted (agent or human), when, what was sent.

2e. Cookies and similar technologies

We use a small set of strictly-necessary cookies:

  • Session cookies issued by Supabase Auth so you stay signed in.
  • A theme-preference cookie so the marketing site remembers light/dark mode.
  • A first-time-visit cookie used to suppress the welcome state once you've completed onboarding.

We do not set third-party advertising cookies, Google Analytics cookies, Meta Pixel, or any cross-site tracking technology on either the marketing site or the signed-in application.

3. How we use your data

  • Run the product — fetch reviews, draft replies, dispatch your approvals, write the audit log, page you when a crisis review hits.
  • Train your voice profile — adapt drafts to the tone you defined. Voice profiles are scoped to your account; they are never used to train models for other tenants and never used to train Anthropic's foundation models.
  • Operate the service — billing, customer support, security monitoring, fraud prevention.
  • Improve AgentsTeam — aggregate, anonymized metrics to find bugs and prioritize features. No customer content is read by Auren Labs employees for product improvement without your explicit, in-product consent.
  • Comply with law — respond to valid legal requests; protect rights, property, or safety; enforce our Terms.

4. Google user data (Limited Use)

AgentsTeam's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

4a. Scopes we request

When you connect Google Business Profile to AgentsTeam, we request the following OAuth scope:

  • https://www.googleapis.com/auth/business.manage — needed to (i) list the GBP accounts and locations you manage, (ii) read review content and listing metadata for those locations, and (iii) post replies to reviews on your behalf when you approve them in AgentsTeam.

We do not request Gmail, Drive, Calendar, Contacts, or any other Google scope.

4b. How we use Google user data

  • Read the reviews and location metadata you authorize, classify them with our own AI pipeline (sentiment, theme, severity), and present them to you in the AgentsTeam workspace.
  • Draft contextually appropriate replies in the voice you have trained AgentsTeam in.
  • Dispatch replies — only when you explicitly approve them, or when you have explicitly enabled an auto-reply rule that meets our hard safety floors (no replies to ≤3-star reviews, no replies to crisis-flagged reviews, no replies above a per-location daily cap).

4c. What we do NOT do with Google user data

  • We do not sell your Google user data.
  • We do not transfer Google user data to advertising platforms, data brokers, credit bureaus, or any third party for purposes outside the user-facing AgentsTeam features described above.
  • We do not use Google user data to train, fine-tune, or improve any generalized AI/ML model (our own, Anthropic's, or any third party's). The only model-personalization that touches Google user data is your own per-tenant voice profile, scoped to your AgentsTeam account.
  • We do not allow Auren Labs employees to read Google user data except (i) with your explicit consent, (ii) for security investigations of specific incidents, or (iii) when required by law.

4d. Revoking Google access

You can revoke AgentsTeam's access to your Google account at any time at myaccount.google.com/connections. Once revoked, our subsequent calls fail cleanly, the corresponding connection in AgentsTeam is marked as expired, and we stop pulling new reviews for the affected locations. Existing review and reply data already stored under your account is handled per our retention rules (§8) and can be deleted on request (§9).

5. Who we share data with

We do not sell your data. We share only with sub-processors that are necessary to operate the service:

| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel, Inc. | Application hosting, CDN, serverless compute. | US |
| Supabase, Inc. | Database (Postgres), authentication, file storage. | US |
| Stripe, Inc. | Payment processing. Card details are tokenized at Stripe; we do not see or store full card numbers. | US |
| Connected channels you authorize | Google Business Profile, Facebook, and any other channel you connect — and only the scopes you have explicitly granted. | Varies |

We may add or replace sub-processors as the product evolves. Material changes (e.g., adding a new category of sub-processor or changing the region of an existing one) will be reflected in this policy and announced as described in §12 below.

