AgentGuard Privacy Policy

Effective Date: June 11, 2026
Last Updated: June 11, 2026

This Privacy Policy describes how GoPlus Labs (“GoPlus,” “we,” “us,” or “our”) collects, uses, discloses, retains, and protects information in connection with AgentGuard and any related websites, dashboards, APIs, command-line tools, local guards, MCP-compatible servers, extensions, integrations, trust-registry tools, documentation, and other services that link to this Privacy Policy (collectively, the “Services”).

AgentGuard is a security service for AI agents and AI-enabled products. It is designed to evaluate risky agent actions before execution, enforce runtime policies, scan code, files, prompts, tools, skills, plugins, URLs, commands, and supply-chain packages, route sensitive actions through approvals, maintain audit timelines, and provide trust-registry and threat-intelligence functions.

This Privacy Policy is governed by the laws of the British Virgin Islands, including the Data Protection Act, 2021, and serves as our global standard for data protection. To the extent mandatory privacy or data-protection laws in your jurisdiction provide additional rights or protections, we will comply with those laws as required.

Please read this Privacy Policy carefully. By accessing or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Privacy Policy, do not use the Services.

1. Scope of This Privacy Policy

This Privacy Policy applies to information we process in connection with the Services.

For some activities, GoPlus acts as a controller, meaning we determine the purposes and means of processing personal information. This may include processing related to website visitors, account registration, billing, customer support, marketing, security monitoring, and operation of the AgentGuard trust registry.

For other activities, GoPlus may act as a processor or service provider on behalf of a customer. This may include processing agent logs, prompts, code, files, tool-call metadata, approval records, and other customer-submitted content solely to provide the Services under our agreement with that customer. In those cases, the customer controls the relevant data, and the customer’s privacy notice and any applicable data-processing agreement govern how that data is handled.

This Privacy Policy does not apply to third-party websites, products, tools, models, agent platforms, repositories, package registries, payment processors, or other services that we do not own or control, even if they are linked to, integrated with, or accessible from the Services.

2. Information We Collect

We collect information in several ways: information you provide directly, information collected automatically, information submitted through AgentGuard tools, and information received from third parties or public sources.

2.1 Account, Contact, and Customer Information

We may collect:

  • name;
  • email address;
  • username;
  • company or organization name;
  • role, title, and team information;
  • password or authentication credentials, if applicable;
  • API key metadata;
  • subscription, plan, and billing status;
  • support requests and communications;
  • feedback, survey responses, and product preferences; and
  • any other information you choose to provide.

2.2 Billing and Payment Information

If you purchase a paid plan, we or our payment processors may collect billing information, including billing name, billing address, payment method details, tax information, invoice information, and transaction history.

We do not intentionally store full payment card numbers unless necessary and permitted by applicable law. Payment information may be processed by third-party payment providers subject to their own terms and privacy policies.

2.3 AgentGuard Runtime, Security, and Audit Information

Because AgentGuard provides runtime security for AI agents, the Services may process security-relevant information, including:

  • agent identifiers, workspace identifiers, project identifiers, and organization identifiers;
  • runtime policy configurations;
  • tool names, tool identifiers, tool-call parameters, and tool permissions;
  • shell commands, command arguments, and execution metadata;
  • file paths, file names, file hashes, file metadata, and selected file contents submitted for scanning;
  • code snippets, package names, dependency metadata, manifests, lockfiles, skill descriptions, plugin descriptions, MCP server metadata, and related supply-chain information;
  • prompts, system instructions, tool outputs, agent messages, and other text submitted for security analysis;
  • URLs, domains, redirect chains, HTTP metadata, and URL reputation indicators;
  • detection results, risk scores, policy decisions, approval requests, approval responses, revocation events, and audit timelines;
  • timestamps, request IDs, session IDs, latency, errors, diagnostic logs, and system events; and
  • security telemetry used to detect abuse, suspicious activity, malicious commands, prompt injection, credential leakage, data exfiltration, permission abuse, and supply-chain compromise.

The exact information processed depends on how you configure and use AgentGuard. Customers are responsible for configuring the Services appropriately and for ensuring that they have the legal rights and permissions necessary to submit content to AgentGuard.

