1. Who we are
AgentData is a trading name of Mitus Trading Ltd, a company registered in England and Wales (company number 07828387), with its registered office at Building 18, Gateway 1000 Arlington Business Park, Whittle Way, Stevenage, England, SG1 2FP.
Data Protection Contact: privacy@agentdata.run
ICO Registration: [Pending]
In this policy, “AgentData”, “we”, “us”, and “our” refer to the service operated at agentdata.run.
2. What this policy covers
This policy applies to:
- The AgentData website at agentdata.run
- The AgentData REST API
- The AgentData MCP server
- Any related tools, integrations, or extensions
This policy is issued in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where applicable, the EU General Data Protection Regulation (EU GDPR) and the California Consumer Privacy Act (CCPA).
We process data relating to three groups of people:
- Visitors — people who browse agentdata.run without an account
- Users — people who create an AgentData account to use our services
- Business Profiles — individuals and companies whose publicly available professional information appears in our database
3. Data we collect from visitors
When you visit agentdata.run, we collect:
- Pages viewed and interactions (via Vercel Analytics, which is privacy-friendly and does not use cookies or collect personal data)
- IP address (processed by our hosting provider Vercel for security purposes, not stored by us)
We do not use advertising cookies, social media tracking pixels, or cross-site tracking of any kind.
4. Data we collect from users
When you create an AgentData account, we collect:
- Account data: email address, name (if provided), authentication method (email/password or Google OAuth)
- Payment data: processed and stored by Stripe. We do not store card numbers or bank details. We store your Stripe customer ID for billing purposes.
- Usage data: lookups performed, API calls made, exports purchased, features used, timestamps
- Communication data: support emails, feedback you send us
How we use this data
- To provide and maintain your account and access to the service
- To process payments and manage subscriptions
- To send transactional emails (welcome, receipts, usage alerts, export delivery)
- To monitor and prevent abuse of the service
- To improve the service based on aggregate usage patterns
Legal basis (UK GDPR Article 6)
- Contract performance (Art. 6(1)(b)): processing your account data and payments is necessary to provide the service you signed up for
- Legitimate interest (Art. 6(1)(f)): usage analytics, abuse prevention, and service improvement
- Consent (Art. 6(1)(a)): marketing communications, if you opt in (we do not currently send marketing emails)
How long we keep it
- Account data: retained while your account is active. Deleted within 30 days of an account deletion request.
- Payment records: retained for 7 years as required by UK tax law.
- Usage logs: retained for 12 months, then anonymised.
5. Data we collect about business profiles
AgentData maintains a database of company intelligence sourced from publicly accessible web pages. This section also serves as our transparency notice under UK GDPR Article 14, as this data is not collected directly from the individuals concerned.
What we collect
- Company name, domain, and website metadata
- Technology stack (detected from publicly available technical signatures on web pages)
- Publicly listed professional email addresses (from contact pages, team pages, about pages, and other public content)
- Professional names and job titles, where publicly displayed
- Professional social media profile URLs (LinkedIn, Twitter/X, GitHub), where publicly linked
- Web signals (whether a company has a public pricing page, blog, careers page, API documentation, or free trial)
- Industry classification (generated by automated analysis from publicly available company descriptions — see Section 6)
What we do NOT collect
- Personal or consumer email addresses (e.g. personal Gmail, Hotmail)
- Phone numbers
- Physical or postal addresses of individuals
- Financial information
- Health or medical data
- Political opinions, religious beliefs, trade union membership, or other special category data under UK GDPR Article 9
- Any data from password-protected or login-required pages
Sources
All data is collected from publicly accessible web pages. We do not purchase data from third-party brokers. We do not access private databases or leaked data.
Legal basis
We process business profile data under legitimate interest (UK GDPR Article 6(1)(f)).
We have conducted a Legitimate Interest Assessment which concluded that:
- Purpose: the processing serves a specific and legitimate B2B intelligence purpose — enabling businesses to identify potential customers, partners, and technology trends using publicly available information
- Necessity: the processing is necessary for this purpose; the data cannot reasonably be obtained by other means at the scale required to provide a useful service
- Balancing: the processing does not override the interests, rights, or freedoms of the individuals concerned because:
  - The data is already publicly available on the open web
  - The data is limited to professional and business context only
  - We do not process sensitive or special category data
  - Individuals can object and request removal at any time, and we honour all such requests promptly
  - We provide clear information about our processing (this policy)
  - Our processing is proportionate and expected in a B2B context
This is the same legal basis used by established B2B data providers operating in the UK and EU.
