This Privacy Policy explains how Triptomize (“Triptomize”, “we”, “us”), operator of the APIgent service, collects, uses, discloses, and protects your personal data when you use the APIgent service (the “Service”).
We have written this policy to satisfy the transparency requirements of the EU General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA). If you are located outside these regions, equivalent rights may apply to you under local law.
1. Who we are
The data controller responsible for your personal data is Triptomize, a business established in the Netherlands and operator of the APIgent service. You can contact us about privacy matters at triptomize@codecrox.com; a precise correspondence address in the Netherlands is available on request via the same email.
Because Triptomize is established within the European Union, we do not need to appoint an Article 27 EU representative. We are not separately established in the United Kingdom and have not appointed a UK Article 27 representative; if you are a UK resident and need to exercise UK GDPR rights, please contact us at triptomize@codecrox.com.
2. Personal data we collect
2.1 Information you give us
- Account data: your email address, display name, and (when registering with email) a password you choose, which we never store in plaintext (authentication is handled by Firebase Authentication — see §5 below).
- Profile data from federated sign-in: if you sign in with Google, we receive a limited profile (name, email, profile picture, and a stable identifier) from Google.
- Workspace configuration: the tools you connect, the models you configure, the spaces and threads you create, and similar settings you enter.
- Conversation content: the prompts you send, the responses generated by the AI models, intermediate tool calls and results captured during a run, and any feedback you provide on those outputs.
- Connected-tool credentials: the API tokens, OAuth refresh tokens, database passwords, AWS keys, and similar secrets you enter when connecting a third-party tool. These are encrypted at rest (see §7).
- Communications with us: the contents of emails or support requests you send to us.
2.2 Information we collect automatically
- Technical data: IP address, user-agent, device and browser information, timestamps of requests, error and performance logs generated when you use the Service.
- Usage data: which pages, features, and tool actions you use; thread and run identifiers; durations and outcomes (success/failure) of actions you initiate.
- Cookies and similar technologies: see our Cookie Policy.
2.3 Information from third parties
- Identity providers (e.g. Google for federated sign-in) send us the profile data referred to in §2.1.
- Connected tools you authorise: we read data from your third-party tools (e.g. issues, documents, spreadsheet rows, database rows) only when you instruct the agent to do so. We do not maintain standing copies of that data outside what is needed to render the result of the run you triggered and to keep an audit record of it.
3. How we use personal data, and our legal bases
Under the GDPR we must rely on a lawful basis for each processing activity. The table below sets out, for each purpose, what we do and our basis.
- Provide the Service — creating your account, running agent threads, processing your prompts and routing them to the AI model you select, executing the tool actions you instruct. Basis: performance of a contract with you (Art 6(1)(b)).
- Keep the Service secure and prevent abuse — detecting attacks, enforcing rate limits, investigating misuse, auditing access. Basis: legitimate interests in operating a secure service (Art 6(1)(f)), and compliance with legal obligations (Art 6(1)(c)).
- Communicate operationally with you — sending service messages such as security alerts, important changes, or responses to your support requests. Basis: performance of a contract (Art 6(1)(b)) and legitimate interest in supporting you (Art 6(1)(f)).
- Improve and develop the Service — analysing aggregated usage to understand which features are valuable, debugging issues, and evaluating product changes. We use the minimum data necessary, and where cookies/analytics are involved we only do so with your consent. Basis: consent for analytics cookies (Art 6(1)(a)); otherwise our legitimate interest in product improvement (Art 6(1)(f)).
- Marketing — only with your prior consent for any non-essential marketing communications, and always with an easy opt-out. Basis: consent (Art 6(1)(a)).
- Comply with law — responding to lawful requests from authorities, exercising or defending legal claims. Basis: legal obligation (Art 6(1)(c)) and legitimate interest in defending claims (Art 6(1)(f)).
Where our basis is legitimate interest, we have balanced our interest against your rights and freedoms. You have the right to object to processing based on legitimate interest — see §9.
4. Special note on AI processing
When you submit a prompt or run an agent, the content you submit, the content the agent retrieves from connected tools in order to answer you, and the resulting outputs may be transmitted to the third-party AI provider whose model you have selected for that thread. Each provider acts as a separate data controller or processor under its own terms and privacy notice. We do not train AI models on your data ourselves, and we configure our integrations so that the providers we use do not train their general models on your data unless you have specifically opted in with that provider (subject to the provider’s own policies, which you should review).
The Service does not make solely automated decisions that produce legal or similarly significant effects concerning you within the meaning of GDPR Art 22. Any AI output is a draft for you to evaluate, edit, and act on at your discretion.
5. Who we share personal data with
We do not sell your personal data, and we do not share it for cross-context behavioural advertising. We share your personal data with the following categories of recipients, each engaged under contracts that require them to protect the data:
- Cloud infrastructure providers — Amazon Web Services, Inc. and its EU/UK affiliates, which host the application, databases, and the encrypted secrets store.
