AgentPM™ Privacy Policy
Last updated: November 14, 2025
This Privacy Policy explains how AgentPM (“AgentPM,” “we,” “us,” or “our”) collects, uses, and shares information when you use:
- The AgentPM website and registry (the “Site” and “Registry”),
- Our public APIs and services,
- The open-source CLI and SDKs (collectively, the “Services”).
By using the Services, you agree to this Policy.
1) Scope & who we are
AgentPM provides a package registry and tooling for agent tools/agents, including manifests, signing, verification, and install flows. This Policy covers personal information we process as a controller (e.g., your account profile) and data we process as a service provider (e.g., hosting your published tool artifacts).
Contact: privacy@agentpackagemanager.com
2) Information we collect
A. Account & authentication
- Account details: name, email, username/namespace, organization (if any).
- Authentication: Personal Access Tokens (PATs), device-code flow approvals.
CLI note: PATs you paste or pipe are sent to the Registry only to authenticate or validate; your local token file (token.json) is stored on your machine, not by us.
B. Content you publish
- Tool/agent data you upload: manifests (agent.json), tarballs, docs, READMEs, signatures, and registry attestations. Published artifacts and their metadata are public by design.
- Namespace & signing settings: signer public keys you register, and per-namespace signing mode.
C. Usage & log data
- Server logs: IP address, timestamps, request/response metadata, user agent, referrer, error traces.
- Security events: auth successes/failures, rate-limit/abuse signals, publish/verify/attestation results.
- Scanning results: malware/threat scan status (e.g., clean/infected/unknown), yanking state.
D. Cookies & local storage (Site)
- Strictly necessary cookies for session/auth.
- Preference cookies (e.g., theme). We do not use ad tech or cross-site behavioral advertising.
E. Support & communications
- Emails, issue reports, or form submissions you send to us.
F. Optional analytics
We may use privacy-respecting analytics to understand aggregate usage (e.g., page counts). No ad tracking.
3) How we use information
- Provide and maintain the Services: account auth, installs, publishes, signatures/attestations, artifact delivery.
- Security & integrity: detect/prevent abuse and malware; yank infected versions; enforce signing/attestation.
- Product operations: measure reliability, debug errors, improve docs/UX.
- Communications: service notices, security updates, and (if you opt in) product updates.
- Legal compliance: enforce terms, respond to lawful requests.
4) When we share information
We do not sell personal information.
We may share:
- Service providers: hosting, storage, email delivery, logging/monitoring, security scanning (e.g., GuardDuty-backed scanning). Providers may process data on our behalf under contracts.
- Legal reasons: to comply with law, respond to lawful requests, or protect rights, safety, and security.
- Business transfers: if we undergo a merger, acquisition, or asset sale, data may transfer subject to this Policy.
- Public registry data: artifacts, manifests, signatures, scan badges, and version metadata are public when you publish.
5) CLI & SDK specifics
- Local token storage: the CLI stores credentials only on your device (e.g., OS app-data directory). We do not read your local files.
- Runtime behavior: SDKs spawn your tools in subprocesses; inputs/outputs and any logs from your tools remain within your environment.
- Environment variables: variables you pass to load() are used only to launch your tools and are not transmitted to AgentPM.
6) Malware & security scanning
- After publish, artifacts are scanned asynchronously. Results (e.g., Clean, Infected, Unknown) appear on version pages.
- If threats are detected, versions are Yanked: they remain visible for auditability but cannot be installed and are removed from search/trending.
- We also enforce size, archive, and path-safety checks at publish time to reduce risk.
7) Data retention
- Account data: retained while your account is active. We may retain limited logs (e.g., up to 90 days) for security and operations.
- Published content: artifact versions and metadata are part of the public record of the Registry; we generally retain them to preserve integrity and dependency reproducibility, including yanked versions (which remain visible with a badge but are not installable).
- Security logs & scan results: retained as needed for security, investigation, and compliance.
8) Your choices & rights
- Access/Update: manage your profile/namespace settings on the Site.
- Auth tokens: create/revoke PATs at any time.
- Namespaces & signers: add/revoke signer public keys on your namespace.
- Delete account: contact us at privacy@agentpackagemanager.com. Note that public artifacts already published may remain for registry integrity; we can mark versions Yanked but not retroactively remove them from dependent builds.
- Regional rights: If you are in a region with data rights (e.g., GDPR/UK GDPR/CPRA), you may request access, correction, deletion, or portability of your personal data. Requests: privacy@agentpackagemanager.com.
We do not knowingly collect information from children under 16. If you believe a minor has provided personal information, contact us.
9) International transfers
We operate primarily in the United States. If you access the Services from outside the U.S., you consent to processing in the U.S. and other countries where we or our providers operate, which may have different data protection laws.
10) Security
We use industry-standard measures to protect data, including HTTPS in transit, encryption at rest for stored artifacts/metadata, signing/attestation to protect artifact integrity, access controls, and routine scanning. No method of transmission or storage is 100% secure.
11) Third-party links
The Services may link to third-party sites or documentation. Their privacy practices are their own; review their policies.
12) Changes to this Policy
We may update this Policy from time to time. We’ll post the new date at the top and, if changes are material, provide additional notice (e.g., banner or email). Continued use means you accept the updated Policy.
13) Contact
Questions or requests: privacy@agentpackagemanager.com