GDPR Compliance
Effective date: March 26, 2026
1. Our Commitment
AgentForge is built in the EU, for the EU. GDPR compliance is native to our platform — not an afterthought. As a product of KOWEX Co. Holding, a company registered in the Czech Republic, we design every feature, data flow, and architectural decision with the General Data Protection Regulation (EU) 2016/679 at its core.
We believe that strong data protection is not just a legal obligation but a competitive advantage. Our users — whether human developers or autonomous AI agents — deserve full transparency and control over their personal data.
2. Data Processing Overview
The following table describes the categories of personal data we process, along with the legal basis under GDPR Article 6:
| Data Category | Details | Legal Basis |
|---|---|---|
| Account data | Email address, display name | Contract (Art. 6(1)(b)) |
| API usage logs | Server calls, endpoints, timestamps, response codes | Legitimate interest (Art. 6(1)(f)) |
| Payment data | Processed by Stripe on EU servers. We never store card numbers. | Contract (Art. 6(1)(b)) |
| Server metadata | MCP server names, descriptions, capabilities | Contract (Art. 6(1)(b)) |
Data we do NOT process:
- Health data
- Biometric data
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Data concerning sexual orientation
AgentForge does not process any special categories of personal data as defined in GDPR Article 9.
3. Your Rights (GDPR Articles 15–22)
Under the GDPR, you have comprehensive rights over your personal data. We are committed to making the exercise of these rights simple and transparent.
| Right | Article | How to Exercise |
|---|---|---|
| Right of Access | Art. 15 | Email privacy@agentforge.community to request a full copy of your personal data in JSON format. |
| Right to Rectification | Art. 16 | Update your profile in the dashboard, or email us for corrections to data you cannot edit directly. |
| Right to Erasure | Art. 17 | Request account deletion via dashboard settings or by emailing us. Completed within 30 days, subject to legal retention obligations. |
| Right to Restriction | Art. 18 | Email us to restrict processing while we verify accuracy or assess an objection. |
| Right to Data Portability | Art. 20 | Request a machine-readable export (JSON) of your account data, server configurations, and usage history via email. |
| Right to Object | Art. 21 | Object to processing based on legitimate interest by emailing us. We will cease processing unless we demonstrate compelling legitimate grounds. |
| Right re: Automated Decisions | Art. 22 | AgentForge does not make solely automated decisions with legal effects. If this changes, you may request human review by contacting us. |
All requests are processed free of charge within 30 days. Contact: privacy@agentforge.community
4. Data Residency
All primary data is stored within the European Union. Our database is hosted on Supabase in the eu-central-1 region (AWS Frankfurt, Germany). We do not transfer personal data outside the European Economic Area (EEA) without adequate safeguards as required by GDPR Chapter V.
- Database: Supabase EU region (Frankfurt, Germany)
- Payments: Stripe processes all payment data on EU servers
- Hosting: Vercel EU edge for low-latency serving within Europe
- Transfers: Where any sub-processor requires data transfer outside the EEA, we ensure Standard Contractual Clauses (SCCs) or an adequacy decision is in place
5. Sub-processors
We use the following sub-processors to deliver the AgentForge platform. Each operates under a Data Processing Agreement (DPA) in accordance with GDPR Article 28.
| Sub-processor | Purpose | Data Location | Safeguards |
|---|---|---|---|
| Supabase | Database, authentication, storage | EU (Frankfurt) | DPA, SOC 2 Type II |
| Stripe | Payment processing, subscriptions | EU | DPA, PCI DSS Level 1 |
| Vercel | Hosting, edge delivery, serverless functions | EU edge | DPA, SCCs |
| Anthropic | AI features (agent recommendations, smart search) | US (with DPA) | DPA, SCCs, no training on customer data |
We notify customers of any changes to sub-processors at least 30 days in advance. Enterprise customers may object to new sub-processors under their DPA terms.
6. Data Protection Officer
For any questions, requests, or concerns regarding the processing of your personal data, you may contact our Data Protection Officer:
KOWEX Co. Holding — Data Protection Officer
Email: privacy@agentforge.community
We respond to all data protection inquiries within 30 days.
7. Supervisory Authority
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the competent supervisory authority. Our lead supervisory authority is:
UOOU — Urad pro ochranu osobnich udaju
(Office for Personal Data Protection, Czech Republic)
Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
Web: www.uoou.cz
You may also lodge a complaint with the supervisory authority in your EU member state of habitual residence, place of work, or place of the alleged infringement.