DRAFT — pending lawyer review. This Privacy Policy is a working draft prepared for founder + attorney review (CCPA, state privacy laws, GDPR/UK GDPR). It is NOT yet binding. Confirm data flows, sub-processor list, and retention periods with counsel before publishing.
Privacy Policy
Last updated: April 23, 2026 · Status: DRAFT
This Privacy Policy explains what information AgentReady™ collects, how we use it, who we share it with, and what rights you have. By using AgentReady™, you agree to the practices described here.
1. Information We Collect
When you register or use the service
- Account information: your email address, a hashed password, and your business name.
- Scan inputs: business name, URL, business type, location, and (optionally) a competitor URL.
- Scan results: the AARI score and component scores for every scan you run.
- Usage data: IP address, browser type, device type, pages visited, scan frequency.
When you make a purchase
- Payment information: handled by Stripe. We don't store your full credit card number; we store a Stripe customer ID and the payment's metadata (amount, status, date).
- Billing address: collected by Stripe if needed for tax calculation.
- Purchase history: which packages / reports / subscriptions you've bought, when, and at what price.
When you buy a Done-For-You (DFY) package
To deliver DFY, we temporarily collect and use credentials you provide — typically website admin logins (WordPress / Wix / Squarespace), Google Business Profile manager access, FTP credentials, or similar. We store these in a password manager (1Password or Bitwarden Send), restrict access to the engineer working your delivery, and delete them within 14 days of delivery.
When we send you email
- Email delivery data: whether emails were delivered, opened, or clicked (via SendGrid).
2. How We Use Your Information
| Purpose | What we use |
| --- | --- |
| Provide the service — run scans, generate reports, deliver packages | Scan inputs + account info |
| Process payments | Email + payment info (via Stripe) |
| Send transactional email (scan complete, purchase receipt, password reset) | Email + account info |
| Send product updates and marketing (with your consent — you can opt out anytime) | Email |
| Debug issues, prevent abuse, protect platform integrity | Usage data + IP |
| Improve our scoring algorithm (aggregated, anonymized data only) | Scan results across the database |
| Comply with legal obligations | Any of the above, as required |
3. How We Share Your Information
We don't sell your personal information. We share it only with:
- Infrastructure providers — Vercel (hosting), Supabase (database), SendGrid (email), Stripe (payments), Sentry (error tracking). These providers process data on our behalf under data-processing agreements.
- Third-party platforms you authorize us to interact with — Google Business Profile, Apple Business Connect, Bing Places, Meta, Healthgrades, Zocdoc, etc. — but only within the specific permissions you grant during DFY delivery.
- AI model providers — Anthropic (Claude), OpenAI (ChatGPT), Google (Gemini), Perplexity — when we query them to measure AI discoverability on your behalf. These queries contain your business name, type, and location (public information); they don't contain your email or payment data.
- Legal requirements — if we're legally required (e.g., subpoena, court order), we will disclose information only to the extent required.
- Business transfers — if AgentReady™ is acquired or merged, your data may transfer to the new owner under equivalent privacy commitments.
4. How Long We Keep Your Data
- Account information: until you close your account.
- Scan results: until you close your account, or up to 3 years for aggregated / anonymized analysis after that.
- Purchase records: 7 years (required for tax and accounting compliance).
- DFY credentials: maximum 14 days from delivery, then permanently deleted.
- Email-delivery logs: 90 days.
5. Your Rights
You have the right to:
- Access the personal information we hold about you
- Correct inaccuracies
- Delete your account and associated data (some records may be retained for legal compliance — see §4)
- Export your data in a portable format
- Opt out of marketing emails (transactional emails required to operate the service will still be sent)
To exercise any of these rights, email founders@agentready.us. We'll respond within 30 days.
California residents (CCPA)
If you're a California resident, you have additional rights under the California Consumer Privacy Act — including the right to know what personal information we sell (we don't sell any), and the right to opt out of sale. To exercise CCPA rights, email us at the address above.
EU / UK residents (GDPR)
If you're in the EU or UK, you have rights under the GDPR / UK GDPR. Our lawful bases for processing are: (a) contract performance (to provide the service you signed up for); (b) legitimate interest (to improve our service and prevent abuse); (c) consent (for marketing emails). You have the right to lodge a complaint with your local supervisory authority.
6. Cookies and Tracking
We use:
- Essential cookies: for session management (login), security (CSRF protection), and basic site functionality.
- Analytics cookies: to understand how the site is used (aggregated only, no individual tracking).
We don't use advertising cookies or cross-site tracking.
7. Children's Privacy
AgentReady™ isn't designed for anyone under 18. We don't knowingly collect personal information from children under 13. If you believe we've collected information from a child, contact us and we'll delete it.
8. Security
We use industry-standard security measures to protect your information:
- Passwords are hashed with bcrypt; we never store plaintext passwords.
- All traffic is encrypted with TLS (HTTPS).
- Payment data is processed by Stripe (PCI-DSS Level 1 compliant); we don't store card numbers ourselves.
- DFY credentials are stored in a password manager with per-engineer access control and are deleted within 14 days of delivery.
- Database access is restricted to authorized team members and protected by strong authentication.
No security system is perfect. If a breach affects your information, we'll notify you and take corrective action as required by law.
9. International Transfers
We operate in the US, but our infrastructure providers process data in regions including Singapore (Supabase) and the US. If you're outside the US, by using AgentReady™ you consent to your data being processed in these regions, which may have different privacy laws than your home country.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced via email to registered users at least 30 days before taking effect.
11. Contact
Questions about this Privacy Policy? Reach us at founders@agentready.us.
Note: This Privacy Policy is a reasonable starting default. Before you onboard significant paying customers, have an attorney familiar with US privacy law (CCPA, state-specific requirements) and GDPR (if you plan to serve EU/UK customers) review this document alongside your actual data-handling practices.