Legal

Privacy Policy

Effective date: 14 May 2026 · Last updated: 14 May 2026

This Privacy Policy explains how Black Salt Kft. ("we", "us", or "our"), operating the AgentHeaven service at agentheaven.ai, collects, uses, stores, and protects your personal information when you use our website or subscribe to our managed AI digital-employee service.

We are committed to handling your personal data responsibly and in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) where applicable.

The short version: We collect your name, email address, phone number, and billing address when you sign up. We use this information to provision and operate your AI digital employee, send you invoices, and contact you about your service. Your agent runs on our controlled VPS infrastructure. We do not store your source documents by default. We store session and activity logs for service operation, and we maintain a customer-specific long-term memory/wiki containing relevant business information for your agent. We do not use that memory/wiki for our own unrelated purposes, do not share it across customers, and do not sell your data. Ever.

1. Who We Are

Company: Black Salt Kft.
Trading as: AgentHeaven (agentheaven.ai)
Registered address: 1077 Budapest, Baross tér 14, Hungary
Company registration number: 01 09 450602
VAT number: HU13853619
Website: agentheaven.ai
Contact: info@agentheaven.ai

For account, billing, website, consultation, and marketing data, Black Salt Kft. acts as the data controller. For operational data that your digital employee processes on your behalf, Black Salt Kft. generally acts as your data processor and processes that data under your instructions. Our Data Processing Addendum should be used for business customers where required by GDPR Article 28.

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at the email address above.

2. What Personal Data We Collect

We collect the following categories of personal information when you sign up for our service or contact us:

Data Category	Specific Data	Why We Collect It
Identity	Full name, business name	Account identification and billing
Contact	Email address, phone number	Service communication, support, marketing updates
Address	Billing address (street, city, postcode, country)	Invoice generation and legal billing requirements
Financial	Payment method details (processed by our payment provider)	Processing your monthly subscription payment
Configuration	Onboarding notes, runbook, role description, brand voice preferences	Configuring and tuning your AI digital employee
Tool Access	OAuth tokens or API credentials you authorise us to use for connected tools (e.g., CRM, helpdesk, email, document store)	Operating the AI digital employee on your behalf; revoked and deleted on cancellation
Operational Data	Content the digital employee processes during a session (emails, tickets, documents, CRM records, etc.) — strictly the data you authorise us to access. Source documents are processed transiently and are not stored by default.	Performing the work the digital employee is configured to do
Session and Activity Logs	Session identifiers, timestamps, tool calls, system events, error logs, routing decisions, and limited excerpts or metadata needed to understand agent behaviour	Security monitoring, debugging, service reliability, support, and auditability
Customer Memory / Wiki	Customer-specific business facts, preferences, workflows, runbook notes, terminology, and other relevant information extracted from your instructions or approved agent activity	Long-term memory and self-improvement of your own digital employee only

We do not intentionally request sensitive personal data such as health information, political opinions, biometric data, or similar special-category data. Because your agent may process business communications and documents that you authorise it to access, such data may appear incidentally in source systems, session context, logs, or customer memory/wiki. You are responsible for ensuring that the data sources you connect are appropriate for the configured use case and that you have a lawful basis to provide this data to the Service.

3. How We Use Your Personal Data

We use your personal data for the following purposes:

Service delivery — Setting up, configuring, hosting, and continuously tuning the AI digital employee on your behalf.
Long-term memory for your agent — Maintaining a customer-specific memory/wiki so your digital employee can remember your business context, preferences, workflows, and prior feedback.
Logging and auditability — Recording session and activity information to troubleshoot issues, detect abuse, improve reliability, and show what the agent did during a session.
Billing and invoicing — Processing your monthly subscription payments and issuing invoices. Your billing address and name are required for legally compliant invoicing.
Customer support — Contacting you to resolve technical issues, answer questions, or communicate changes to your service.
Marketing communications — Sending you information about new features, service updates, tips, or relevant offers related to AgentHeaven. You may opt out at any time (see Section 8).
Legal and compliance — Meeting our legal obligations, such as retaining invoices for tax purposes.

