Legal
Privacy Policy
Last updated: 31 March 2026 - AgentCore LTD - Company No. 17114811
1. Who We Are
AgentCore LTD is a company incorporated in England and Wales (Company No. 17114811), with its registered office at 20 Wenlock Road, London, England, N1 7GU. We operate Trust Agent.
We are the data controller for the personal data described in this policy. Contact us at info@trust-agent.ai.
2. What Data We Collect
We collect only what is necessary to provide the service:
- Account data: Your name and email address, provided when you register or sign in (including via Google OAuth).
- Subscription and billing data: Payment records processed via our payment provider. We do not store card numbers.
- Session metadata: Timestamps, session duration, role used, token counts, and response latency. We log metadata only - never message content.
- Wellbeing signals: Session frequency, duration, and recency patterns used to compute a Wellbeing Score. No message content is analysed.
- Device and technical data: Browser type, operating system, and IP address for security and fraud prevention.
What we never collect: Session message content is processed in memory and immediately discarded. It is never stored on our servers, in logs, in analytics, or anywhere else.
3. The Brain - Your Companion Memory
Your Brain is the memory your companion builds about you across sessions. It is stored in a proprietary encrypted file format (.tagnt) using AES-256-GCM encryption with a key derived from your account credentials.
The Brain file is stored on your own device and synchronised to your personal cloud storage (Google Drive, Apple iCloud, or Microsoft OneDrive). It is never stored on Trust Agent servers. We cannot read, decrypt, or access your Brain data.
If your subscription lapses, your Brain file remains untouched on your cloud storage. It belongs to you permanently.
4. Google User Data
Trust Agent uses Google OAuth for sign-in and Google Drive for Brain file synchronisation. This section describes exactly how we handle Google user data.
4.1 Data Accessed
- Authentication (openid, email, profile scopes): Your name and email address, used solely to create and identify your Trust Agent account.
- Google Drive (drive.file scope only): We request the narrowest possible Drive scope. The
drive.filescope permits us to read and write only files that our application explicitly creates. We create exactly one file: your encrypted Brain file (.tagnt format). We do not access, read, list, or interact with any other file in your Google Drive.
4.2 Data Usage
- Name and email: Used to create your Trust Agent account, send transactional emails, and identify you across sessions. We do not use your email for marketing without your explicit consent.
- Google Drive access: Used exclusively to sync your encrypted Brain file to your own Google Drive after each session. We write one file. We read one file. No other Drive data is accessed.
4.3 Data Sharing
We do not share, sell, transfer, or disclose any Google user data to any third party. Your name and email are stored in our own PostgreSQL database, hosted on infrastructure we operate in the United Kingdom. The Brain file written to your Google Drive is AES-256-GCM encrypted — Trust Agent cannot read its contents.
4.4 Data Storage and Protection
- Your name and email are stored in an encrypted PostgreSQL database on infrastructure we operate in the United Kingdom. We do not use third-party database-as-a-service providers.
- File uploads (avatars, attachments, audit artifacts, investor documents) are stored on object storage we operate, not on a public cloud provider.
- No Google user data is stored in logs, caches, analytics systems, or third-party services.
- The Brain file written to your Google Drive is encrypted before it leaves your device.
- We do not use Google user data to train machine learning models.
- We comply with the Google API Services User Data Policy, including the Limited Use requirements.
4.5 Data Retention and Deletion
- Delete your account at any time via Settings - Privacy - Delete Account. All personally identifiable data is permanently deleted within 30 days.
- Your Google Drive Brain file is under your sole control. We do not delete it on your behalf.
- Revoke Trust Agent access at any time via myaccount.google.com/permissions.
Trust Agent's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.
5. How We Use Your Data
- Provide and improve the Trust Agent service
- Process your subscription and billing
- Send transactional emails (account, billing, notifications)
- Detect and prevent fraud and security threats
- Comply with legal obligations
- Compute anonymised platform statistics
We do not use your data for advertising. We do not sell your data.
6. Legal Basis for Processing (UK GDPR)
- Contract: Processing account data and session metadata to provide the service.
- Legitimate interests: Security monitoring, fraud prevention, and service improvement.
- Legal obligation: Retaining billing records as required by UK tax law.
- Consent: Marketing communications (where you have opted in).
7. Third-Party Services
Application hosting, database, object storage, and email relay are all operated by Trust Agent on infrastructure we control in the United Kingdom. The only third parties we transmit user data to are those strictly necessary to deliver a feature you are using:
- Stripe / Revolut: Payment processing.
- LiveKit: Real-time voice session infrastructure. Not stored.
- ElevenLabs: Text-to-speech. Processed in real-time, not stored.
- Deepgram: Speech-to-text. Processed in real-time, not stored.
- Google Drive / iCloud / OneDrive: Your own cloud storage, under your account, where your encrypted Brain file is written. You control the key.
We do not share data with any other third parties or data brokers. We do not use Neon, AWS, or Render.
8. Your Rights
Under UK GDPR, you have the right to:
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate data.
- Erasure: Delete your account and all associated data.
- Portability: Export your Brain file (already in your own cloud storage).
- Restriction: Restrict processing of your data.
- Objection: Object to processing based on legitimate interests.
Email info@trust-agent.ai or use Settings - Privacy. We respond within 30 days.
You may also lodge a complaint with the ICO at ico.org.uk.
9. Cookies
We use only essential cookies for authentication. No advertising cookies, tracking pixels, or third-party analytics cookies.
10. Data Retention
- Account data: Retained while active. Deleted within 30 days of account deletion.
- Session metadata: Retained for 90 days, then deleted.
- Billing records: Retained for 7 years (UK law).
- Brain file: Your cloud storage. Not subject to our retention policy.
11. Children's Privacy
Child accounts (under 18) require a parent or guardian via Family plan. Subject to server-enforced 45-minute daily limits, content filtering, and guardian dashboard visibility (never content).
We comply with the UK Children's Code (AADC) and KCSIE 2024.
12. Changes to This Policy
We notify you of material changes by email and in-app notice. Continued use after notification constitutes acceptance.
13. Contact Us
- Email: info@trust-agent.ai
- Post: AgentCore LTD, 20 Wenlock Road, London, England, N1 7GU
- In-app: Settings - Privacy - Contact Us
We aim to respond within 5 business days.
AgentCore LTD - Company No. 17114811 - 20 Wenlock Road, London, England, N1 7GU
Registered in England and Wales - Governed by UK GDPR and the Data Protection Act 2018