A copy of our Legitimate Interest Assessment is available on request to privacy@agentdata.run.
How long we keep it
Business profile data is retained for as long as it remains publicly available and accurate. Data is removed:
- Immediately upon a valid removal request (see Section 9)
- When the source data is no longer publicly accessible
- When we detect the data is no longer accurate
How we inform data subjects (Article 14)
Where we hold professional contact information about an individual, we provide transparency through this publicly accessible privacy policy and our data removal page at agentdata.run/legal/data-removal. Any individual can check whether we hold data about them and request removal at any time.
6. Automated processing
AgentData uses automated technology to classify companies by industry sector and business model based on publicly available website descriptions. This automated processing:
- Applies only to company-level data, not to individual personal data
- Does not produce legal effects concerning any individual
- Does not significantly affect any individual
- Is used solely to organise and categorise company profiles within our database
This processing does not constitute automated individual decision-making under UK GDPR Article 22.
7. Third-party processors
We share data with the following service providers, each of which processes data on our behalf under appropriate data processing agreements:
| Provider | Purpose | Location | Data processed |
|---|---|---|---|
| Supabase | Database hosting, authentication | EU (Frankfurt) | Account data, business profiles |
| Stripe | Payment processing | US | Payment data |
| Vercel | Website hosting, serverless functions | US/EU | Web traffic, API requests |
| Resend | Transactional email delivery | US | Email addresses, email content |
We do not sell personal data to any third party. We do not share personal data with advertisers.
Anthropic is used for AI-powered industry classification. Only company names and publicly available website descriptions are sent for classification. No personal data, email addresses, or contact information is sent.
A full sub-processor list is available on request to privacy@agentdata.run.
8. Your rights
If you are in the UK or European Economic Area
Under the UK GDPR, EU GDPR, and the Data Protection Act 2018, you have the right to:
- Access the personal data we hold about you (Article 15)
- Rectify inaccurate personal data (Article 16)
- Erase your personal data (Article 17, “right to be forgotten”)
- Restrict processing of your personal data (Article 18)
- Object to processing based on legitimate interest (Article 21)
- Data portability — receive your data in a structured, machine-readable format (Article 20)
- Withdraw consent at any time, where processing is based on consent
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or your local data protection authority
To exercise any of these rights, contact us at privacy@agentdata.run. We will respond within 30 days. There is no fee for exercising your rights, except in cases of manifestly unfounded or excessive requests.
If you are in California
Under the California Consumer Privacy Act (CCPA):
- You have the right to know what personal information we collect and how we use it
- You have the right to request deletion of your personal information
- You have the right to opt out of the sale of your personal information — AgentData does not sell personal information
- We will not discriminate against you for exercising your privacy rights
To exercise these rights, contact privacy@agentdata.run.
9. Data removal requests
Any individual or company can request removal of their data from our database at any time. We honour all removal requests regardless of your location.
To request removal:
- Email privacy@agentdata.run, or
- Use the form at agentdata.run/legal/data-removal
Upon receiving a valid request, we will:
- Remove your data within 14 days (we aim for 48 hours)
- Add your email address or domain to our suppression list to prevent re-collection
- Send you a confirmation when the removal is complete
10. International data transfers
Our primary database is hosted in the EU (Supabase, Frankfurt). Some processors are based in the United States (Stripe, Vercel, Resend).
For transfers from the UK/EEA to the US, we rely on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- The UK International Data Transfer Agreement (IDTA) where applicable
- Processors' compliance with applicable data protection frameworks
11. Data security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest (database-level encryption via Supabase)
- Authentication and access controls
- Regular security reviews
- Minimal data collection principles
In the event of a personal data breach that poses a risk to individuals' rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals without undue delay, as required by UK GDPR Articles 33 and 34.
If you discover a security vulnerability, please report it to security@agentdata.run.
12. Children
Our services are intended for business professionals aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a minor, we will delete it promptly.
13. Changes to this policy
We may update this policy from time to time. Material changes will be notified via our website and, where practicable, by email. The “last updated” date at the top indicates the most recent revision.
14. Contact
For any privacy-related questions or requests:
Email: privacy@agentdata.run
Data Protection Contact: Nick Timms