2.4 AgentGuard Extension and Trust-Registry Tools

Some AgentGuard features run locally, while others communicate with GoPlus-operated remote services. In particular, trust-registry tools such as registry_lookup, registry_attest, registry_revoke, registry_list, and similar registry-related tools communicate with AgentGuard’s remote registry service.

When you use these tools, information may leave your machine and be transmitted to GoPlus. This may include:

  • registry lookup queries;
  • attestation records;
  • revocation requests;
  • registry list filters;
  • trust statements, signatures, references, and related metadata;
  • tool, skill, plugin, package, MCP server, agent, workspace, or organization identifiers;
  • account identifiers or API key metadata;
  • authentication tokens or API keys necessary to authorize the request;
  • timestamps, request IDs, IP addresses, user-agent strings, and network metadata;
  • response status, latency, and error logs; and
  • related security telemetry necessary to provide, protect, debug, and improve the trust-registry service.

We use trust-registry data to provide registry lookup, attestation, revocation, listing, verification, abuse prevention, audit logging, security monitoring, reliability, and compliance functions.

Unless you intentionally publish or submit a public attestation, we do not make your private registry requests public. Public or shared attestations may be visible to other users or subscribers if you choose to publish them, if your organization configures registry sharing, or if the nature of the registry feature requires publication.

2.5 Website, Device, and Usage Information

When you access our websites, dashboards, APIs, documentation, or other online Services, we may automatically collect:

  • IP address;
  • device type;
  • operating system;
  • browser type and version;
  • referring page;
  • pages viewed;
  • links clicked;
  • access times;
  • approximate location derived from IP address;
  • cookie identifiers;
  • session identifiers; and
  • usage analytics.

2.6 Cookies and Similar Technologies

We may use cookies, pixels, local storage, SDKs, and similar technologies to operate the Services, keep you signed in, remember preferences, measure performance, analyze usage, prevent abuse, and improve the Services.

You can usually control cookies through your browser settings. If required by applicable law, we will request consent before using non-essential cookies. Disabling cookies may affect the availability or functionality of certain Services.

2.7 Information from Third Parties and Public Sources

We may receive information from:

  • service providers;
  • payment processors;
  • analytics providers;
  • identity and authentication providers;
  • business partners;
  • package registries;
  • code repositories;
  • threat-intelligence sources;
  • public websites;
  • public security advisories; and
  • other public or commercially available sources.

We may combine information from these sources with information collected through the Services.

3. Information We Do Not Intentionally Collect

AgentGuard is designed to reduce security risk, not to collect unnecessary sensitive information. We do not intentionally request or require users to provide:

  • raw passwords for third-party services;
  • private cryptographic keys, SSH keys, signing keys, or other secrets unless explicitly required for a configured security feature;
  • full credentials, tokens, or secrets that are not necessary for the specific security function;
  • full payment card numbers outside payment processing flows;
  • government identification numbers, unless required for billing, tax, compliance, or contractual purposes; or
  • sensitive personal information unrelated to providing the Services.

You should not submit unnecessary credentials, private cryptographic keys, personal health information, biometric information, payment card data, or other highly sensitive information to the Services unless explicitly required and authorized under your agreement with GoPlus.

If AgentGuard detects credentials, secrets, tokens, keys, or similar sensitive material during scanning, it may process limited portions, fingerprints, hashes, metadata, or redacted copies of that material to generate security findings and prevent exposure.

4. How We Use Information

We use information for the following purposes:

4.1 To Provide and Operate the Services

We use information to:

  • create and manage accounts;
  • authenticate users and API requests;
  • provide dashboards, APIs, extensions, local guards, MCP-compatible services, and registry tools;
  • scan commands, files, prompts, tools, packages, URLs, and agent actions;
  • enforce runtime policies;
  • generate risk scores, findings, reports, and alerts;
  • process approval workflows;
  • maintain audit timelines;
  • provide trust-registry lookup, attestation, revocation, and listing functions;
  • provide threat-intelligence feeds and advisories; and
  • deliver customer support.

