Privacy Policy

Last updated: April 2026

AGNT ("we," "us," or "our") is operated by ICM Motion GmbH, a company registered in Germany. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the AGNT platform, including our web application, Telegram bot, WhatsApp integration, and related services (collectively, the "Service").

By using the Service, you consent to the data practices described in this policy. If you do not agree with any part of this policy, please discontinue use of the Service immediately.

1. What We Collect

We collect the following categories of personal data:

Account Information

Name and email address (encrypted at rest using Fernet symmetric encryption). Phone number (hashed using HMAC-SHA256; we cannot reverse your phone number from the stored hash).

Chat Messages

Messages you send to your AGNT agent via Telegram or WhatsApp are stored in encrypted Redis sessions to maintain conversation context. Sessions are ephemeral and expire automatically. We do not retain chat transcripts indefinitely.

Photos You Submit

Food photos submitted for calorie scanning are processed in real time to extract nutritional information. Images are not stored long-term; they are deleted after processing. Product photos submitted for dupe search (price comparison) are processed for identification and similarly deleted after processing.

Location Data

Location is collected only when you explicitly share it for venue recommendations or transport booking. We do not track your location in the background.

Booking & Transaction History

We store records of venue bookings you make through the Service, including venue name, date, party size, and booking status. This enables reminders, history, and ratings.

Payment Information

Payments are processed entirely by Stripe. We do not store your credit card number, CVC, or full payment details on our servers. We retain only a Stripe customer ID and transaction references for billing purposes.

Usage & Device Data

We collect standard technical data such as IP address, browser type, device type, operating system, and pages visited. This data is used for security, analytics, and service improvement.

2. How We Use Your Data

We use the information we collect to:

Provide and operate the Service, including AI-powered venue discovery, booking management, calorie scanning, product comparison, transport booking, and social features.
Process your requests and deliver responses through your chosen messaging channel (Telegram or WhatsApp).
Process payments and manage subscriptions via Stripe.
Send transactional communications such as booking confirmations, reminders, and account notifications.
Generate nutritional breakdowns from food photos and maintain your food diary with daily summaries.
Identify products from photos and find price alternatives across e-commerce platforms.
Improve and personalize the Service, including training and refining recommendation quality (using aggregated, de-identified data only).
Monitor for abuse, fraud, and technical issues using error tracking and logging.
Comply with legal obligations and respond to lawful requests from authorities.

3. Third-Party Services & Data Sharing

We share data with the following third-party service providers strictly to operate the Service. We do not sell your personal data.

Provider	Purpose	Data Shared
Stripe	Payment processing	Email, payment details (handled by Stripe)
Telegram Bot API	Messaging	Messages, user ID, photos sent in chat
WhatsApp / Meta	Messaging	Messages, phone number, photos sent in chat
Anthropic (Claude)	AI processing	Chat context, user queries (no long-term storage by Anthropic per API terms)
Nutritionix / Edamam / USDA	Nutrition analysis	Food descriptions extracted from photos
Shopee, Tokopedia, Lazada	Product search	Product identifiers and search queries
Lalamove	Courier booking	Pickup/delivery addresses, contact details
Sentry	Error tracking	Anonymized error reports, device/browser metadata

Each third-party provider processes data under their own privacy policy. We encourage you to review their respective policies.

4. Data Storage & Security

We take the security of your data seriously and employ industry-standard technical and organizational measures:

Encryption at rest: Personal identifiers (name, email) are encrypted using Fernet symmetric encryption before storage.
Phone number hashing: Phone numbers are stored as HMAC-SHA256 hashes. We cannot recover your phone number from the stored value.
Chat encryption: Chat sessions are stored in encrypted Redis instances with automatic expiration.
Photo processing: Food and product photos are processed in memory and not retained after analysis is complete.
Payment isolation: All payment data is handled by Stripe in PCI-DSS compliant infrastructure. Card details never touch our servers.
Access controls: Internal access to personal data is restricted to authorized personnel on a need-to-know basis.
Infrastructure: Our backend services run on encrypted cloud infrastructure with TLS 1.2+ for all data in transit.

While we implement robust safeguards, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but commit to promptly notifying affected users and relevant authorities in the event of a data breach, in accordance with applicable law.

5. Data Retention

Account data: Retained for as long as your account is active. Upon account deletion, personal data is purged within 30 days, except where retention is required by law.
Chat sessions: Automatically expire from Redis. Typical session lifetime is 24 hours of inactivity.
Photos: Deleted immediately after processing. Not stored in any database or file system.
Booking history: Retained for the lifetime of your account to provide history, ratings, and recommendations.
Transaction records: Retained for a minimum of 7 years as required by German tax and commercial law.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Under the EU General Data Protection Regulation (GDPR)

Access: Request a copy of the personal data we hold about you.
Rectification: Request correction of inaccurate or incomplete data.
Erasure: Request deletion of your personal data ("right to be forgotten").
Restriction: Request restriction of processing in certain circumstances.
Data portability: Receive your data in a structured, machine-readable format.
Objection: Object to processing based on legitimate interests or direct marketing.
Withdraw consent: Where processing is based on consent, withdraw at any time without affecting the lawfulness of prior processing.
Complaint: Lodge a complaint with a supervisory authority (e.g., the German Federal Commissioner for Data Protection).

Under Southeast Asian Data Protection Laws

If you are located in Indonesia (UU PDP), Thailand (PDPA), Singapore (PDPA), or the Philippines (DPA), you have comparable rights including access, correction, deletion, and the right to withdraw consent. We process your data in compliance with applicable local data protection regulations.

To exercise any of these rights, email us at privacy@agnt.ai. We will respond within 30 days (or sooner where required by law). We may ask you to verify your identity before processing your request.

7. International Data Transfers

ICM Motion GmbH is based in Germany. Your data may be transferred to and processed in countries outside your country of residence, including countries in the European Economic Area (EEA) and Southeast Asia. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission or adequacy decisions.

8. Cookies & Local Storage

We use a minimal set of cookies and local storage:

Authentication cookie (agnt_token): An httpOnly, secure cookie used to maintain your login session. Strictly necessary for the Service to function.
Service worker cache: As a Progressive Web App, we cache static assets locally for offline access and performance.
Push notification subscription: If you opt in, we store a VAPID push subscription to deliver booking reminders and notifications.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not participate in cross-site tracking or real-time bidding.

9. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@agnt.ai and we will delete such data promptly.

10. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases:

Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Service you requested, including account management, bookings, and AI agent interactions.
Consent (Art. 6(1)(a) GDPR): Where you explicitly opt in, such as location sharing and push notifications. You may withdraw consent at any time.
Legitimate interests (Art. 6(1)(f) GDPR): Service improvement, security monitoring, and fraud prevention, balanced against your rights.
Legal obligation (Art. 6(1)(c) GDPR): Retention of transaction records as required by German commercial and tax law.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via the Service, email, or a prominent notice on our website. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us:

ICM Motion GmbH

Data Protection Inquiries

Email: privacy@agnt.ai

You also have the right to lodge a complaint with your local data protection authority. For Germany, this is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI).