Privacy Policy

Last updated: 29 April 2026.

1. Who we are

Agent Broker (sole proprietor: Basil Mubarak Ali Al Shukaili, Sultanate of Oman). Privacy contact: basilalshukaili@gmail.com.

2. What we collect

• Account data: agent identity tokens, billing email, company name (if provided).
• Operational metadata: request timestamps, operation names, response codes, latency. Used for billing, abuse prevention, and debugging.
• Business data passed by your agent: phone numbers and email addresses are never stored in plaintext; we keep only an HMAC-SHA256 hash for compliance audit. Free-text message bodies are retained for 30 days at most, then deleted.

3. What we never collect

• End-user payment card details — Polar holds these on its PCI‑DSS Level 1 infrastructure; we receive only a redacted token.
• Biometric or special-category data.
• Recordings of voice calls (Vapi-side retention is configurable; we do not pull them into our systems).

4. How we use the data

• To deliver the Service you requested.
• To bill you accurately and produce signed receipts.
• To prove compliance with TCPA, GDPR, CASL, PDPL, and equivalents on request from a regulator or recipient.
• To detect abuse and enforce the Terms of Service.

5. Legal bases (GDPR / UK GDPR)

• Contract: processing necessary to deliver the Service you signed up for.
• Legitimate interests: abuse prevention, security logging, service improvement.
• Legal obligation: tax records, regulatory disclosures.

6. International transfers

Our application is hosted in Frankfurt, Germany (EU). Sub-processors may store data in the United States (Twilio, Resend, Polar, Cal.com). Where required, we rely on EU Standard Contractual Clauses and the Data Privacy Framework.

7. Sub-processors

• Render (Frankfurt) — application hosting.
• Twilio — SMS / voice carrier.
• Vapi — voice AI agent fallback.
• Resend — transactional email delivery.
• Cal.com — calendar API for booking flows.
• Polar — Merchant of Record for billing.

8. Retention

• Operational logs: 90 days.
• Free-text message bodies: 30 days.
• Compliance hashes: 7 years (statute of limitations for TCPA).
• Billing records: 7 years (Omani tax law).

9. Your rights

You may request access, correction, deletion, restriction, or portability of your data. EU/UK residents may also lodge a complaint with their supervisory authority. Email basilalshukaili@gmail.com — we respond within 30 days.

10. CCPA notice (California residents)

We do not sell personal information. You may request what we hold about you and ask for deletion at the address above.

11. Children

The Service is not directed at children under 16. We do not knowingly collect data from them.

12. Changes

Material changes to this policy will be announced on this page at least 30 days before they take effect.