4. Legal Basis for Processing (GDPR)

Under the GDPR, we rely on the following legal bases to process your personal data:

Purpose	Legal Basis
Providing the subscribed service	Performance of a contract (Art. 6(1)(b))
Billing and invoicing	Legal obligation (Art. 6(1)(c))
Customer support	Performance of a contract (Art. 6(1)(b))
Session logging, activity logging, security monitoring, and debugging	Performance of a contract (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)) in operating a secure, reliable service
Customer-specific long-term memory/wiki for your digital employee	Performance of a contract (Art. 6(1)(b))
Marketing communications to existing subscribers	Legitimate interests (Art. 6(1)(f)) — we have conducted a Legitimate Interests Assessment, available on request
Marketing communications to consultation enquirers	Consent (Art. 6(1)(a)) — by booking a consultation you consent to being contacted about the service

5. How Long We Keep Your Data

We retain your personal data only for as long as necessary:

Active subscribers: For the duration of your subscription plus 90 days afterwards for support and dispute resolution. After this period the operational data, customer memory/wiki, and tool credentials are deleted unless we agree a longer retention or export period with you; personal contact data may be retained as described below.
Source documents: Source documents accessed by the digital employee are processed transiently and are not stored by default. Copies may remain in your own connected tools, but not in AgentHeaven document storage unless explicitly agreed for a specific integration.
Session and activity logs: Usually retained for up to 90 days, unless a longer period is required for security investigation, billing dispute, legal claim, or compliance obligation.
Customer memory/wiki: Retained while your subscription is active because it is part of the configured digital employee. On cancellation, we delete it after the post-cancellation support and export window described above, unless you request earlier deletion where legally and technically possible.
Billing records: We are required to retain invoices and payment records for a minimum of 7 years to comply with tax and accounting regulations.
Marketing contact data: Until you unsubscribe or request deletion, whichever comes first.
Consultation enquiries that do not convert: Up to 12 months, then deleted.

6. Sub-processors and AI Providers

We do not sell, rent, or trade your personal data. To operate the service we use the following categories of trusted third-party providers:

Agent hosting and orchestration: Your digital employee runs on VPS infrastructure controlled by us. The agent harness coordinates tool calls, session context, customer memory/wiki, and routing for your digital employee.
LLM providers (model-agnostic routing): Depending on the task type and your data-residency selection, requests may be routed to:
- Self-hosted open-source models (for example Llama, Qwen, or Hermes-family models) running on infrastructure under our control. In this mode, prompts, session context, and customer memory/wiki are not sent to a third-party LLM provider.
- Third-party LLM providers such as Anthropic (Claude) and OpenAI (GPT), operating under their respective Data Processing Agreements and transfer safeguards where applicable. Routing to these providers is used selectively for tasks that benefit from frontier-model reasoning or where you choose this mode. We do not authorise third-party LLM providers to use your customer data, session context, or customer memory/wiki to train their models.
Cloud infrastructure providers — VPS hosting (currently Hostinger and DigitalOcean) for our application servers, memory store, and self-hosted LLMs, with EU/EEA regions preferred for sensitive workloads where available.
Tool integration layer — Composio, for connecting your digital employee to the customer-authorised tools you select.
Payment processors — Stripe for card payments, and your bank plus ours when paying by bank transfer. Card data is processed directly by the payment provider and is not stored on our servers.
Email and communication tools — AgentMail for agent and service email, including invoices, support replies, and marketing emails.
Consultation booking — Cal.eu for booking the free 30-minute consultation.

All third-party providers are required to handle your data in accordance with applicable data protection law and our instructions. The current list of named sub-processors is available on our Sub-processors page.

For sensitive workloads you may opt for self-hosted or EU-only routing, in which case your digital employee will only use self-hosted open-source models on infrastructure under our control or EU-based infrastructure. This is included in all Specialist and Workforce plans, and available on Starter on request.

Customer memory/wiki is maintained for the benefit of your own digital employee only. We do not use it to train shared models, improve other customers' agents, create generic datasets, or develop unrelated AgentHeaven products. We do not disclose it to third parties except where strictly necessary to operate your selected LLM routing mode or connected-tool workflow.

We may also disclose your data where required by law, court order, or to protect our legal rights.

7. Your Rights

If you are located in the European Economic Area (EEA) or the UK, you have the following rights regarding your personal data:

Right of Access

Request a copy of the personal data we hold about you.

Right to Rectification

Ask us to correct inaccurate or incomplete data.

Right to Erasure

Request deletion of your data where we no longer have a legal basis to hold it.

Right to Restriction

Ask us to limit how we use your data in certain circumstances.

Right to Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests, including direct marketing.

To exercise any of these rights, contact us at info@agentheaven.ai. We will respond within 30 days. In some cases we may ask you to verify your identity before fulfilling your request.

You also have the right to lodge a complaint with your local data protection supervisory authority at any time.

8. Marketing Communications & Opt-Out

By subscribing to AgentHeaven or booking a consultation, you agree to receive service-related emails (invoices, onboarding information, support updates). These are essential to your subscription and cannot be opted out of while your account is active.

For optional marketing communications (new features, tips, promotional offers), you may opt out at any time by:

Clicking the "Unsubscribe" link at the bottom of any marketing email, or
Emailing us at info@agentheaven.ai with the subject line "Unsubscribe".

We will action all opt-out requests within 5 business days.

9. Cookies and Local Storage

Our website uses only essential cookies and browser local storage entries necessary for basic functionality (such as remembering your selected language). We do not use third-party advertising cookies or tracking cookies that collect personal data without your knowledge.

If you arrive on our website via a paid advertising campaign and Meta Pixel or Google Analytics is active, third-party cookies or similar identifiers may be set to attribute the visit and conversion. Where required by law, these tools should only run after consent. You can opt out of Meta tracking through your browser settings or via Meta's advertising controls. More detail is available in our Cookie Policy.

Fonts and other static assets are self-hosted on our own infrastructure — no third-party font CDN, no Google Fonts request.

10. Data Security

We take the security of your personal data seriously. Our baseline measures are described in our Security Measures. We implement appropriate technical and organisational measures, including:

Encrypted storage of credentials, tool tokens, and operational data, with per-customer isolation
Per-customer isolation for customer memory/wiki and session data
Transient handling of source documents unless document storage is explicitly agreed for a specific integration
Restricted access to personal data on a need-to-know basis
Use of reputable, security-certified infrastructure providers
Audit logging of access to customer configuration and credentials

No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach that poses a risk to your rights, we will notify you and the relevant supervisory authority as required by law.

11. International Transfers

Your personal data is primarily processed on VPS infrastructure controlled by AgentHeaven, with EEA hosting preferred for sensitive workloads where available. We may transfer data outside the EEA in the following cases:

Frontier LLM providers (USA) — When a digital-employee task is routed to a US-based provider such as Anthropic or OpenAI, transfers are covered by Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c) and the provider's Data Processing Agreement. You may opt for EU-only routing as described in Section 6 to avoid these transfers.
Consultation booking — Cal.eu may process your name, email, meeting time, and meeting notes. Where the provider's underlying processing involves a transfer outside the EEA, Standard Contractual Clauses apply.

Where we transfer personal data outside the EEA, we ensure appropriate safeguards are in place in accordance with GDPR Chapter V. You may request a copy of the relevant transfer safeguards by contacting us.

12. Children's Privacy

AgentHeaven is a business service intended for adults (18+). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we do, we will update the "Last updated" date at the top of this page. For significant changes, we will notify active subscribers by email.

Continued use of our service after changes are posted constitutes your acceptance of the updated policy.

14. Contact Us

For any questions, requests, or concerns about this Privacy Policy or your personal data, please contact us:

Black Salt Kft. (trading as AgentHeaven)

1077 Budapest, Baross tér 14, Hungary

Company registration: 01 09 450602 · VAT: HU13853619

Email: info@agentheaven.ai

Website: agentheaven.ai

This policy was last reviewed on 14 May 2026. AgentHeaven reserves the right to update this document at any time. The current version is always available at agentheaven.ai/privacy.