Privacy Policy

This policy covers workspace owners and team members who create or use an AgencyOS workspace, and any end-clientswhose data is processed through the Service on behalf of an agency. Where an agency uses AgencyOS to manage data about their own clients, the agency is the “data controller” andWebinhabit Corporationis the “data processor.”

2.1 Account & Workspace Data

When you register, we collect your name, email address, and (optionally) a profile photo via Google OAuth. When you create a workspace we collect the workspace name and the plan you choose.

2.2 Billing Data

Payment and subscription information is handled by Stripe. We store only a Stripe customer ID and subscription ID — we never see or store raw card numbers. For connected-agency invoice payments, Stripe processes payments directly between your clients and your connected Stripe Express account.

2.3 Service Usage Data

Tickets, time entries, invoices, estimates, CRM records, projects, tasks, messages, and any files you upload are stored in Firestore and Firebase Storage associated with your workspace. You own this data.

2.4 Email & Inbound Communications

If you enable ticket email ingestion, inbound emails (including headers, body, and attachments) are stored as ticket messages so your team can respond. We use Postmark to send transactional emails on your behalf.

2.5 Log & Technical Data

We collect standard server logs (IP address, browser type, request path, timestamps) for security, debugging, and performance monitoring. Logs are retained for 30 days.

2.6 Third-Party Integrations

When you connect optional integrations (OpenAI, Recall.ai, Google Drive, WhatsApp Business), we pass your data to those providers only as needed to fulfill the feature you configured. Your credentials for those services are encrypted at rest and never exposed in API responses.

2.7 In-Product Bug Reports

The Service includes a “Report a bug” button (powered by our in-house feedback widget) that lets workspace users send bug reports back to us. When you click that button and submit a report, the widget captures:

• the description, category, and severity you type;
• a screenshot of the page at the moment you click — you can review and annotate it before sending; nothing is transmitted until you press “Send report”;
• the page URL, page title, viewport and screen sizes, browser user-agent, and language;
• the most recent JavaScript errors, console warnings, failed network requests, and click/navigation breadcrumbs your browser captured before you opened the report (used to reproduce the bug);
• your name and email, your workspace ID, and your role, so we can follow up.

Bug reports are submitted only when you explicitly press “Send report” — there is no silent or background capture. Reports land in the support inbox operated by Webinhabit Corporation. Because the screenshot is captured from your screen, it may incidentally include data that happens to be visible at that moment (your own clients’ details, a draft message, an open invoice, etc.). We use this data solely to investigate and fix the bug you reported; we do not use it for marketing and we do not share it with other AgencyOS customers. Bug-report tickets and their attachments are retained for 12 months and then deleted, or sooner on request to privacy@agencyos.so.

• Provide, maintain, and improve the Service.
• Authenticate you and secure your workspace.
• Process subscription payments and send billing receipts via Stripe and Postmark.
• Send transactional emails — ticket notifications, invoice sends, team invitations.
• Respond to support requests submitted to privacy@agencyos.so.
• Comply with legal obligations and enforce our Terms of Service.

We do not sell your data. We do not use your workspace content for AI training without explicit opt-in.

We share data only with the following categories of third parties:

• Stripe — payment processing and Connect for agency invoice billing.
• Google Firebase / Firestore — database and file storage.
• Postmark — transactional email delivery.
• OpenAI / Recall.ai — when you explicitly enable those integrations.
• Law enforcement — when required by valid legal process.

We do not share workspace data with other AgencyOS customers.

Workspace data is retained for as long as your subscription is active and for 60 days after cancellation, after which it is permanently deleted. You may request earlier deletion by contacting us at privacy@agencyos.so. Server logs are automatically purged after 30 days.

Data in transit is encrypted using TLS 1.2+. Data at rest is encrypted using AES-256 by Google Cloud (Firebase/Firestore). Access to production systems is restricted to authorized engineers and protected by multi-factor authentication. Stripe is PCI-DSS Level 1 certified for payment data. Despite these measures, no system is 100% secure; you use the Service at your own risk.

The Service uses only functional cookies necessary for session management (Firebase Authentication tokens). We do not use advertising or tracking cookies. We do not use third-party analytics beacons.

Depending on your jurisdiction, you may have the right to access, correct, port, or delete your personal data. To exercise any of these rights, email privacy@agencyos.so. We will respond within 30 days. If you are located in the EU/EEA, you have the right to lodge a complaint with your local data protection authority.

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has created an account, contact us and we will delete it promptly.

We may update this policy from time to time. When we do, we will revise the “Last updated” date at the top and, for material changes, notify you by email or a banner inside the app at least 7 days before the change takes effect. Continued use of the Service after that date constitutes acceptance of the new policy.

Questions about this policy? Email us at privacy@agencyos.so or write to Webinhabit Corporation, 500 Westover Dr #4747, Sanford, NC 27330, USA.