Privacy Policy
This page describes what AgentGEO actually does with data, written against the source code that runs the product. Where we have no policy, it says so rather than inventing one.
Last updated: 2026-07-17
Who we are
AgentGEO is an access layer that fetches raw answers from AI surfaces and returns them to your agent. It does not interpret them.
AgentGEO is an independent project operated by an individual developer. It is not a registered company, and there is no legal entity or registered address behind it. Contact is by email only: for anything on this page, write to keronelau@gmail.com.
The service is a data plane. You send a prompt; we ask a managed AI-scraper provider to run it against surfaces such as ChatGPT, Perplexity, Gemini, Google AI Overview, Google AI Mode and Copilot; we return the answer text, citations and provider metadata. Rankings, sentiment and reporting happen in your own agent, not on our servers.
Your account identity
Clerk holds your identity. Our database holds one opaque identifier derived from it.
Sign-in is handled by Clerk, using either an email address and password or “Continue with Google”. When you use Google sign-in, Google returns your basic profile (such as your email address and name) to Clerk. Clerk is the system of record for that identity — your email address, your password credential, and your OAuth profile live in Clerk, not in our database.
Our API receives a signed Clerk session token, verifies it against Clerk’s public keys, and reads exactly one claim from it: sub, your Clerk user ID. Your workspace is then keyed as user_<sub>. That derived string is the only piece of your identity stored in our database — every row you own is tagged with it. We do not copy your email address, name or profile picture into our own storage.
Because Clerk holds your identity, Clerk’s own privacy practices apply to it in addition to this policy.
Your queries leave our system
This is the most important disclosure on this page. Read it before you send anything sensitive.
api.brightdata.com), and your prompt travels with it. Bright Data is a third-party company we do not control, with its own privacy terms. Do not put anything in a query that you are not willing to hand to a third-party vendor.Each provider request carries four fields, and a fifth only for ChatGPT. This is the whole of it:
prompt— your query text, verbatimurl— the AI surface to run it againstcountryandlanguage— the locale you selectedweb_search— only for ChatGPT, and only when you set it
Nothing that identifies you accompanies that request. We do not send your Clerk user ID, your workspace ID, your email address, your API key or your IP address to Bright Data. The request authenticates as AgentGEO, using our own provider credential. From Bright Data’s side, the prompt is not attributed to you by us — but a prompt can of course identify you by its own content, which is why the warning above matters.
Bright Data returns the answer text and citations. We normalize that response into a stable record shape and store it (see below). We do not analyse, score, or train on it.
What we store
Everything below lives in a Cloudflare D1 database, tagged with your workspace ID. This list is the complete set of tables.
| Table | What is in it |
|---|---|
| runs | The full record of every fetch: your query text, the surfaces, country and language, run status, records delivered and credits charged — plus each answer returned, including the answer text, its citations (title, URL, position), fetch timestamp, latency, the provider's record ID, and a small set of provider fields (url, prompt, model, web_search_triggered, prompt_sent_at). Note that the provider echoes your prompt back, so it is stored here twice. |
| schedules | Recurring fetches you create: name, query text, surfaces, country, language, cadence, delivery method, status, and last/next run timestamps. |
| saved_queries | Queries you save for reuse: name, query text, your tags, and last-run timestamp. |
| api_keys | One row per key you mint: its ID, the name you gave it, a masked prefix, a SHA-256 hash of the key, its scope, its monthly credit budget, and created/last-used/revoked timestamps. The key itself is not stored — see below. |
| usage_events | The billing ledger: one row per run, carrying the run ID, the query text again, the surface count, records delivered, credits charged, whether the run was live or demo, and the timestamp. |
| workspace_settings | Your workspace name, default country, webhook URL, webhook signing secret, spend-cap settings, plan, and short-lived internal counters used to enforce spend caps. |
| webhook_deliveries | A log of outbound webhook attempts: the event name, your destination URL, the related run/schedule, delivery status, attempt count, and the last error message. |
The site and the API run on Cloudflare (Workers, D1 and Cloudflare’s edge network). As our hosting and network provider, Cloudflare handles the connection data any web host handles, such as IP addresses and request metadata, under its own terms. We have Cloudflare Workers observability enabled, so our API’s operational logs are retained in Cloudflare. Those logs record identifiers (such as schedule IDs) and error messages; we do not write query or answer text to them deliberately, though we cannot promise an error message never contains a fragment of a request.
This site runs no analytics, advertising, or third-party tracking scripts. There is no Google Analytics, no ad pixel, no session recorder, and no behavioural profiling. We do not sell data, and we do not share it with anyone beyond the sub-processors named on this page.
