Privacy Policy
Overview
The Agentability Project is an open research initiative operated without corporate structure. We are not a registered company. This policy explains what limited personal data we collect when you use the audit tool at agentability.io, how we store it, and what rights you have over that data — including under the EU's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA).
We do not serve advertising. We do not sell your data. We do not use tracking cookies. We do not use third-party analytics platforms. The only data we collect is what is strictly necessary to operate the audit tool.
What we collect
When you submit an audit, we collect and store the following data:
| Data | Purpose | Retained |
|---|---|---|
| Email address | Rate limiting — enforces the 3 free audits per email limit | Until you request deletion |
| Audited URL | Identifies the page that was scored; enables re-audit tracking over time | Until you request deletion |
| Audit results | Stores your score and principle breakdown; used to track score changes over time | Until you request deletion |
| Audit timestamp | Records when each audit was run | Until you request deletion |
We do not collect your name, company, payment information, location, device identifiers, browser fingerprint, or any other personal data beyond what is listed above.
We do not set cookies. We do not use localStorage or sessionStorage to track you. There are no analytics pixels or tracking scripts on this site.
Where data is stored
Audit data is stored in Supabase, a hosted PostgreSQL database service. Our Supabase project is hosted in the EU region.
Audit requests are processed by an automation workflow running on a server located in Germany (Hetzner Cloud, Frankfurt). The audited page is fetched by this server at the time of the audit.
Legal basis for processing (GDPR)
If you are in the European Economic Area (EEA), our legal basis for processing your email address and audit data is legitimate interests (Article 6(1)(f) GDPR) — specifically, our legitimate interest in preventing abuse of the free audit service through rate limiting. We collect only the minimum data necessary for this purpose.
By submitting an audit, you also consent to the storage of your audit results and email for the purposes described in this policy. You may withdraw consent at any time by requesting deletion (see below).
Your rights
Under GDPR (EU / EEA residents)
You have the right to:
- Access — request a copy of all data we hold about you
- Erasure ("right to be forgotten") — request deletion of all your data
- Rectification — request correction of inaccurate data
- Portability — receive your data in a machine-readable format
- Restriction — request that we limit processing of your data
- Object — object to processing based on legitimate interests
Under CCPA (California residents)
You have the right to:
- Know what personal information we collect and how it is used
- Delete your personal information (subject to limited exceptions)
- Opt out of sale — we do not sell your data. This right is satisfied by default.
- Non-discrimination — we will not discriminate against you for exercising your rights
To exercise any of these rights, email us at the address below. We will respond within 30 days. There is no fee for requests made in good faith.
Include "Data Request" in the subject line and the email address associated with your audit(s).
Data sharing and third parties
We do not sell, rent, trade, or share your personal data with third parties for commercial purposes — ever.
We use the following sub-processors to operate the service. All are bound by their own privacy policies and data processing agreements:
- Supabase — database storage (EU region, Frankfurt)
- Hetzner Cloud — server hosting (Germany)
We do not use Google Analytics, Meta Pixel, Hotjar, Segment, Mixpanel, or any other analytics or advertising sub-processors.
Cookies and tracking
We do not use cookies. We do not use web beacons, tracking pixels, fingerprinting, or any other passive tracking technology. No consent banner is shown because there is nothing to consent to.
This site uses no persistent browser storage. The audit form state is held in memory during your session only.
Data retention
We retain your audit data indefinitely unless you request deletion. The rationale is longitudinal research — comparing how products score over time as they update. Retained data is used only for this research purpose.
You may request deletion at any time and we will permanently delete all records associated with your email address within 30 days.
Security
Data is encrypted in transit (TLS 1.2+) and encrypted at rest in Supabase. Access to the database is restricted to service-level credentials; no public access is permitted. We follow Supabase's security recommendations and use row-level security where applicable.
No system is completely secure. If you discover a security issue, please report it to hello@agentability.io.
Children's privacy
This service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected data from a child, please contact us for immediate deletion.
Changes to this policy
We will update this policy if our data practices change. The effective date at the top of this page reflects the most recent update. Significant changes will be noted in a revision note at the top of this page.
Contact
For any privacy-related questions, data access requests, or deletion requests:
This is the sole contact point. There is no postal address — this is an open research initiative with no physical office.
We aim to respond to all privacy requests within 30 days. GDPR requests will be handled within the legally required 30-day window. CCPA requests will be handled within 45 days as permitted by law.