agentmail is designed to collect the minimum data needed to operate:
API keys: when you create a paid account, we store your Stripe-generated API key (a random string). We do not store passwords.
Screening queries: we log the subject of each sanctions check (wallet address, name, or country code), the timestamp, and the result. This log is your audit trail and is retained for compliance purposes.
Usage metadata: request count, IP address (for rate limiting), and timestamps. We do not store request payloads beyond the screening subject.
Billing data: handled entirely by Stripe. We never see or store your credit card number.
What we do NOT collect
We do not use tracking cookies or analytics pixels that follow you across sites.
We do not sell, rent, or share your data with third parties.
We do not store the contents of your emails or SMS messages (those are handled by separate inbox services).
Data retention
Screening logs (audit trails) are retained for the life of your account. If you delete your account, we purge your logs within 30 days, unless retention is legally required.
GDPR / CCPA
You can request export or deletion of your data at any time by contacting us via GitHub Issues. We comply with all data subject access requests within 30 days.
Security
All traffic is encrypted via HTTPS (HSTS enforced). API keys are transmitted via headers only, never in URLs. We do not store sensitive payment data (Stripe handles all billing).