- Authentication — Google LLC (Firebase Authentication), which manages your sign-in credentials and federated identity flow.
- AI model providers — depending on the model you select for a given thread, your prompts and the relevant context may be sent to and processed by Anthropic, OpenAI, Google (Gemini), or DeepSeek. You can change or restrict providers in your workspace model settings.
- Connected tools you authorise — when you direct the Service to call a third-party tool (Jira, Slack, GitHub, Google Workspace, a database, etc.), we transmit the data necessary to perform that call to that tool. The tool processes data under its own terms.
- Operational service providers — for email delivery, error monitoring, customer support, fraud prevention, and similar functions. A current sub-processor list is available on request from triptomize@codecrox.com.
- Professional advisers — lawyers, accountants, and auditors, when needed for the lawful operation of our business.
- Authorities and other parties — when required by law, court order, or to protect our rights or those of others.
- Successors — in connection with a merger, acquisition, or sale of assets, subject to the acquiring party honouring this policy.
6. International transfers
Some of the recipients listed in §5 are located outside the European Economic Area or the United Kingdom, notably in the United States. Where we transfer personal data internationally we rely on a valid transfer mechanism under GDPR Chapter V — for example the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or an adequacy decision such as the EU–US Data Privacy Framework where the recipient is certified. You can request a copy of the relevant safeguards by contacting triptomize@codecrox.com.
7. Security
We take security seriously. In particular:
- Connections to the Service are protected by Transport Layer Security (TLS).
- Connected-tool credentials are encrypted at rest in our secrets store (AWS Secrets Manager in production environments) and are decrypted only in memory at the moment we make a call to the corresponding tool on your behalf.
- Access to personal data is limited to personnel who need it to perform their role, and is logged.
- We operate environment separation between production and non-production systems and apply security patches regularly.
No method of transmission or storage is completely secure, however, and we cannot guarantee absolute security. If you believe you have discovered a security vulnerability, please contact us at triptomize@codecrox.com.
8. How long we keep personal data
- Account data: for as long as your account is active, plus a reasonable period after closure to handle queries and meet legal obligations (typically up to 12 months unless a longer period is required by law).
- Conversation content and run history: until you delete the thread or close your account.
- Connected-tool credentials: until you remove the connection or close your account, at which point they are deleted from our secrets store.
- Security and audit logs: typically up to 12 months, longer where required to investigate an incident or to comply with law.
- Billing records (if you have paid us): for the period required by tax and accounting law (typically up to 7 years).
9. Your rights
Under the EU GDPR and UK GDPR, you have the following rights, subject to legal limits and exceptions:
- Access — a copy of the personal data we hold about you;
- Rectification — correction of inaccurate or incomplete data;
- Erasure — deletion of your personal data in certain circumstances (the “right to be forgotten”);
- Restriction — to restrict processing in certain circumstances;
- Portability — to receive personal data you provided to us in a structured, commonly used, machine-readable format and to transmit it to another controller;
- Objection — to object to processing based on our legitimate interests, and at any time to direct marketing;
- Withdraw consent — where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing;
- Lodge a complaint — with your local data protection supervisory authority. In the UK this is the Information Commissioner’s Office (ico.org.uk). In the EU you can identify your authority at edpb.europa.eu/about-edpb/about-edpb/members_en.
If you are a California resident, in addition to the rights above you have the right to know what personal information we have collected about you, to delete that information, to correct inaccurate information, to opt out of any “sale” or “sharing” of personal information (we do not sell or share personal information for cross-context behavioural advertising), to limit the use of sensitive personal information, and to non-discrimination for exercising your rights.
To exercise any of these rights, email triptomize@codecrox.com. We will respond within the time limits required by applicable law (typically within one month under the GDPR). We may need to verify your identity before acting on a request. You may also authorise an agent to act on your behalf, subject to verification.
10. Children
The Service is not directed to children. We do not knowingly collect personal data from anyone under sixteen (16), or the higher minimum age set by applicable law in your country. If you believe a child has provided us with personal data, please contact triptomize@codecrox.com and we will take appropriate steps.
11. Cookies
Our use of cookies and similar technologies, and your choices about them, are described in our Cookie Policy.
12. Third-party links
The Service may include links to third-party sites or open third-party tools in connection with your instructions. We are not responsible for the privacy practices of those parties. Review their notices before sharing data with them.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes we will notify you, for example by email or by a prominent notice in the Service, before they take effect. The “Effective date” above always reflects the version currently in force.
14. How to contact us
Privacy queries: triptomize@codecrox.com.
Postal address: a precise correspondence address in the Netherlands is available on request via the email above.
Triptomize has not appointed a Data Protection Officer; please send data-protection inquiries to the email above.