Privacy Policy

1. Who we are

agent-ready.dev is operated as an independent service. The data controller for the purposes of UK GDPR / EU GDPR is the operator of the service, reachable at privacy@agent-ready.dev.

2. What we collect

We collect only what we need to run the service.

• Account data - your email address, and optionally a name, provided via our authentication provider (Clerk) when you sign up.
• Billing data - if you subscribe to a paid plan, Stripe handles the card data directly (we never see or store it). We store a Stripe customer identifier and subscription identifier so we can link your account to your subscription.
• Scan data - the URLs you ask us to scan, the resulting scores and check outputs, and limited snippets of public page content (headings, metadata, canonical URLs). Scans you run while signed in are linked to your account. Anonymous scans are linked to a random share token only.
• Monitoring data - if you enable monitoring on a domain, we store the root URL, your chosen alert email, and the history of automated scans.
• Request metadata - your IP address (used transiently for rate-limiting and abuse prevention), and standard request headers. IPs are not stored in long-term logs.
• Error reports - when the service encounters an unexpected error, we capture the stack trace and request path through Sentry. We configure Sentry to exclude personally-identifying request headers (cookies, auth tokens) and user identifiers.

We do not use tracking cookies or advertising pixels. We do not sell personal data.

3. Why we process it

• To provide the service - running scans, displaying results, sending regression alerts (legal basis: contract performance).
• To take payment — managing subscriptions and invoices through Stripe (legal basis: contract performance).
• To keep the service running safely - rate limiting, blocking abuse, debugging errors (legal basis: legitimate interests in service security and integrity).

4. Who we share it with (sub-processors)

We rely on the following third parties to run the service:

• Clerk - authentication and account management (email, name).
• Stripe - payments and subscription billing (card data, email, billing address).
• Neon - our PostgreSQL database host (account data, scan results, monitoring records).
• Upstash - our Redis cache (rate-limit counters, scan cache, webhook deduplication).
• Resend - transactional email delivery for monitoring alerts.
• Vercel - hosting and edge network.
• Sentry - error reporting for debugging.

Some of these sub-processors are based outside the UK and EEA. Transfers are covered by the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or equivalent safeguards.

5. How long we keep it

• Account data - for as long as you have an account. Deleted when you delete your account.
• Scan results- kept indefinitely so share links remain valid. When you delete your account, scans linked to you are anonymised (not deleted) so previously-shared URLs don’t break for third parties.
• Monitoring records — deleted when you remove the site or delete your account.
• Rate-limit counters — maximum 30 days.
• Billing records— retained by Stripe for the period required by tax law (typically 6–7 years).
• Error reports — retained by Sentry for up to 90 days.

6. Your rights

Under UK GDPR and EU GDPR you have the right to:

• Access the personal data we hold about you.
• Correct anything that’s wrong.
• Delete your account and associated personal data (right to erasure). You can trigger this yourself by deleting your account in Clerk; we automatically receive a deletion event and purge your data.
• Export your data in a portable format.
• Object to certain processing (such as regression alerts).
• Lodge a complaint with your data protection regulator (the UK ICO, or your local EEA regulator).

To exercise any of these rights, email privacy@agent-ready.dev. We aim to respond within 30 days.

7. Cookies

We use a small number of strictly-necessary cookies:

• Clerk sets session cookies so you stay signed in. These are httpOnly and essential for authentication.
• Vercel sets a handful of infrastructure cookies (e.g. for sticky routing on preview deployments). These carry no personal data.

We do not use cookies for advertising, analytics, or tracking across sites, so we don’t show a consent banner.

8. Browser extension

We publish an official Agent Ready browser extension on the Chrome Web Store, Microsoft Edge Add-ons, and Mozilla AMO. It is a thin client for the same scanner described above and performs no additional collection on top of what is already listed in section 2.

• What it reads— only the URL of your current tab, and only when you explicitly invoke it (by clicking the toolbar icon or selecting “Scan with Agent Ready” from the right-click menu). It does not read page contents, cookies, browsing history, or any other tab.
• What it sends to us — only the URL you explicitly choose to scan, transmitted to the same scanner endpoint as the website. The handling and retention described in sections 2 and 5 apply unchanged. The extension also appends utm_source=extension to links that open agent-ready.dev so we can segment our own analytics by extension origin.
• What stays on your device — the extension keeps a local history of your last 10 scans using your browser’s built-in extension storage so the popup can re-open recent results. This list never leaves your browser. We do not sync it, receive it, or have any way to read it. Uninstalling the extension clears it.
• What it doesn’t do — no background scanning, no tracking, no telemetry, no analytics inside the extension itself. The extension is open-source under Manifest v3 and reproducible from the source archive submitted to each store.

9. ChatGPT app

We publish an official Agent Ready app for ChatGPT, built with the OpenAI Apps SDK on the Model Context Protocol. It is a thin client for the same scanner described above and performs no additional collection on top of what is listed in section 2, with one addition specific to this surface.

• What ChatGPT sends us — when you run a scan through ChatGPT, the platform passes us an opaque per-user identifier (openai/subject) and a per-conversation identifier in the request metadata. We do not receive your name, email, or the contents of your ChatGPT conversation.
• How we use it— solely as a rate-limiting key to prevent abuse of the free, unauthenticated app. The per-user identifier is held only for the short rate-limit window, is not stored with your scan results, and is not linked to any account — scans run through ChatGPT are anonymous.
• What it sends to us — only the URL you ask it to scan, handled and retained exactly as described in sections 2 and 5.

10. Security

We hold traffic to HTTPS, rate-limit abusive activity, hash and isolate authentication credentials via Clerk, and store payment details exclusively inside Stripe. Details of our security posture are available on request for business customers.

11. Changes to this policy

If we change this policy we’ll update the “Last updated” date at the top. For material changes affecting your rights we’ll email account holders.