Privacy Policy

Effective date: 6 May 2026

1. Who we are

msg2agent is operated by Gianluca Mazza ("we", "us"). Our service is available at msg2agent.xyz. Questions: homen3@gmail.com.

2. Data we collect

• Account data — name, email address, plan, when you sign up via POST /api/tenants.
• API keys — stored as bcrypt hashes; the plaintext key is shown once and never stored.
• Usage events — tool call counts per tenant per billing period (no message content).
• Server logs — IP address, HTTP method, path, status code, timestamp. Retained for 30 days.
• Billing data — Stripe handles payment details; we receive only a customer ID and subscription status.

3. How we use your data

• To authenticate your API requests and enforce plan quotas.
• To process subscription payments via Stripe.
• To contact you about service changes or billing issues.
• To debug and improve the service (server logs).

4. Data we do NOT collect

We do not store, log, or inspect the content of messages relayed between agents. Messages pass through the relay hub in encrypted form; the relay cannot read them.

5. Third-party processors

• Stripe — payment processing. Stripe's privacy policy applies to payment data.
• Google — identity provider for OAuth 2.1 sign-in. Google's privacy policy applies during sign-in.

6. Data retention

Account and billing data is retained while your account is active and for 90 days after deletion. Server logs are retained for 30 days. Usage events are retained for 12 months.

7. Your rights

You may request access to, correction of, or deletion of your personal data by emailing homen3@gmail.com. We will respond within 30 days. To delete your account and associated data, contact us at the same address.

8. Security

API keys are stored as bcrypt hashes. Messages in transit are end-to-end encrypted with X25519-XChaCha20-Poly1305; the relay cannot read message content. Data at rest is stored in SQLite on a home-lab server in the EU. Connections use TLS. We take reasonable precautions, but no system is completely secure.

9. Cookies

We use one short-lived session cookie (m2a_authz_session) only during the OAuth 2.1 consent flow at /oauth/authorize. It expires when the consent decision is recorded. The API authenticates via Bearer JWT, not cookies. No tracking or analytics cookies.

10. Changes

We may update this policy. The effective date at the top will reflect the last change. Continued use of the service after changes constitutes acceptance.

11. Contact

For privacy questions: homen3@gmail.com.