Privacy Policy

Effective date: March 24, 2026 — Last updated: March 24, 2026

AgentWorkPermit (“AWP”, “we”, “us”, or “our”) operates a permission proxy that allows AI agents to access your Gmail account through temporary, scoped, and revocable work permits. This Privacy Policy explains what data we collect, why we collect it, how we protect it, and what rights you have.

We believe privacy policies should be clear and honest. If something is unclear, contact us at privacy@agentworkpermit.com.

1. Data Controller

The data controller responsible for your personal data is:

NANJI SAS
French company registered under SIREN 910189380
43 rue de Turbigo, 75003 Paris, France
Operating the service AgentWorkPermit (AWP)

Email: privacy@agentworkpermit.com

2. Data We Collect

2.1 Account Information

When you sign in with Google, we collect your email address, display name, and Google profile ID for account identification and personalization. Legal basis: contract performance (Art. 6(1)(b) GDPR).

2.2 Gmail OAuth Tokens

When you connect Gmail, we receive OAuth tokens to execute permitted agent actions on your behalf. These tokens are encrypted at rest using Google Cloud KMS (AES-256-GCM). You can revoke Gmail access at any time from the Settings page, which immediately deletes stored tokens. Legal basis: explicit consent (Art. 6(1)(a) GDPR).

2.3 Permit Data

Permit configurations (scope, duration, rules) and status history are stored to define and track agent access. Legal basis: contract performance (Art. 6(1)(b) GDPR).

2.4 Audit Logs

We log action type, timestamp, agent identifier, and action metadata (e.g., thread ID, label name) for security monitoring and accountability. Audit logs record metadata only. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).

3. Data We Do NOT Collect

We want to be explicit about what AWP never stores:

• Email content — we do not store email bodies, subjects, or snippets
• Email attachments — we do not store or process attachments
• Contact details — we do not store your Gmail contacts
• Tracking cookies — we do not use third-party trackers, advertising pixels, or analytics

When an AI agent reads or sends email through AWP, the content passes through our servers transiently but is never persisted.

4. How We Protect Your Data

• Gmail OAuth tokens encrypted at rest via Google Cloud KMS (europe-west9)
• All connections use HTTPS/TLS
• Session tokens in httpOnly, secure, SameSite cookies
• Permit tokens hashed with SHA-256 — never stored in plaintext
• IP binding — tokens lock to the first IP that uses them
• Rate limiting — automatic blocking of excessive requests
• All infrastructure in EU (Paris, France)

5. Data Retention

• Account information — until you delete your account
• Gmail OAuth tokens — until you disconnect Gmail or delete your account
• Audit logs — 90 days after the related permit expires, then deleted
• Session data — 7 days or until you sign out

When you delete your account, all associated data is permanently deleted. This action is irreversible.

6. Subprocessors

All subprocessors operate within the European Union:

• Google Cloud Platform — KMS encryption (europe-west9, Paris)
• Fly.io — API and database hosting (CDG, Paris)
• Vercel — Web dashboard hosting (EU edge)

We do not sell, rent, or share your personal data with any other third parties.

7. Your Rights Under GDPR

You have the right to:

• Access (Art. 15) — request a copy of your personal data
• Rectification (Art. 16) — correct inaccurate data
• Erasure (Art. 17) — delete your account and all data
• Restriction (Art. 18) — restrict processing in certain cases
• Portability (Art. 20) — receive your data in a machine-readable format
• Object (Art. 21) — object to processing based on legitimate interests
• Withdraw consent (Art. 7(3)) — disconnect Gmail at any time
• Complaint — lodge a complaint with the CNIL

To exercise your rights: use the Settings page or email privacy@agentworkpermit.com. We respond within 30 days.

8. Cookies

AWP uses a single session cookie (awp_session) for authentication. It is httpOnly, Secure, and SameSite. Duration: 7 days.

We do not use tracking cookies, advertising cookies, or third-party analytics. No cookie consent banner is required.

9. Data Breach Notification

In the event of a breach, we will notify the CNIL within 72 hours and affected users without undue delay, as required by Art. 33-34 GDPR.

10. International Data Transfers

All AWP infrastructure is in the European Union (Paris, France). We do not transfer personal data outside the EEA.

11. Contact Us

NANJI SAS — 43 rue de Turbigo, 75003 Paris, France

Email: privacy@agentworkpermit.com