4.2 To Protect Users, Agents, and Systems

We use information to detect, prevent, investigate, and respond to:

  • prompt injection;
  • malicious commands;
  • credential leakage;
  • secret exposure;
  • data exfiltration;
  • permission abuse;
  • phishing URLs;
  • suspicious domains;
  • supply-chain attacks;
  • malicious packages, plugins, skills, or MCP servers;
  • unauthorized access;
  • abuse of the Services; and
  • other security threats.

4.3 To Improve and Develop the Services

We may use information to:

  • debug errors;
  • improve detection accuracy;
  • evaluate feature performance;
  • analyze usage trends;
  • develop new products and features;
  • improve reliability and latency;
  • generate aggregated statistics; and
  • create de-identified threat intelligence.

Where feasible, we use aggregated, de-identified, hashed, redacted, or minimized data for these purposes.

4.4 To Communicate with You

We may use information to:

  • send service notices;
  • send security alerts;
  • respond to support requests;
  • provide product updates;
  • send billing notices;
  • request feedback; and
  • send marketing communications where permitted by law.

You may opt out of marketing communications at any time. You cannot opt out of necessary service, security, legal, or transactional communications.

4.5 To Comply with Law and Protect Rights

We may use information to:

  • comply with applicable laws, regulations, sanctions, legal processes, and governmental requests;
  • enforce our agreements and policies;
  • protect the rights, property, and safety of GoPlus, our users, customers, partners, and the public;
  • prevent fraud or abuse;
  • maintain business records; and
  • resolve disputes.

5. AI Model Training and Automated Processing

We do not use customer-submitted agent content, prompts, files, code, registry payloads, audit logs, or security findings to train general-purpose AI models.

We may use automated systems, classifiers, rules, heuristics, machine-learning models, and AI-assisted analysis to detect security risks, generate findings, score risk, classify threats, and recommend protective actions.

AgentGuard may automatically block, allow, warn, or escalate an action based on configured security policies. These decisions are made for security enforcement and system protection. Customers are responsible for reviewing and configuring policy thresholds appropriate for their environment.

6. Legal Bases for Processing

Where applicable law requires a legal basis for processing personal information, we rely on one or more of the following:

  • Performance of a Contract: to provide the Services, process subscriptions, authenticate users, respond to support requests, and perform our obligations under agreements with users and customers.
  • Legitimate Interests: to secure the Services, prevent abuse, improve product functionality, maintain audit records, analyze usage, and protect users and systems, provided those interests are not overridden by your rights and freedoms.
  • Consent: where required for certain cookies, marketing communications, optional integrations, or other processing activities.
  • Legal Obligation: to comply with laws, regulations, legal processes, tax requirements, accounting requirements, sanctions, and lawful government requests.
  • Vital or Public Interests: where necessary to protect the safety, security, or integrity of users, systems, or the public, where recognized by applicable law.

7. How We Share Information

We do not sell personal information. We may share information as described below.

7.1 Service Providers

We may share information with vendors and service providers that perform services on our behalf, such as:

  • cloud hosting;
  • infrastructure operations;
  • database hosting;
  • analytics;
  • customer support;
  • email delivery;
  • payment processing;
  • authentication;
  • security monitoring;
  • logging;
  • error tracking;
  • compliance support; and
  • professional services.

These service providers may process information only as necessary to provide services to us and are required to protect information appropriately.

7.2 Affiliates

We may share information with our affiliates and related entities for purposes consistent with this Privacy Policy, including operating, securing, improving, and supporting the Services.

7.3 Customer-Directed Sharing and Integrations

If you connect AgentGuard to third-party services, repositories, package registries, model providers, agent platforms, notification tools, or collaboration tools, we may share information with those services as directed by you or your organization.

Third-party integrations are governed by the terms and privacy policies of the relevant third parties. You are responsible for ensuring that your use of integrations complies with applicable laws and contractual obligations.

7.4 Trust Registry, Public Attestations, and Threat Intelligence

If you submit a public attestation, configure shared registry visibility, subscribe to or publish trust-registry information, or participate in threat-intelligence sharing, relevant registry or threat metadata may be visible to other users, customers, subscribers, or the public, depending on your configuration and the nature of the feature.

We may also share aggregated, de-identified, redacted, or non-personal threat intelligence, including indicators of compromise, malicious package names, suspicious domains, malicious command patterns, prompt-injection patterns, and supply-chain advisories.

