Privacy Policy
AgenTorQ is an agentic AI platform available two ways: a Salesforce managed package that runs on-platform inside your own org, and a standalone web app that runs largely in your browser. This policy explains what data we access, how it is used, who processes it, and the strong limits we place on it. The short version: your connected data is processed at the moment you ask and sent only to the AI model you choose — we do not sell it, we do not use it to train models, and no human at AgenTorQ reads it.
1. Information we access
Only when you sign in, connect a source, or provide a key, AgenTorQ accesses:
- Account & profile — your email address, display name and avatar, from the sign-in method you choose (Google, Microsoft, or email/password via our authentication provider).
- Connected-source data — only for sources you explicitly connect, and only the data needed to answer: e.g. Google (Gmail messages, Calendar events, Drive/Docs/Sheets metadata and contents, Contacts), Microsoft (Outlook mail/calendar), GitHub (repositories and files), Salesforce (CRM records you are permitted to see), and other connectors you enable.
- Documents you upload — files you attach in chat (PDF, XLSX, CSV, images for OCR, etc.), processed to answer your question.
- Your AI provider API keys (BYOK) — the keys you add so the platform can call the model providers you choose.
- Workmate memory — what a Workmate learns as you work (Concepts, Entities, Workstreams, Notes), scoped to you.
- Usage metadata — token accounting, call logs and basic diagnostics used to operate, secure and meter the service.
We do not access any source you have not connected, and you can disconnect any source at any time from the Connectors tab.
2. How we use it
- Connected data is fetched live, at the moment you ask a question that needs it — in your browser (standalone) or on-platform in your org (managed package).
- It is included in the prompt sent to the AI model you select, so the agent can answer using your real data.
- In the Salesforce package, named PII is masked before any prompt leaves your org, and reads/writes pass a SOQL guard and DML guard. Only the masked prompt reaches the model.
- We use account and usage data to authenticate you, operate the service, enforce access controls, meter usage, and keep the platform secure.
3. Your keys, tokens & storage
- OAuth access tokens for connected sources are stored in your browser's local storage, scoped to your signed-in account, and in the managed package within your Salesforce org's encrypted external credential store.
- Your AI provider API keys are stored securely and encrypted, scoped to your account, and used only to call the provider you selected on your behalf. They are never shared with other users.
- Uploaded documents are processed for your request; in the standalone app they live in your browser.
- Workmate memory is stored per user via our memory service and applied on your future turns; you can view and clear it.
4. Third parties & subprocessors
We rely on a small set of processors to run the service. We do not sell your data to any of them or to anyone else.
| Provider | Purpose | Data involved |
|---|---|---|
| AI model providers | Generating answers on the model you choose — OpenAI, Azure OpenAI, Google (Gemini), DeepSeek, Mistral, Cerebras, Perplexity, SambaNova, MiniMax, Groq, xAI (Grok), HuggingFace, AI21, self-hosted Ollama, or a generic OpenAI-compatible endpoint. | The (masked) prompt you send, including the connected data needed to answer. |
| Nango | Connector & OAuth broker for third-party app integrations. | OAuth tokens and the API calls made to the apps you connect. |
| cognee | Per-user memory and semantic recall, and server-side web/news search. | Workmate memory items and search queries, scoped to your account. |
| Firebase / Auth0 | Authentication and sign-in. | Your email, name and avatar; auth session. |
| here.now | Hosting of the web app and static assets. | Standard request/hosting metadata. |
When you add a custom MCP connector, the MCP server you point to is a third party you choose; the agent calls its tools with your approval, under that server's own terms.
5. Google API Services — Limited Use disclosure
6. What we do NOT do
- We do not sell or rent your data, or share it beyond the processors above.
- We do not use your connected data or documents for advertising, and we do not use them to train AI/ML models.
- No human at AgenTorQ reads your connected data.
7. Data retention & deletion
Connected data is fetched to answer and is not retained as a separate copy on our servers. Tokens and uploaded documents live in your browser (standalone) or your org (package). Workmate memory is retained until you clear it. To delete your data you can:
- Click Disconnect on any connector to revoke its access.
- Clear a Workmate's Memory, or clear your browser storage for this site.
- Remove your API keys from the engine settings.
- Revoke AgenTorQ's access from your provider (e.g. Google account permissions).
- Email us at ady@opnyx.com to request deletion of account data we hold.
8. Your rights
Depending on your location, you may have rights to access, correct, export or delete your personal data, and to object to or restrict certain processing. To exercise them, contact ady@opnyx.com. Because we store minimal data and process connected data live, most requests are satisfied by disconnecting a source or clearing your storage.
9. Security
Authorization uses each provider's standard OAuth 2.0 / 2.1 flow (with PKCE for MCP connectors). API keys and secrets are encrypted and scoped to your account. All API calls are made over HTTPS. In the managed package, the agent runs on-platform in USER_MODE, honoring your Salesforce field-level security and sharing model, with named PII masking and SOQL/DML guards.
10. Children
AgenTorQ is a business tool and is not directed to children under 16. We do not knowingly collect their data.
11. Changes
We may update this policy; we will change the “Last updated” date above, and material changes will be reflected here. Continued use after an update constitutes acceptance.
12. Contact
Questions about this policy or your data: ady@opnyx.com. See also our Terms of Service.
