Privacy Policy

MVS Holdings (“MVS”) operates AgentHub. This Privacy Policy describes how we collect, use, share, and protect personal information in connection with the AgentHub website, dashboard, and APIs (the “Service”).

Effective date: May 15, 2026

1. Scope and roles

This Policy applies to personal information we process about (a) visitors to our marketing website, (b) users of the AgentHub Service, including end users invited to a Workspace, (c) prospects and customer contacts, and (d) recipients of communications generated by agents on behalf of customers.

Controller / Processor. When a customer (the “Workspace”) submits content into the Service, the customer is the controller (or business) of the personal information in that content, and MVS is the processor (or service provider) acting on the customer's behalf and on its instructions. For information we collect directly from website visitors and account holders, MVS is the controller.

2. Information we collect

We collect three categories of personal information.

a. Account information

When you sign up, we collect your name, work email address, password (stored as a salted hash), Workspace name, and any organization details you provide. If you purchase a paid plan, we collect billing contact details and a payment-method token from our card-payments processor — we do not store raw card numbers.

b. Usage information

We collect technical information about how you use the Service: log entries (timestamp, IP address, user agent, request path, response status), feature usage (which agents you install, how many runs you trigger), approval decisions and audit events, error reports, and aggregated performance metrics. This information helps us operate, secure, and improve the Service.

c. Customer content

When you use an agent, the Service receives the prompts, files, knowledge-base documents, connector outputs, and other content you submit (“Customer Content”). Customer Content may contain personal information about your employees, customers, or other individuals. We process Customer Content only to provide the Service to you, in accordance with your Workspace configuration and any signed data processing addendum.

3. How and why we use information

  • Provide the Service. Authenticate you, route requests, run agents, generate citations, persist audit logs, and deliver any output back to your Workspace.
  • Bill and collect fees. Process subscriptions and usage charges through our card-payments processor and produce invoices.
  • Secure the platform. Detect, investigate, and prevent abuse, fraud, and security incidents; enforce our Terms and Acceptable Use Policy.
  • Operate and improve the Service. Diagnose errors, measure reliability, evaluate features, and improve documentation. We do not use Customer Content to train foundation models.
  • Communicate with you. Send transactional messages (account, billing, security), respond to support requests, and — subject to your preferences — share product updates.
  • Comply with law. Respond to legal process, tax obligations, and regulatory inquiries.

5. Sharing and subprocessors

We do not sell personal information. We share information only with the categories of recipients below. The current list of subprocessors, with categories and regions, is published at /legal/subprocessors.

  • Subprocessors. Vetted service providers acting on our behalf and under written data-protection terms, including a managed Postgres provider, a hosted vector retrieval provider, an object storage provider, an email delivery provider, an SMS delivery provider, a card-payments processor, a code sandbox provider, an OAuth-token vault provider, a model gateway provider, and an application hosting provider.
  • Workspace administrators. If you are invited to a Workspace, the administrators of that Workspace can see your account profile, your activity in the Workspace, and any content you submit.
  • Connectors authorized by the Workspace. When a Workspace authorizes a connector to a third-party system, the Service reads from and writes to that system on the Workspace's behalf, scoped to the permissions the Workspace approved.
  • Legal, safety, and corporate transactions. We may share information to comply with law, enforce our agreements, protect the rights and safety of MVS, our customers, or the public, or in connection with a merger, acquisition, financing, or sale of assets, subject to appropriate confidentiality obligations.

When subprocessors are located outside your country, we use approved transfer mechanisms (such as the EU Standard Contractual Clauses and the UK Addendum) and conduct transfer impact assessments.

6. Retention

We retain personal information for as long as needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Typical retention windows are:

  • Account records — for the life of the account plus up to ninety (90) days after termination.
  • Customer Content — for the life of the account plus a thirty (30) day grace period for export, after which it is purged.
  • Audit and security logs — up to thirteen (13) months, then archived in aggregated form.
  • Billing records — up to seven (7) years to satisfy tax and accounting requirements.

Backups are encrypted and rotated; data deleted from production is purged from backups within thirty-five (35) days through normal backup-retention cycles.

7. Your rights

Subject to applicable law, you may exercise the following rights with respect to personal information we hold about you:

  • Access a copy of the information.
  • Correct inaccurate or incomplete information.
  • Delete information, subject to limited exceptions.
  • Export information in a portable format.
  • Object to or restrict certain processing, including direct marketing.
  • Withdraw consent where we rely on consent.
  • Lodge a complaint with your local supervisory authority.

If you are a Workspace end user (for example, a teammate of someone who created a Workspace), please direct your request to the Workspace administrator first; we will assist them. Otherwise, contact legal@mvsagents.ai. We may verify your identity before fulfilling a request and will respond within the timelines required by applicable law (typically thirty (30) to forty-five (45) days).

8. California residents (CCPA / CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act and the California Privacy Rights Act, including the rights to know, access, delete, correct, and limit the use of sensitive personal information, and to opt out of sale or sharing. We do not sell personal information and do not share it for cross-context behavioral advertising.

The categories of personal information we collect are described in Section 2; the business purposes are described in Section 3; the categories of recipients are described in Section 5; and our retention periods are described in Section 6. To exercise your rights, contact legal@mvsagents.ai. You may designate an authorized agent to act on your behalf with appropriate proof of authorization. We will not discriminate against you for exercising your rights.

9. EEA, UK, and Switzerland (GDPR)

MVS Holdings is the data controller for personal information collected directly through the Service's public-facing pages and account-management functions. When acting as a processor for customers, MVS processes personal information under a written data processing addendum that incorporates the EU Standard Contractual Clauses (Module Two) and the UK International Data Transfer Addendum where applicable.

You may contact our data-protection point of contact at legal@mvsagents.ai. If we cannot resolve your concern, you may file a complaint with the supervisory authority in your country of residence, place of work, or place where the alleged infringement occurred.

10. Cookies and similar technologies

We use a small set of cookies and local-storage entries:

  • Strictly necessary — session identifiers, anti-CSRF tokens, theme preference. These are required for the Service to function and are not used for tracking.
  • Analytics — privacy-respecting product analytics that record feature-level events without building cross-site profiles. Where required, we ask for consent before setting these cookies.

We do not use third-party advertising cookies. You can manage cookies through your browser settings. Disabling strictly-necessary cookies may break parts of the Service.

11. Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit and at rest, tenant isolation via row-level security, hash-pinned approvals on consequential agent actions, short-lived OAuth scopes for connectors, secret rotation through a managed secret manager, and an immutable audit-event chain. See our Security overview for more detail. No system is perfectly secure; report suspected vulnerabilities to security@mvsagents.ai.

12. Children

The Service is not directed to children under 13 (or 16 in the EEA), and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact legal@mvsagents.ai so we can delete it.

13. Changes

We may update this Policy from time to time. Material changes will be communicated in-product or by email to the Workspace owner before they take effect, and the new effective date will be indicated at the top of this page.

14. Contact

If you have questions about this Policy or our privacy practices, reach out:

AgentHub is operated by MVS Holdings. Effective date: May 15, 2026.