7.5 Legal Compliance and Protection of Rights

We may disclose information if we believe disclosure is necessary or appropriate to:

  • comply with applicable law;
  • respond to subpoenas, court orders, legal processes, or government requests;
  • enforce our agreements;
  • protect the rights, property, and safety of GoPlus, users, customers, partners, or the public;
  • detect, prevent, or investigate fraud, abuse, security incidents, or illegal activity; or
  • defend against legal claims.

7.6 Business Transfers

If GoPlus is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or similar transaction, information may be disclosed or transferred as part of that transaction, subject to appropriate confidentiality protections where required.

8. Data Retention

We retain information for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, protect users, and maintain security.

Retention periods may vary depending on the type of information, customer configuration, subscription plan, legal requirements, and contractual obligations. Unless a different retention period is specified in a customer agreement, product setting, or legal obligation, we generally apply the following retention approach:

  • Account information: retained while the account is active and for a reasonable period after deletion, suspension, or termination as necessary for legal, security, tax, accounting, and dispute-resolution purposes.
  • Billing records: retained as required for tax, accounting, compliance, audit, and legal purposes.
  • Runtime security logs and audit timelines: retained for the period needed to provide audit, security, investigation, and compliance functions, or as configured by the customer.
  • Trust-registry records: retained while active, until revoked, expired, deleted, superseded, or otherwise no longer required to provide registry functions. Public attestations or published registry records may remain available for transparency, verification, security, and audit purposes unless removal is required by law or supported by the applicable registry feature.
  • Security incident records: retained as long as reasonably necessary to investigate, remediate, document, and prevent security incidents.
  • Support communications: retained as needed to provide support, maintain business records, and improve service quality.
  • Aggregated or de-identified data: may be retained for longer periods because it does not identify an individual.

When information is no longer needed, we will delete, de-identify, aggregate, or securely retain it in accordance with applicable law and our internal retention practices.

9. Security Measures

We use reasonable administrative, technical, and organizational measures designed to protect information from unauthorized access, disclosure, alteration, and destruction. These measures may include:

  • encryption in transit;
  • encryption at rest where appropriate;
  • access controls;
  • authentication and authorization controls;
  • logging and monitoring;
  • network security controls;
  • vulnerability management;
  • incident response processes;
  • least-privilege access practices;
  • separation of environments; and
  • confidentiality obligations for personnel and service providers.

No method of transmission or storage is completely secure. We cannot guarantee absolute security. You are responsible for protecting your own credentials, API keys, private keys, devices, agents, repositories, and connected systems.

10. International Data Transfers

We may process and store information in countries other than the country where you are located. These countries may have data-protection laws that differ from those in your jurisdiction.

Where required by applicable law, we use appropriate safeguards for international transfers, such as contractual protections, data-processing agreements, Standard Contractual Clauses, or other lawful transfer mechanisms.

11. Your Rights and Choices

Depending on your location and applicable law, you may have rights regarding your personal information, including the right to:

  • request access to personal information we hold about you;
  • request correction of inaccurate or incomplete information;
  • request deletion of personal information;
  • request restriction of processing;
  • object to processing;
  • request portability of information;
  • withdraw consent where processing is based on consent;
  • opt out of marketing communications;
  • opt out of certain sharing or targeted advertising where applicable;
  • appeal a decision regarding your privacy request where applicable; and
  • lodge a complaint with a data-protection authority.

To exercise your rights, contact us using the information in the “Contact Us” section. We may verify your identity before responding. We may decline or limit requests where permitted by law, including where fulfilling the request would adversely affect the rights and freedoms of others, conflict with legal obligations, compromise security, or interfere with fraud prevention or abuse detection.

If we process personal information on behalf of a customer as a processor or service provider, we may refer your request to that customer or ask you to contact the customer directly.

12. U.S. State Privacy Notice

This section applies to residents of U.S. states with comprehensive privacy laws, including California, where applicable.

