1. Who We Are
Creative Sauce Ltd is the data controller for AgentConsole HQ. We are committed to protecting your privacy and ensuring you have a positive experience on our platform.
Data Controller: Creative Sauce Ltd
Contact: hello@creativesauce.io
2. What Data We Collect
We collect the data necessary to provide, secure, and improve our platform, in the following categories:
Account Data
- Full name
- Email address
- Business name and industry
- Account preferences
Payment Data
- Payment information is processed securely by Stripe
- We store only the last 4 digits of payment cards for verification purposes
- Full payment details are never stored on our servers
- Billing address and transaction records
Usage Data
- AI agent activity and interactions
- Tasks completed and workflow data
- Feature usage and engagement metrics
- Timestamps and duration of platform use
Technical Data
- IP address and location data
- Browser type and version
- Device information and operating system
- Log files and access data
Communications Data
- Support tickets and correspondence
- User feedback and survey responses
- Customer support interactions
Third-Party API Credentials (Bring Your Own Keys)
AgentConsole HQ operates on a Bring Your Own Keys (BYOK) model. To let your agents run on your own provider accounts, you may choose to paste API keys from one or more of the following providers: OpenAI, Anthropic, Perplexity, Google (Gemini) and xAI (Grok).
- Keys are submitted by you voluntarily and only when you want to activate the associated provider
- Keys are encrypted at rest using Supabase Vault (pgsodium) with a key never exposed to client browsers
- Only the last 4 characters of any stored key are ever visible after saving, including to you in your own dashboard
- Keys are transmitted only to the originating provider to execute your agent runs, and never to any other third party
- You may revoke any stored key at any time from the API Keys section of your dashboard. Revocation takes effect immediately and destroys the encrypted copy
- When you delete your account, all stored keys are permanently destroyed as part of the deletion process
3. How We Use Your Data
We use your personal data for the following purposes:
- Service Delivery: To provide, maintain, and improve the Creative Sauce platform
- Payment Processing: To process subscriptions and transactions securely
- Service Communications: To send platform updates, security alerts, and essential service notifications
- Product Improvement: To analyse usage patterns and develop better AI agents and features
- Security: To prevent fraud, unauthorised access, and other security threats
- Legal Compliance: To meet regulatory and legal obligations
- Marketing (with consent): To send promotional content, newsletters, and product updates only when you have consented
4. Legal Basis Under UK GDPR
We process your personal data under the following legal bases:
- Contract Performance: Processing data necessary to perform our service agreement with you
- Legitimate Interests: Protecting platform security, preventing fraud, and improving our services
- Consent: Marketing communications and optional features (you can withdraw consent at any time)
- Legal Obligations: Complying with tax, financial, and regulatory requirements
5. Data Sharing
We only share your data with trusted partners necessary to operate the platform. We never sell your personal data.
Third Parties We Share With:
- Stripe: Payment processor for secure transaction handling
- Cloud Hosting Providers: Vercel, Render, Supabase and AWS for secure infrastructure, database and data storage
- Brevo: Transactional and notification email delivery
- AI Providers (only at your direction): When you run an agent, the prompt, context and any files you supply are transmitted to the AI provider whose API key you have connected. Supported providers are OpenAI, Anthropic, Perplexity, Google (Gemini) and xAI (Grok). Creative Sauce acts purely as the pipe in this exchange: we do not retain the AI provider's raw response beyond what is needed to display and store the agent output you requested. Each provider operates under its own privacy policy and data processing terms, which you accepted when you created the account that issued the API key
- Analytics Providers: Anonymised usage data only to understand platform performance
Data We Do NOT Share:
- Personal data is never sold to advertisers or third-party marketers
- Personal data is never shared for commercial purposes
- Personal data is never rented or leased to other organisations
6. Data Retention
We retain your data for different periods depending on the type and purpose:
| Data Type | Retention Period |
|---|---|
| Active Account Data | While subscription is active |
| Cancelled Account Data | 30 days after cancellation, then permanently deleted |
| Payment Records | 7 years (required by UK tax law) |
| Anonymised Analytics | Retained indefinitely for service improvement |
| Support Tickets | 3 years or until account deletion |
7. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of Access: Request a copy of all personal data we hold about you
- Right of Rectification: Correct inaccurate or incomplete data
- Right of Erasure: Request deletion of your data (subject to legal obligations)
- Right of Data Portability: Receive your data in a structured, machine-readable format
- Right to Restrict Processing: Limit how we use your data in certain circumstances
- Right to Object: Object to marketing communications and certain processing activities
- Rights Related to Automated Decision-Making: Transparency and opt-out rights for automated processing
How to Exercise Your Rights
To exercise any of these rights, please contact us at hello@creativesauce.io with clear details of your request. We will respond within 30 days of receipt.
Right to Complain
If you believe we have not handled your personal data appropriately, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Cookies and Tracking Technologies
Our platform uses minimal cookies and tracking technologies:
- Authentication Token: Essential for keeping you logged in securely
- Session Cookie: Maintains your session during platform use
- Analytics Cookie: Helps us understand how the platform is used (optional, user opt-in)
You can control cookie preferences through your browser settings. Disabling essential cookies may prevent platform access.
