What we store. What we don't.
Tokens. Every API key, OAuth access_token, and refresh_token you save is wrapped in AES-256-GCM with a versioned key envelope before it touches disk. Plaintext never persists. The encryption key is derived from a server-side secret loaded only at boot.
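One way a versioned AES-256-GCM envelope like the one described above can work, added here as an example and not this service's actual code. The envelope layout, the HKDF derivation, the per-record context string, and the names `seal`, `unseal` and `rotate` are assumptions.

```javascript
// Added example: versioned AES-256-GCM envelope for stored tokens.
// Envelope layout, HKDF derivation and all names are assumptions.
const nodeCrypto = require("node:crypto");

// Constructed secrets; a real deployment would load these once at boot.
const SECRETS = { 1: "constructed-secret-v1", 2: "constructed-secret-v2" };
const CURRENT_VERSION = 2;

// Derive one 32-byte key per version from its server-side secret (HKDF-SHA256).
function keyFor(version) {
  const secret = SECRETS[version];
  if (!secret) throw new Error(`unknown key version ${version}`);
  return Buffer.from(nodeCrypto.hkdfSync("sha256", secret, Buffer.alloc(0), "token-envelope", 32));
}

// AAD binds the ciphertext to its key version and to the record it belongs to,
// so an envelope copied onto another account or field fails authentication.
const aad = (version, context) => Buffer.from(`v${version}|${context}`);

function seal(plaintext, context, version = CURRENT_VERSION) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", keyFor(version), iv);
  cipher.setAAD(aad(version, context));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const parts = [iv, ct, cipher.getAuthTag()].map((b) => b.toString("base64url"));
  return `v${version}.${parts.join(".")}`;
}

function unseal(envelope, context) {
  const m = /^v(\d+)\.([\w-]+)\.([\w-]*)\.([\w-]+)$/.exec(envelope);
  if (!m) throw new Error("malformed envelope");
  const version = Number(m[1]);
  const [iv, ct, tag] = m.slice(2).map((s) => Buffer.from(s, "base64url"));
  if (iv.length !== 12 || tag.length !== 16) throw new Error("malformed envelope");
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", keyFor(version), iv, { authTagLength: 16 });
  d.setAAD(aad(version, context));
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString("utf8"); // final() throws on tamper
}

// Re-encrypt under the current key version; an envelope already current is returned as-is.
function rotate(envelope, context) {
  if (envelope.startsWith(`v${CURRENT_VERSION}.`)) return envelope;
  return seal(unseal(envelope, context), context);
}
```

Because the version prefix is part of the authenticated data, rewriting `v2` to `v1` on a stored envelope makes decryption fail rather than silently selecting an older key.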
Commands. Your chat messages and routed actions are logged in an audit trail tied to your account. The audit log records the action taken, the connector involved, and a 140-character snippet of your original message — not full message bodies, not vendor responses.
LLM routing. When the agent classifies your intent, your message is sent to a self-hosted Ollama instance running on Steve's hardware. We do not send your commands to third-party LLM providers (Anthropic, OpenAI, etc.). Your business workflow is not training someone else's model.
Cookies. One signed session cookie (HttpOnly, SameSite=Lax). No third-party trackers, no advertising pixels, no analytics SDKs.
Vendor calls. When you authorize an action against a connected SaaS tool (Shopify, Stripe, Slack, etc.), the agent calls that vendor's API directly with your credentials. Their privacy policy applies to that data.
Data export / deletion. Email info@agentabrams.com and we'll respond within 7 days.
Last updated 2026-05-05 · Questions: info@agentabrams.com