12.1 Categories of Personal Information We May Collect

Depending on your use of the Services, we may collect the following categories of personal information:

  • identifiers, such as name, email address, IP address, account ID, device ID, and API key metadata;
  • commercial information, such as subscription, billing, and transaction records;
  • internet or electronic network activity information, such as log data, usage data, device data, and interaction data;
  • geolocation information, such as approximate location derived from IP address;
  • professional or employment-related information, such as company name, role, and business contact details;
  • audio, electronic, or similar information if you provide it through support, demos, or communications;
  • inferences derived from usage, security, or account information, such as product preferences or risk indicators; and
  • sensitive personal information only where necessary for account security, authentication, payment, compliance, or security detection, and only as permitted by law.

12.2 Sources of Personal Information

We collect personal information from you, your organization, your devices, your use of the Services, integrations you enable, service providers, affiliates, partners, public sources, and threat-intelligence sources.

12.3 Purposes for Collection, Use, and Disclosure

We collect, use, and disclose personal information for the purposes described in this Privacy Policy, including providing the Services, securing AI agents, detecting threats, operating trust-registry tools, processing payments, supporting customers, improving the Services, complying with law, and protecting rights and safety.

12.4 Disclosure of Personal Information

We may disclose personal information to service providers, affiliates, customers, integrations you enable, professional advisors, legal authorities, and business transaction counterparties as described in this Privacy Policy.

12.5 Sale and Sharing

We do not sell personal information for money. We also do not knowingly sell or share personal information of individuals under 16 years of age.

If our use of analytics or similar technologies is considered “sharing” or “targeted advertising” under applicable law, you may exercise applicable opt-out rights by using available cookie controls or by contacting us.

12.6 Sensitive Personal Information

We do not use or disclose sensitive personal information for purposes other than those permitted by applicable law, such as providing the Services, maintaining security, preventing fraud, ensuring system integrity, or complying with legal obligations.

13. Marketing Communications

You may unsubscribe from marketing emails by following the instructions in those emails or contacting us. Even if you opt out of marketing communications, we may still send you non-marketing communications, such as service notices, security alerts, billing notices, and legal updates.

14. Do Not Track and Global Privacy Controls

Some browsers provide “Do Not Track” signals. Because there is no uniform standard for responding to Do Not Track signals, we may not respond to them.

Where required by applicable law, we will honor recognized universal opt-out mechanisms, such as Global Privacy Control, for applicable opt-out rights.

15. Children’s Privacy

The Services are not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided personal information to us, please contact us. If we learn that we have collected personal information from a child in violation of applicable law, we will take appropriate steps to delete it.

If you are under the age of majority in your jurisdiction, you may use the Services only with the involvement and consent of a parent, guardian, or authorized organization, as permitted by applicable law.

16. Third-Party Services and Integrations

The Services may contain links to third-party websites or allow integration with third-party services, including agent platforms, model providers, repositories, package registries, payment processors, communication tools, analytics services, and cloud providers.

We are not responsible for the privacy, security, or data practices of third parties. Your use of third-party services is governed by their own terms and privacy policies.

17. Customer Responsibilities

Customers and users are responsible for:

  • providing all required notices and obtaining all required consents before submitting personal information or customer content to the Services;
  • redacting or removing unnecessary sensitive personal information, personally identifiable information (PII), protected health information (PHI), payment card data, credentials, secrets, and other regulated or high-risk information from prompts, logs, code, files, or other content before submitting them to AgentGuard;
  • ensuring they have the legal right to submit prompts, code, files, logs, tool metadata, registry data, and other content to AgentGuard;
  • configuring policies, retention settings, integrations, and sharing permissions appropriately;
  • avoiding submission of unnecessary sensitive information;
  • protecting account credentials, API keys, private keys, tokens, and connected systems; and
  • complying with applicable laws, regulations, contracts, and internal policies.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice as required by law, such as by posting the updated Privacy Policy on our website, updating the “Last Updated” date, sending an email, or displaying an in-product notice.

Your continued use of the Services after the effective date of an updated Privacy Policy means that you acknowledge the updated Privacy Policy. If you do not agree with the updated Privacy Policy, you must stop using the Services.

19. Contact Us

If you have questions about this Privacy Policy, our data practices, or your privacy rights, please contact us:

GoPlus Labs
Craigmuir Chambers
Road Town, Tortola
VG 1110, British Virgin Islands