Privacy Policy
Effective date: March 24, 2026
Reducibl (“we,” “us,” or “our”) operates the Agentic Control Plane website (agenticcontrolplane.com) and the GatewayStack platform, including associated cloud services, documentation, and open-source tooling. This Privacy Policy describes how we collect, use, and protect your information when you use our services.
1. Information We Collect
Information you provide
- Account information. When you create an account for Agentic Control Plane Cloud, we collect your name, email address, and organization name. Authentication is handled by Firebase Authentication; we do not store passwords.
- Contact information. When you email us or submit a form, we collect the information you provide (name, email, message content).
- Payment information. If you subscribe to a paid plan, payment processing is handled by Stripe. We do not store credit card numbers or bank account details on our servers. Stripe receives your payment method details, billing address, and email. See Stripe’s privacy policy.
Information collected automatically
- Analytics data. We use Plausible Analytics (self-hosted at analytics.reducibl.com) to collect anonymized usage statistics. Plausible is a privacy-first analytics platform that does not use cookies, does not track individuals across sites, and does not collect personal data. All analytics data is aggregated and cannot be used to identify individual users.
- Server logs. Our infrastructure providers (Google Cloud Platform, Firebase) may collect standard server logs including IP addresses, request timestamps, and HTTP metadata. These logs are used for security monitoring and debugging, and are retained for up to 30 days.
Information processed through GatewayStack Cloud
If you use Agentic Control Plane Cloud (our managed gateway service), the gateway processes API requests on your behalf. This includes:
- API request metadata. Tool name, user identifier, timestamp, latency, and success or failure status. This metadata is stored in audit logs.
- Request and response content. The gateway processes request arguments and response payloads in memory to execute tool calls. By default, request and response content is not stored. Workspace administrators may optionally enable truncated input/output previews in audit logs (limited to 1,500 characters).
- OAuth tokens. When you connect third-party services (such as GitHub, Jira, Slack, or Google Workspace), we store OAuth access and refresh tokens on your behalf. Tokens are encrypted using AES-256-GCM with KMS-managed encryption keys before storage. Tokens are stored per user, per workspace, per provider.
We process this data solely to provide the gateway service (identity verification, policy enforcement, audit logging, and executing tool calls on your behalf). We do not use your data to train AI models, and we do not share your data with any third party for model training purposes. Data transiting the gateway is processed only to fulfill your requests.
AI model provider data flow
Agentic Control Plane acts as a gateway between your AI client (such as Claude, ChatGPT, or Cursor) and third-party APIs. When your AI client calls a tool through the gateway, the response data flows back to your AI client and may be processed by your chosen AI model provider according to their own terms. Agentic Control Plane does not control which AI model provider you use and is not responsible for how your AI provider processes data after it leaves our gateway.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Authenticate users and enforce access policies
- Execute tool calls and manage OAuth integrations on your behalf
- Generate audit logs for your compliance needs
- Scan request content for PII detection and content classification (as a security feature to help protect sensitive data)
- Respond to support requests and communications
- Monitor service health and prevent abuse
- Comply with legal obligations
We do not sell your personal data. We do not use your data for advertising. We do not share your data with third parties for their marketing purposes.
3. Sub-Processors and Third-Party Services
We use the following third-party services to operate our platform:
| Service | Purpose | Data processed |
|---|---|---|
| Firebase Authentication (Google) | User authentication | Email, name, profile photo, login metadata |
| Google Cloud Platform (Cloud Run, Firestore) | Application hosting, database | Account data, workspace configuration, encrypted OAuth tokens, audit logs |
| Google Cloud Key Management Service | Encryption key management | Manages keys used to encrypt OAuth tokens (does not access token values) |
| Google Cloud Secret Manager | Secure credential storage | Connector credentials, encryption keys |
| Stripe | Payment processing | Email, billing address, payment method details |
| Plausible Analytics (self-hosted) | Privacy-first website analytics | Anonymized page views, referrers, device type (no cookies, no personal data) |
| Cloudflare | DNS and CDN | IP addresses, request headers |
| GitHub | Source code hosting, issue tracking | Public contributions, issue content |
When you connect third-party integrations (such as GitHub, Jira, Slack, Salesforce, Google Workspace, Linear, Notion, or others), the gateway calls those services’ APIs on your behalf using your OAuth tokens. Each third-party service operates under its own privacy policy. We select providers that align with our commitment to data minimization and user privacy.
