AgentPM™ Privacy Policy#

Last updated: June 18, 2026

This Privacy Policy explains how AgentPM ("AgentPM," "we," "us," or "our") collects, uses, and shares information when you use:

  • The AgentPM website and registry (the "Site" and "Registry"),
  • Our public APIs and services,
  • The open-source CLI and SDKs (collectively, the "Services").

By using the Services, you agree to this Policy.


1) Scope & who we are#

AgentPM provides a package registry and tooling for AI agent artifacts—including tools, agents, skills, and templates—along with manifests, signing, verification, and install flows. This Policy covers personal information we process as a controller (e.g., your account profile) and data we process as a service provider (e.g., hosting your published artifacts).

Contact: support@agentpackagemanager.com


2) Information we collect#

A. Account & authentication#

  • Account details: name, email, username/namespace handle, organization (if any).
  • Authentication: Personal Access Tokens (PATs), device-code flow approvals. CLI note: PATs you paste or pipe are sent to the Registry only to authenticate or validate; your local token file (token.json) is stored on your device, not by us.

B. Content you publish#

  • Artifacts you upload: manifests (agent.json), tarballs, docs, READMEs, signatures, and registry attestations. Published artifacts and their metadata are public by design when published to a public namespace.
  • Namespace settings: visibility (public or private), signing mode, signer public keys, org membership and roles.

C. Billing & subscription data#

  • Subscription state: plan level (Free, Pro, or Team), billing status (active, trialing, past due, or canceled), and billing period dates.
  • Payment processing: payments are handled by Lemon Squeezy, our payment processor. We do not store your full payment card details. We receive and store subscription status, plan level, and renewal dates to manage your access to paid features.

D. Usage & log data#

  • Server logs: IP address, timestamps, request and response metadata, user agent, referrer, error traces.
  • Security events: auth successes and failures, rate-limit and abuse signals, publish, verify, and attestation results.
  • Scanning results: malware and threat scan status (e.g., Clean, Infected, Unknown), yanking state.

E. Cookies & local storage (Site)#

  • Strictly necessary cookies for session and auth.
  • Preference cookies (e.g., theme). We do not use ad tech or cross-site behavioral advertising.

F. Support & communications#

  • Emails, issue reports, or form submissions you send to us.

G. Optional analytics#

We may use privacy-respecting analytics to understand aggregate usage (e.g., page counts). No ad tracking.


3) How we use information#

  • Provide and maintain the Services: account auth, installs, publishes, signatures and attestations, artifact delivery, private namespace access control.
  • Billing: process and manage subscriptions, enforce plan-based access to paid features, handle billing communications.
  • Security & integrity: detect and prevent abuse and malware; yank infected versions; enforce signing and attestation.
  • Product operations: measure reliability, debug errors, improve docs and UX.
  • Communications: service notices, billing updates, and (if you opt in) product updates.
  • Legal compliance: enforce terms, respond to lawful requests.

4) When we share information#

We do not sell personal information.

We may share:

  • Payment processor: Lemon Squeezy processes subscription payments on our behalf. When you purchase a paid plan, relevant transaction data (including your email and billing details) is shared with Lemon Squeezy as necessary to complete the transaction. Lemon Squeezy's privacy policy governs their processing of that data.
  • Service providers: hosting, storage, email delivery, logging and monitoring, security scanning. Providers may process data on our behalf under contracts.
  • Legal reasons: to comply with law, respond to lawful requests, or protect rights, safety, and security.
  • Business transfers: if we undergo a merger, acquisition, or asset sale, data may transfer subject to this Policy.
  • Public registry data: artifacts, manifests, signatures, scan badges, and version metadata are public when you publish to a public namespace.

5) CLI & SDK specifics#

  • Local token storage: the CLI stores credentials only on your device (e.g., OS app-data directory). We do not read your local files.
  • Runtime behavior: SDKs run your tools in subprocesses within your environment; inputs, outputs, and any logs from your tools remain in your environment.
  • Environment variables: variables you pass to load() are used only to launch your tools and are not transmitted to AgentPM.

6) Malware & security scanning#

After publish, artifacts are scanned asynchronously. Results (e.g., Clean, Infected, Unknown) appear on version pages. If threats are detected, versions are Yanked: they remain visible for auditability but cannot be installed and are removed from search and trending. We also enforce size, archive, and path-safety checks at publish time to reduce risk.


7) Data retention#

  • Account data: retained while your account is active. We may retain limited logs (up to 90 days) for security and operations.
  • Published content: artifact versions and metadata are part of the public record of the Registry; we generally retain them to preserve integrity and dependency reproducibility, including yanked versions (which remain visible with a badge but are not installable).
  • Billing records: retained as required for financial and legal compliance.
  • Security logs & scan results: retained as needed for security, investigation, and compliance.

8) Your choices & rights#

  • Access/Update: manage your profile and namespace settings on the Site.
  • Auth tokens: create and revoke PATs at any time.
  • Namespaces & signers: add or revoke signer public keys on your namespace.
  • Billing: manage or cancel your subscription from the billing section of your profile.
  • Delete account: contact us at support@agentpackagemanager.com. Note that public artifacts already published may remain for registry integrity; we can mark versions Yanked but cannot retroactively remove them from dependent builds.
  • Regional rights: If you are in a region with data rights (e.g., GDPR/UK GDPR/CPRA), you may request access, correction, deletion, or portability of your personal data. Requests: support@agentpackagemanager.com.

We do not knowingly collect information from children under 16. If you believe a minor has provided personal information, contact us.


9) International transfers#

We operate primarily in the United States. If you access the Services from outside the U.S., you consent to processing in the U.S. and other countries where we or our providers operate, which may have different data protection laws.


10) Security#

We use industry-standard measures to protect data, including HTTPS in transit, encryption at rest for stored artifacts and metadata, signing and attestation to protect artifact integrity, access controls, and routine scanning. No method of transmission or storage is 100% secure.


The Services may link to third-party sites or documentation. Their privacy practices are their own; review their policies.


12) Changes to this Policy#

We may update this Policy from time to time. We will post the new date at the top and, for material changes, provide additional notice (e.g., a banner or email). Continued use means you accept the updated Policy.


13) Contact#

Questions or requests: support@agentpackagemanager.com