Privacy Policy
Last updated: March 17, 2026
This Privacy Policy explains how Ovk Consulting ("we", "us", "our") collects, uses, stores, and protects your personal data when you use Agent One at agent-one.org and through connected messaging platforms. We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and applicable Danish data protection law.
1. Who We Are
Agent One is operated by Ovk Consulting (CVR 38284282), Lyngbyvej 438, 2820 Gentofte, Denmark. For the purposes of GDPR, Ovk Consulting is the data controller -- meaning we decide how and why your personal data is processed.
Contact for data requests:
Ovk Consulting
CVR: 38284282
Lyngbyvej 438, 2820 Gentofte, Denmark
Email: [email protected]
Website: agent-one.org
2. What Data We Collect
We collect only the data necessary to provide and improve Agent One. Here is what we collect and why:
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, billing communication, service updates | Contract performance |
| Telegram user ID | Connecting your agent to your Telegram account | Contract performance |
| Conversation messages | Providing AI responses and the agent memory feature | Contract performance |
| Usage metrics (message counts per day) | Service monitoring, fair use enforcement, billing | Legitimate interest |
| Payment information | Processing payments via Stripe (we never see or store your card number) | Contract performance |
We do not collect special category data (health, biometric, political, or religious data). We do not buy data from third parties or build advertising profiles.
3. How We Use Your Data
Your data is used for the following purposes:
- Providing the service -- delivering AI agent responses in your messaging app, maintaining conversation memory, and managing your account.
- AI processing -- your messages are sent to third-party large language model (LLM) providers through OpenRouter to generate AI responses. See Section 5 for details.
- Team features -- if you use a team agent, conversation context is shared between team members to enable collaborative use of the agent.
- Billing -- processing payments, managing subscriptions, and enforcing fair use.
- Service improvement -- aggregate, anonymized usage metrics help us improve performance and reliability. We do not use your messages to train AI models.
4. Legal Basis for Processing
Under GDPR Article 6, we process your personal data based on the following legal grounds:
- Performance of a contract (Article 6(1)(b)) -- most of the data we process is necessary to deliver the service you signed up for. This covers your email, Telegram user ID, conversation messages, and payment processing.
- Legitimate interests (Article 6(1)(f)) -- we collect usage metrics to monitor service health, prevent abuse, and improve Agent One. We have assessed that this does not override your rights, as the data is minimal and non-sensitive.
We do not rely on consent as a legal basis for core service functionality. If we ever need consent for a specific purpose (such as marketing emails), we will ask for it separately and you can withdraw it at any time.
5. Third-Party Services
We share data with the following third parties, only to the extent necessary to operate the service:
Stripe (Payments)
Stripe processes your payment information. We never receive or store your credit card number. Stripe acts as an independent data controller for payment data. See Stripe's Privacy Policy.
OpenRouter / Anthropic (AI Processing)
Your messages are sent to AI model providers through OpenRouter to generate agent responses. These providers process messages as data processors on our behalf. Messages are sent for inference only and are not used to train AI models. See OpenRouter's Privacy Policy.
Telegram (Messaging)
Agent One connects to your Telegram account through Telegram's Bot API. Telegram acts as an independent platform. Your messages pass through Telegram's infrastructure before reaching us. See Telegram's Privacy Policy.
We do not sell your personal data to anyone. We do not share your data with advertisers.
6. Data Storage and Security
Your conversation data is stored in isolated SQLite databases within individual Docker containers -- one per agent. This means your data is architecturally separated from other users' data.
We take the following measures to protect your data:
- Each agent runs in its own isolated container environment
- Access to production systems is restricted to authorized personnel
- Data is transmitted over encrypted connections (TLS)
- We regularly review and update our security practices
Server location: Our servers are located in the European Union.
If our servers are located outside the EU/EEA, we ensure that appropriate safeguards are in place for international data transfers, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
7. Data Retention
We retain your data only for as long as necessary:
| Data | Retention Period |
|---|---|
| Conversation messages | 30 days by default, then automatically deleted |
| Account data (email, Telegram ID) | Until you request account deletion |
| Usage metrics | Retained for billing and service monitoring purposes, deleted when no longer needed |
| Payment records | As required by Danish tax and accounting law (typically 5 years) |
When data reaches the end of its retention period, it is permanently deleted from our systems.
8. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights. You can exercise any of them by emailing [email protected].
- Right of access (Article 15) -- you can request a copy of all personal data we hold about you.
- Right to rectification (Article 16) -- you can ask us to correct inaccurate or incomplete data.
- Right to erasure (Article 17) -- you can ask us to delete your personal data. We will comply unless we have a legal obligation to retain it.
- Right to restrict processing (Article 18) -- you can ask us to limit how we process your data in certain circumstances.
- Right to data portability (Article 20) -- you can request your data in a structured, machine-readable format (JSON).
- Right to object (Article 21) -- you can object to processing based on legitimate interests. We will stop unless we have compelling grounds.
- Right to withdraw consent (Article 7(3)) -- where processing is based on consent, you can withdraw it at any time without affecting earlier processing.
How to make a request: Email [email protected] with "Data Request" in the subject line. We will verify your identity and respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) at datatilsynet.dk.
9. International Data Transfers
Some of our third-party service providers (Stripe, OpenRouter) operate in the United States. When your data is transferred outside the EU/EEA, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Provider-specific data processing agreements with appropriate safeguards
You can request a copy of the relevant safeguards by contacting us at [email protected].
10. Team Agents and Shared Data
If you use a team agent, be aware that:
- Conversation context is shared between all team members connected to the same agent.
- Other team members may see information you share with the team agent as part of the shared context.
- The team administrator is responsible for managing team membership.
Do not share sensitive personal information with a team agent if you do not want other team members to have access to it.
11. Cookies
The Agent One website (agent-one.org) uses only essential cookies required for the site to function (such as session management during signup). We do not use tracking cookies, analytics cookies, or advertising cookies.
Since we only use strictly necessary cookies, consent is not required under GDPR. If this changes in the future, we will update this policy and implement a cookie consent mechanism.
12. Children's Privacy
Agent One is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you by email if the changes significantly affect how we process your data
We encourage you to review this page periodically. Continued use of Agent One after changes are posted constitutes acceptance of the updated policy.
14. Contact Us
If you have any questions about this Privacy Policy, your personal data, or want to exercise your rights, contact us:
Ovk Consulting
CVR: 38284282
Lyngbyvej 438, 2820 Gentofte, Denmark
Email: [email protected]
Website: agent-one.org
For complaints about data protection, you can also contact the Danish Data Protection Agency (Datatilsynet):