Retention — we have no automatic deletion
Stated plainly, because it is a real limitation and not a feature.
What you can delete yourself, today, from the console or the API:
- Schedules and saved queries — deleted outright, row removed.
- API keys — revoked, not deleted. The key stops working immediately, but the row (its name, masked prefix and hash) stays in the table.
Run history and usage events have no delete endpoint. To have them removed, email keronelau@gmail.com. We would rather tell you this than describe a retention schedule we have not built.
API keys
The plaintext key is shown once and is not recoverable from our database.
When you create an API key we generate it, return the plaintext value to you exactly once, and store only a SHA-256 hash of it alongside a masked prefix (for example ag_live_9f2…8c1d) so you can tell your keys apart. We cannot show you the key again, and we cannot recover it — if you lose it, revoke it and mint a new one.
Authenticating with a key means we hash the presented token and look for a matching, unrevoked row. We also stamp a last-used timestamp on the key each time it is used.
Webhooks
If you configure a webhook, you are asking us to send your data somewhere.
Setting a webhook URL in your workspace settings tells us to POST the complete run envelope — including the query and the full answer text — to that URL when a scheduled run finishes. Each request is signed with HMAC-SHA256 using your workspace signing secret so your receiver can verify it came from us, and delivery is attempted up to three times — an immediate POST, then two retries with a short backoff.
You choose the destination, so you own what happens to the data once it arrives. We log one row per delivery in the webhook_deliveries table, written after the last attempt: the destination URL, the final outcome, how many attempts it took, and the last error if it never got through. We do not log a row per attempt, and the row does not contain the payload.
Sub-processors and other recipients
Every third party that touches your data. The first three we engage and control by contract; the AI surface operators we do not — they receive your prompt because running it against them is the thing you asked for.
| Recipient | What it handles |
|---|---|
| Bright Data | Runs your prompt against AI surfaces and returns the answer. Receives your query text, country and language. Receives nothing that identifies you. |
| Clerk | Authentication and identity. Holds your email address, credentials and — if you use Google sign-in — the profile Google returns. |
| Cloudflare | Hosting, edge network, the D1 database, and our API's operational logs. Handles connection data such as IP addresses. |
| Two separate roles. If you choose 'Continue with Google', Google authenticates you and returns your basic profile to Clerk. Separately, if you select Gemini, Google AI Overview or Google AI Mode as a surface, Google operates that surface and receives your prompt text as described above. | |
| OpenAI, Microsoft, Perplexity | The operators of the remaining surfaces (ChatGPT, Copilot, Perplexity). We have no contract or connection with them: Bright Data enters your prompt into the surface you selected, so the operator of that surface receives your prompt text and handles it under its own terms. Only the surfaces you select receive anything. |
If we add a sub-processor, this list changes and the “last updated” date at the top moves.
Access, export and deletion
The real process is: email us and it is done by hand. There is no self-serve button, and we will not pretend otherwise.
Email keronelau@gmail.com from the address on your account and tell us what you want:
- A copy of your data. You can pull most of it yourself through the API, with one catch worth knowing:
GET /v1/runslists your runs but strips the answers out of each one, so it is not a full export.GET /v1/runs/<id>returns a single run complete with its answer text, andGET /v1/usagereturns your billing ledger. There is no bulk-export endpoint — for everything at once, email us. - Deletion of your workspace data. We delete the rows keyed to your workspace ID by hand. We have not built an automated path for this, and we are not going to quote you an SLA we cannot enforce in code.
- Deletion of your account identity. That lives in Clerk; tell us and we will remove it there.
Depending on where you live, you may have statutory rights over your personal data — for example to access, correct, export, or erase it, or to object to its processing. Exercise them by emailing us; we will not ask you to justify the request. We have not completed a formal compliance certification of any kind, and this page makes no such claim.
Security issues, product questions and account support go to the same address: keronelau@gmail.com.
Changes to this policy
It changes when the code changes.
This policy describes the system as it exists on the date at the top of the page. When we change what we collect, where it goes, or how long we keep it, we update this page and move that date. If a change materially affects data we already hold about you, we will email the address on your account.
Contact
One address, one human.
Privacy questions, access requests, deletion requests and complaints: keronelau@gmail.com.
AgentGEO is an independent project operated by an individual developer, with no registered company or business address. Email is the only contact channel.
Want to see exactly what we return?
The docs spell out every field in every record, including what we store per run.
Read the docs