6. Security

  • In transit: TLS 1.3 for all HTTP traffic; HSTS preload enabled.
  • At rest: Database disks are encrypted by Supabase using AES-256.
  • OAuth tokens: additionally encrypted at the application layer with AES-256-GCM using a key held in our secrets manager, separate from the database.
  • Passwords: hashed with bcrypt and a per-user random salt before storage. Minimum length of 8 characters; known-breached passwords (checked against the public HaveIBeenPwned dataset via k-anonymity) are rejected at signup and reset. Password resets are time-limited single-use links sent to the email on file; we never email an existing password.
  • Tenant isolation: Postgres row-level security (RLS) policies enforce that your data is invisible to other tenants at the database layer. Every shared cross-table query in the application code is also funneled through a single owner-scope helper as defense in depth.
  • Third-party sign-in: we support Google SSO so you can authenticate without giving us a password at all.
  • Breach disclosure: if we discover a security incident affecting your personal data, we will notify you and any required regulators within the time frames required by applicable law (in the EU/UK: 72 hours of becoming aware of a notifiable breach).

7. Cookies and tracking

AgentsTeam uses only strictly-necessary cookies — see §2e above for the list. We do not set advertising cookies, Google Analytics, Meta Pixel, or any cross-site tracking. We do not participate in real-time bidding or any other ad-tech identity graph. If your jurisdiction recognizes a Global Privacy Control (GPC) signal, we honor it automatically — there is no behavior to opt out of because we don't do third-party tracking in the first place.

8. Data retention

| Data category | How long we keep it |
|---|---|
| Raw Google Business Profile review content (review body, reviewer name) and replies you send (including audit log entries) | Raw review content is kept up to 30 calendar days after we receive it, per the Google API Services User Data Policy; after 30 days the raw text is purged and we keep only the derived classification (sentiment, theme), your own reply, and the audit record of what was sent. Replies and audit log entries are kept for the life of your account so you can review what was sent on your behalf, and are deleted when you delete your account or workspace. |
| OAuth tokens (encrypted) | Until you disconnect the channel, revoke access at the provider, or delete your account. |
| Authentication logs (sign-in events, IPs) | 90 days, then aggregated. |
| Billing records | Seven years, as required by US tax and accounting rules. |
| Backups | Database backups rotate on a 30-day schedule. Backup copies of data marked for deletion are overwritten within that window. |

9. Your rights and choices

Regardless of where you live, you can ask us to:

  • Access a copy of the personal data we hold about you.
  • Correct inaccurate or out-of-date information (most fields are editable in-product).
  • Export your data in a machine-readable format.
  • Delete your AgentsTeam workspace, including all brands, locations, reviews, replies, and audit log entries, via the in-app self-serve option in /business-settings (rolling out — see §13 for status). Until self-serve deletion is available for every account, write to privacy@agentsteam.app and we will complete deletion within 30 days.
  • Revoke consent for any specific feature (e.g., turn off auto-reply, disconnect a channel, opt out of email digests) directly in the AgentsTeam settings.

Depending on your jurisdiction, you may also have additional rights — for example, the right to portability, to object to certain processing, to lodge a complaint with a supervisory authority, or under the California Consumer Privacy Act (CCPA), the right to know what categories of personal information we have collected, sold (we don't sell), or shared (the sub-processor list in §5). We respond to verified requests within 30 days and do not charge for the first request in a 12-month period.

10. Children's privacy

AgentsTeam is a business product and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, write to privacy@agentsteam.app and we will delete it.

11. International data transfers

AgentsTeam is operated from the United States. Our primary infrastructure (Vercel, Supabase, Anthropic, Stripe) is hosted in the US. If you access AgentsTeam from outside the US, your data will be transferred to and processed in the US. Where applicable, we rely on the European Commission's Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms with our sub-processors. You can request a copy of the relevant SCCs by writing to privacy@agentsteam.app.

12. Changes to this policy

We may update this policy from time to time. When we make a material change (for example, adding a new sub-processor category, changing a retention period, or requesting a new scope at the Google OAuth consent screen), we will (i) update the "Last updated" date at the top of this page, (ii) post a banner inside the AgentsTeam application for at least 14 days, and (iii) email account owners for changes that meaningfully expand how we process your data. Continued use of the service after the effective date constitutes acceptance of the updated policy.

13. Contact

Auren Labs, Inc.
125 212th Pl NE, Sammamish, WA 98074, USA
Privacy & Data Requests: privacy@agentsteam.app
General contact: contact@agentsteam.app

This document is a plain-English summary of our privacy practices and is not a substitute for legal advice. If anything here conflicts with applicable law, the applicable law controls and the conflicting clause is severable.