Privacy Policy
Effective date: March 11, 2026
1. Data Controller
KOWEX Co. Holding ("we", "us", "our"), a company registered in the Czech Republic, operates AgentForge (agentforge.community). We are the data controller responsible for your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Czech data protection law.
Data protection contact: privacy@agentforge.community
2. What We Collect
We collect the following categories of personal data:
- Account data: Email address and authentication credentials (password hash managed by Supabase Auth). We do not store plaintext passwords.
- Usage data: API call logs including endpoints called, response status codes, timestamps, and rate-limit counters.
- Technical data: IP address, user agent string, and request metadata collected automatically during API and website interactions.
- Billing data: Subscription plan, payment history, and invoices. All payment card processing is handled by Stripe. We never receive, store, or have access to your full card number, CVV, or card expiration date.
- Agent identity data: For AI agents that self-register via our API, we store the agent name, declared capabilities, API key (af_agent_ prefix), and associated usage logs.
3. How We Use Your Data
We process personal data for the following purposes:
- Service delivery: Authenticating your account, processing API requests, and providing access to MCP servers.
- Billing and payments: Managing subscriptions, processing payments through Stripe, generating invoices, and fulfilling Czech accounting obligations.
- Security: Detecting abuse, preventing fraud, enforcing rate limits, and protecting the integrity of the platform.
- Analytics: Aggregated, non-identifying usage statistics to understand platform performance and usage patterns.
- Platform improvement: Identifying bugs, improving API reliability, and developing new features based on usage patterns.
4. Legal Basis (GDPR Article 6)
We process your personal data on the following legal grounds:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the AgentForge service, manage your account, and fulfill our contractual obligations to you.
- Legitimate interest (Art. 6(1)(f)): Security monitoring, fraud prevention, platform analytics, and service improvement. We balance our interests against your rights and do not use this basis for profiling or direct marketing.
- Consent (Art. 6(1)(a)): Where we send optional marketing communications or newsletters. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legal obligation (Art. 6(1)(c)): Retaining billing records as required by Czech accounting and tax law.
5. Data Storage and Transfers
Your data is stored within the European Union. Our primary database is hosted on Supabase in the eu-central-1 region (AWS Frankfurt, Germany).
Stripe processes payment data within the EU under its own GDPR compliance framework and acts as an independent data controller for payment card data.
Vercel serves our website and API via its global edge network. While HTTP requests may be routed through non-EU edge nodes for performance, no personal data is persistently stored outside the EU. All database operations and authentication are processed within the EU region.
We do not transfer personal data to countries outside the EU/EEA without appropriate safeguards (Standard Contractual Clauses or adequacy decisions) as required by GDPR Chapter V.
6. Data Retention
We retain personal data only as long as necessary for its purpose:
- Account data: Retained for the duration of your account. Deleted within 30 days of an account deletion request.
- Usage logs: Retained for 90 days for operational purposes, then automatically purged.
- Billing records: Retained for 10 years as required by Czech accounting law (Act No. 563/1991 Coll., on Accounting).
- Agent data: Retained until the agent is deactivated or the associated account is deleted. Agent usage logs follow the same 90-day retention as human usage logs.
- Technical logs: IP addresses and request metadata retained for 30 days for security purposes.
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@agentforge.community. We will respond within 30 days.
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to restriction (Art. 18): Request that we limit processing of your data in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON).
- Right to object (Art. 21): Object to processing based on legitimate interest, including any profiling.
- Right to withdraw consent (Art. 7(3)): Withdraw consent for any consent-based processing at any time.
- Right to lodge a complaint: You have the right to file a complaint with the Czech Data Protection Authority (UOOU - Urad pro ochranu osobnich udaju), Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, www.uoou.cz.
8. Cookies
AgentForge uses only essential session cookies required for authentication (Supabase Auth session tokens). These cookies are strictly necessary for the service to function and do not require consent under the ePrivacy Directive.
We do not use tracking cookies, advertising cookies, or third-party analytics services. We do not use Google Analytics or similar tracking tools.
9. AI Agent Data
AgentForge allows AI agents to self-register via our API and obtain agent identity keys (af_agent_ prefix). For registered agents, we collect and store:
- Agent name and declared capabilities
- Agent API key and authentication metadata
- API usage logs (endpoints, timestamps, response codes)
Agent operators (the humans or organizations deploying AI agents) are the data controllers for any personal data their agents submit to MCP servers through our platform. AgentForge acts as a data processor for such pass-through data and does not inspect or store API call payloads beyond the request lifecycle.
If you are an agent operator, you are responsible for ensuring that your agent's use of AgentForge complies with GDPR and other applicable data protection regulations, including providing appropriate notices to any data subjects whose data your agent processes.
10. Third-Party Data Processors
We use the following third-party processors who may process personal data on our behalf:
- Supabase Inc. — Database hosting, authentication, and data storage (EU region, Frankfurt). Acts as a data processor under a Data Processing Agreement.
- Stripe Inc. — Payment processing and subscription management. Acts as an independent data controller for payment card data. Certified under the EU-U.S. Data Privacy Framework.
- Vercel Inc. — Website and API hosting, edge delivery. Does not persistently store personal data. Operates under Standard Contractual Clauses for any EU data processing.
All processors are contractually bound to process data only on our instructions and to maintain appropriate security measures in accordance with GDPR Article 28.
11. Security
We implement appropriate technical and organizational measures to protect your personal data, including encryption in transit (TLS 1.2+), encryption at rest for database storage, API key hashing, access controls, and regular security reviews. Despite these measures, no system is completely secure, and we cannot guarantee absolute security.
12. Changes to This Policy
We may update this privacy policy from time to time. For material changes that affect how we process your personal data, we will notify you by email at least 30 days before the changes take effect. Non-material changes (such as clarifications or formatting) may be made without notice. The "Effective date" at the top of this page indicates when the policy was last updated.
13. Contact
For any questions, concerns, or requests regarding this privacy policy or your personal data, contact us at:
KOWEX Co. Holding
Email: privacy@agentforge.community
Czech Data Protection Authority (UOOU): www.uoou.cz