We maintain a current list of sub-processors on this page. If we add a new sub-processor that materially changes how personal data is processed, we will update this page and notify registered users.
4. Data Retention
- Account data is retained for as long as your account is active. You may request deletion at any time.
- OAuth tokens are retained while your integration is active. When you disconnect a service, tokens are deleted immediately. When you delete your account, all tokens are deleted.
- Audit logs generated by the gateway are retained according to your plan’s retention period (default: 90 days for standard plans). Enterprise customers may configure custom retention periods.
- Analytics data is aggregated and anonymized. No individual-level analytics data is retained.
- Server logs are retained for up to 30 days for security and debugging purposes.
5. Data Security
We implement industry-standard security measures to protect your data, including:
- TLS encryption for all data in transit
- Encryption at rest for all stored data (provided by Google Cloud Platform)
- AES-256-GCM encryption for OAuth tokens with KMS-managed envelope encryption
- OIDC-based authentication with RS256 token verification
- Role-based access controls for internal systems
- Tenant-level data isolation in our multi-tenant architecture (each workspace’s data, including OAuth tokens, audit logs, and configuration, is logically separated and inaccessible to other workspaces)
- SSRF protection on outbound requests from custom connectors
- Regular security reviews of our infrastructure and dependencies
6. Data Breach Notification
In the event of a confirmed security breach that affects your personal data, we will:
- Notify affected customers within 72 hours of becoming aware of the breach
- Describe the nature of the breach, the categories of data affected, and the approximate number of records involved
- Describe the measures taken or proposed to address the breach and mitigate its effects
- Provide a point of contact for further information
Categories of data that could be affected in a breach include: account information (email, name), workspace configuration, encrypted OAuth tokens for connected services, and audit log metadata. Request and response content is not stored by default and would only be at risk if in transit at the time of an incident.
If required by applicable law (such as GDPR), we will also notify the relevant supervisory authority within the required timeframe.
7. Your Rights
For all users
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate personal data
- Delete your account and associated personal data (including all OAuth tokens and audit logs)
- Export your data in a portable format
- Object to processing of your personal data
- Disconnect any third-party integration and have its tokens deleted immediately
GDPR (European Economic Area)
If you are located in the EEA, you have additional rights under the General Data Protection Regulation, including the right to lodge a complaint with your local data protection authority. Our lawful basis for processing personal data is (a) performance of a contract (providing the services you requested) and (b) legitimate interest (security monitoring, service improvement).
Data Processing Agreements. Enterprise customers who require a Data Processing Agreement (DPA) for GDPR compliance may request one by contacting us at hello@agenticcontrolplane.com.
CCPA (California)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Delete your personal information
- Correct inaccurate personal information
- Opt out of the sale or sharing of personal information
We do not sell or share personal information as defined by the CCPA.
To exercise any of these rights, contact us at hello@agenticcontrolplane.com. We will respond to verified requests within 30 days.
8. Cookies
Our website does not use cookies for analytics or tracking. Plausible Analytics is cookieless by design. If you use Agentic Control Plane Cloud, session tokens may be stored in your browser’s local storage solely for authentication purposes.
9. Children’s Privacy
Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.
10. International Data Transfers
Our services are hosted on Google Cloud Platform infrastructure in the United States (us-central1 region). If you access our services from outside the United States, your data may be transferred to and processed in the United States. We rely on Google Cloud’s Data Processing Addendum, standard contractual clauses, and provider certifications to ensure appropriate data protection safeguards for international transfers.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The “Effective date” at the top of this page indicates when the policy was last revised.
12. Contact
If you have questions about this Privacy Policy or our data practices, contact us at:
Reducibl
Email: hello@agenticcontrolplane.com
Website: reducibl.com