Legal

Privacy Policy

How we handle personal data across Hong Kong, the EU/UK, and the United States.

Last updated: 24 June 2026

Template notice. This policy is a general starting point for AgenticOS and is not legal advice. Have qualified counsel review and adapt it (including the entity name, contact details, and subprocessor list) before you rely on it in production.
1. Who we are 2. Scope 3. Data we collect 4. How we use it 5. Legal bases 6. AI processing 7. Sharing & subprocessors 8. International transfers 9. Retention 10. Security 11. Your rights 12. Cookies 13. Children 14. Changes 15. Contact

1Who we are

AgenticOS (“AgenticOS”, “we”, “us”) operates the agentic business-operations platform at agenticos.hk. We are based in Hong Kong SAR. For most business data you provide, we act as a data processor on behalf of your organisation (the controller); for your account and our own operations we act as a data controller. Where required, our contact for privacy matters is set out in section 15.

2Scope

This policy applies to personal data processed through our website, app, and APIs. It does not cover third-party services you connect (e.g. Stripe, messaging channels, your own model keys), which are governed by their own policies.

3Personal data we collect

  • Account data — name, work email, organisation, role, and authentication data (we use passwordless sign-in; we do not store your password).
  • Business profile (“Company Brain”) — information you provide or that we gather from a URL you supply about your business, which may incidentally include personal data of your staff or customers.
  • Content & instructions — goals, missions, documents, messages, and approvals you submit to the assistant.
  • Usage & credits — actions taken, runs, tokens/tools consumed, and prepaid HKD credit balances.
  • Payment data — processed by Stripe; we receive limited billing metadata (e.g. last four digits, status), not full card numbers.
  • Technical data — IP address, device/browser, log and audit records, and cookies (section 12).
  • Communications — messages you send us for support or enquiries.

4How we use personal data

  • Provide, operate, and secure the platform and run governed agent missions you initiate.
  • Process subscriptions, credits, top-ups, and billing.
  • Maintain audit logs and enforce governance (approvals, spend caps, fail-closed controls).
  • Provide support and respond to enquiries.
  • Detect, prevent, and investigate fraud, abuse, and security incidents.
  • Comply with legal obligations and enforce our terms.
  • Improve the service. We do not sell personal data, and we do not use your business content to train third-party foundation models except as needed to perform a task you request.

5Legal bases (EEA/UK – GDPR)

Where the GDPR applies, we rely on: performance of a contract (to provide the service); legitimate interests (to secure, improve, and operate the platform, balanced against your rights); consent (for optional cookies and marketing, withdrawable at any time); and legal obligation (e.g. tax, accounting). For business data we process on your organisation’s instructions, your organisation is the controller and determines the legal basis.

6AI processing & automated activity

AgenticOS uses large language models and tools (via providers such as OpenRouter and the underlying model providers, or your own key) to perform tasks. Content relevant to a task may be sent to these providers to generate a result. The assistant operates with governed autonomy: it performs read and draft steps automatically, and pauses for your approval before any send, payment, publish, or deploy action, and when over budget or scope. AI output can be inaccurate — you remain responsible for reviewing approval-gated actions before they take effect. We do not make solely automated decisions that produce legal or similarly significant effects about an individual without a human in the loop.

7Sharing & subprocessors

We share personal data only with service providers who process it on our behalf under contract, including:

  • Cloudflare — hosting, compute, storage, and network security.
  • Stripe — payment processing and (for merchant features) Stripe Connect.
  • OpenRouter and underlying model providers — LLM inference for tasks.
  • Research/tooling providers — search, crawl, and data tools used by Market Radar and missions.

We may also disclose data to comply with law, enforce our terms, or in a merger/acquisition (with notice). A current subprocessor list is available on request.

8International transfers

We are based in Hong Kong and our providers may process data in other jurisdictions, including the EU and the United States. Where we transfer personal data out of the EEA/UK, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK Addendum). For Hong Kong data users, we take reasonable steps consistent with the PDPO when transferring data outside Hong Kong.

9Retention

We keep personal data only as long as needed to provide the service, comply with legal, tax, and audit obligations, resolve disputes, and enforce agreements. Audit logs are retained for governance and security. When your organisation closes its account, we delete or anonymise personal data within a reasonable period, subject to legal retention requirements.

10Security

We use technical and organisational measures including encryption in transit, scoped access tokens, role-based access control, least-privilege agent permissions, spend caps, and append-only audit logging. No method of transmission or storage is completely secure; we cannot guarantee absolute security.

11Your privacy rights

Hong Kong (PDPO)

Under the Personal Data (Privacy) Ordinance (Cap. 486) you may request access to and correction of your personal data, and ask about our data policies and practices. You may opt out of direct marketing at any time at no charge.

EEA / UK (GDPR)

You have rights to access, rectify, erase, restrict, and port your personal data, to object to processing based on legitimate interests, and to withdraw consent. You may lodge a complaint with your local supervisory authority. Where we act as processor, please direct requests to your organisation, and we will assist it in responding.

United States (California – CCPA/CPRA)

California residents may request to know, delete, and correct personal information, and to opt out of “sale” or “sharing” of personal information and of targeted advertising. We do not sell your personal information. We will not discriminate against you for exercising these rights. Other US state laws may grant similar rights.

To exercise any right, contact us (section 15). We will verify your request and respond within the timeframes required by applicable law.

12Cookies

We use strictly necessary cookies for authentication and security, and limited analytics to operate the site. Where required, we request consent for non-essential cookies. You can control cookies through your browser settings.

13Children

The service is for businesses and is not directed to children. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided data, contact us and we will delete it.

14Changes to this policy

We may update this policy from time to time. We will post the updated version here with a new “last updated” date and, where appropriate, notify you of material changes.

15Contact

For privacy questions or to exercise your rights, contact privacy@agenticos.hk. (Placeholder — confirm your real privacy contact and, if applicable, your EU/UK representative and Data Protection Officer.)

See also our Terms of Use.