Legal

Privacy Policy

Last updated: 31 March 2026 - AgentCore LTD - Company No. 17114811

1. Who We Are

AgentCore LTD is a company incorporated in England and Wales (Company No. 17114811), with its registered office at 20 Wenlock Road, London, England, N1 7GU. We operate Trust Agent.

We are the data controller for the personal data described in this policy. Contact us at info@trust-agent.ai.

2. What Data We Collect

We collect only what is necessary to provide the service:

Account data: Your name and email address, provided when you register or sign in (including via Google OAuth).
Subscription and billing data: Payment records processed via our payment provider. We do not store card numbers.
Session metadata: Timestamps, session duration, role used, token counts, and response latency. We log metadata only - never message content.
Wellbeing signals: Session frequency, duration, and recency patterns used to compute a Wellbeing Score. No message content is analysed.
Device and technical data: Browser type, operating system, and IP address for security and fraud prevention.

What we never collect: Session message content is processed in memory and immediately discarded. It is never stored on our servers, in logs, in analytics, or anywhere else.

3. The Brain - Your Companion Memory

Your Brain is the memory your companion builds about you across sessions. It is stored in a proprietary encrypted file format (.tagnt) using AES-256-GCM encryption with a key derived from your account credentials.

The Brain file is stored on your own device and synchronised to your personal cloud storage (Google Drive, Apple iCloud, or Microsoft OneDrive). It is never stored on Trust Agent servers. We cannot read, decrypt, or access your Brain data.

If your subscription lapses, your Brain file remains untouched on your cloud storage. It belongs to you permanently.

4. Google User Data

Trust Agent uses Google OAuth for sign-in and Google Drive for Brain file synchronisation. This section describes exactly how we handle Google user data.

4.1 Data Accessed

Authentication (openid, email, profile scopes): Your name and email address, used solely to create and identify your Trust Agent account.
Google Drive (drive.file scope only): We request the narrowest possible Drive scope. The drive.file scope permits us to read and write only files that our application explicitly creates. We create exactly one file: your encrypted Brain file (.tagnt format). We do not access, read, list, or interact with any other file in your Google Drive.

4.2 Data Usage

Name and email: Used to create your Trust Agent account, send transactional emails, and identify you across sessions. We do not use your email for marketing without your explicit consent.
Google Drive access: Used exclusively to sync your encrypted Brain file to your own Google Drive after each session. We write one file. We read one file. No other Drive data is accessed.

4.3 Data Sharing

We do not share, sell, transfer, or disclose any Google user data to any third party. Your name and email are stored in our secure database (Neon PostgreSQL, hosted on AWS eu-west-2, London). The Brain file written to your Google Drive is AES-256-GCM encrypted - Trust Agent cannot read its contents.

4.4 Data Storage and Protection

Your name and email are stored in an encrypted PostgreSQL database hosted in AWS eu-west-2 (London, UK).
No Google user data is stored in logs, caches, analytics systems, or third-party services.
The Brain file written to your Google Drive is encrypted before it leaves your device.
We do not use Google user data to train machine learning models.
We comply with the Google API Services User Data Policy, including the Limited Use requirements.

4.5 Data Retention and Deletion

Delete your account at any time via Settings - Privacy - Delete Account. All personally identifiable data is permanently deleted within 30 days.
Your Google Drive Brain file is under your sole control. We do not delete it on your behalf.
Revoke Trust Agent access at any time via myaccount.google.com/permissions.

Trust Agent's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5. How We Use Your Data

Provide and improve the Trust Agent service
Process your subscription and billing
Send transactional emails (account, billing, notifications)
Detect and prevent fraud and security threats
Comply with legal obligations
Compute anonymised platform statistics

We do not use your data for advertising. We do not sell your data.

6. Legal Basis for Processing (UK GDPR)

Contract: Processing account data and session metadata to provide the service.
Legitimate interests: Security monitoring, fraud prevention, and service improvement.
Legal obligation: Retaining billing records as required by UK tax law.
Consent: Marketing communications (where you have opted in).

7. Third-Party Services

Stripe / Revolut: Payment processing.
Resend: Transactional email delivery.
LiveKit: Real-time voice session infrastructure. Not stored.
ElevenLabs: Text-to-speech. Processed in real-time, not stored.
Deepgram: Speech-to-text. Processed in real-time, not stored.
AWS (eu-west-2): Cloud infrastructure.
Render: Application hosting.
Neon: PostgreSQL database (eu-west-2, London).

We do not share data with any other third parties or data brokers.

8. Your Rights

Under UK GDPR, you have the right to:

Access: Request a copy of your personal data.
Rectification: Correct inaccurate data.
Erasure: Delete your account and all associated data.
Portability: Export your Brain file (already in your own cloud storage).
Restriction: Restrict processing of your data.
Objection: Object to processing based on legitimate interests.

Email info@trust-agent.ai or use Settings - Privacy. We respond within 30 days.

You may also lodge a complaint with the ICO at ico.org.uk.

9. Cookies

We use only essential cookies for authentication. No advertising cookies, tracking pixels, or third-party analytics cookies.

10. Data Retention

Account data: Retained while active. Deleted within 30 days of account deletion.
Session metadata: Retained for 90 days, then deleted.
Billing records: Retained for 7 years (UK law).
Brain file: Your cloud storage. Not subject to our retention policy.

11. Children's Privacy

Child accounts (under 18) require a parent or guardian via Family plan. Subject to server-enforced 45-minute daily limits, content filtering, and guardian dashboard visibility (never content).

We comply with the UK Children's Code (AADC) and KCSIE 2024.

12. Changes to This Policy

We notify you of material changes by email and in-app notice. Continued use after notification constitutes acceptance.

13. Contact Us

Email: info@trust-agent.ai
Post: AgentCore LTD, 20 Wenlock Road, London, England, N1 7GU
In-app: Settings - Privacy - Contact Us

We aim to respond within 5 business days.

AgentCore LTD - Company No. 17114811 - 20 Wenlock Road, London, England, N1 7GU

Registered in England and Wales - Governed by UK GDPR and the Data Protection Act 2018