9. Security
We implement comprehensive security measures to protect your personal data:
- Encryption in Transit: All data transferred between your device and our servers uses TLS/SSL encryption
- Encryption at Rest: Sensitive data is encrypted when stored on our servers. API credentials you supply under the BYOK model are encrypted using Supabase Vault (pgsodium) with an encryption key held in a secrets manager, never in application code or accessible to the browser
- Row Level Security: Every table containing customer data has PostgreSQL Row Level Security (RLS) enabled so that authenticated users can only ever read or modify rows belonging to their own account
- Key Isolation: Your BYOK API keys are only decrypted inside a server-side function at the exact moment an agent run is executed, and are never logged, cached, or returned to the browser
- Access Controls: Strict role-based access controls limit who can access personal data
- Regular Audits: We conduct regular security assessments and penetration testing
- Employee Training: Our staff receive ongoing data protection and security training
- Incident Response: We maintain procedures to respond to any potential security incidents, including mandatory notification within 72 hours of any confirmed breach affecting your personal data, as required by UK GDPR Article 33
9a. AI-Generated Content and Accuracy
AgentConsole HQ uses large language models (LLMs) and other generative AI systems to produce outputs on your behalf. You should be aware of the following before relying on any agent output:
- Outputs may be inaccurate: LLMs can and do produce content that is incorrect, incomplete, out of date, or entirely fabricated ("hallucinated"). Creative Sauce does not warrant that any agent output is accurate, fit for a particular purpose, or free from error
- Not professional advice: Agent outputs must never be treated as legal, financial, tax, medical, safety-critical or other professional advice. Always consult a qualified professional before acting on any such output
- You remain responsible: You are solely responsible for reviewing, editing, verifying and approving any agent output before publishing, sending, or acting upon it. Creative Sauce is not responsible for losses, damages or liabilities arising from your use of AI-generated content
- Training data and bias: Third-party AI providers train their models on large public datasets that may reflect biases, outdated facts, or copyrighted material. We have no control over how the underlying models were trained
9b. Support Chat and Data Handling
The Platform includes an AI-powered support chat widget. The following describes how data flows when you use it.
- No message storage: Chat messages are sent to our API endpoint, processed in real time, and are not stored in any database. There is no message log, no history retained server-side, and no way to retrieve a past conversation. When you close the chat, the conversation is gone.
- No personal data processed: The Support Chat is not connected to your account, subscription, or billing records. It has no access to your name, email, API keys, payment details, or any other personal information we hold about you. Do not enter personal or sensitive data into the chat; the assistant cannot use it and it provides no benefit.
- AI provider transmission: Your chat messages are transmitted to Anthropic (the AI provider behind the support assistant) solely to generate a response. Anthropic processes these messages under its own Privacy Policy and API terms. Creative Sauce does not retain the exchange after the response is returned.
- No profiling: Support Chat interactions are not used to profile you, build a behavioural record, or influence any decisions about your account.
- Account matters require email: The Support Chat cannot action any account request. For billing, refunds, cancellations, data subject rights, or API key issues, contact hello@creativesauce.io directly.
9c. API Key Storage
When you connect third-party API keys under the Bring Your Own Keys (BYOK) model, the following security measures apply.
- Encryption at rest: All API keys are encrypted using Supabase Vault (pgsodium), an industry-standard authenticated encryption library. The encryption key is stored in a secrets manager, never in application code or environment variables accessible to the browser.
- Never logged: API keys are never written to application logs, error reports, monitoring tools, or any other persistent store in plaintext form.
- Never returned to the browser: After you save a key, the full key value is never sent back to your browser. Only the last 4 characters are displayed as a reference marker.
- Decrypted only at run time: The encrypted key is decrypted inside a server-side function at the exact moment an agent run is executed. The decrypted value exists in memory only for the duration of the API call to your chosen provider, then is discarded.
- Transmitted only to your provider: The decrypted key is transmitted only to the originating AI provider (e.g. OpenAI, Anthropic) to authenticate your request. It is never sent to any other third party.
- Revocable at any time: You can delete any stored key from the API Keys section of your dashboard. Deletion takes effect immediately and permanently destroys the encrypted copy. There is no backup or recovery.
- Destroyed on account deletion: All stored keys are permanently destroyed as part of the account deletion process.
10. Children's Privacy
AgentConsole HQ is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete such data immediately and terminate the child's account.
11. International Data Transfers
Your personal data is primarily processed and stored within the United Kingdom and European Economic Area (EEA). If we transfer data outside the UK/EEA, we implement appropriate safeguards including Standard Contractual Clauses to ensure your data remains protected in accordance with UK GDPR.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will provide you with at least 30 days' notice of any material changes by:
- Sending an email notification to your registered email address
- Posting a prominent notice on our platform
- Updating the "Effective Date" at the top of this policy
Your continued use of the platform after changes become effective constitutes your acceptance of the updated Privacy Policy.
13. Contact Us
If you have any questions about this Privacy Policy, your personal data, or our privacy practices, please contact us:
Creative Sauce Ltd
Email: hello@creativesauce.io
Subject Line: "Privacy Policy Inquiry"
We aim to respond to all privacy inquiries within 10 business days.