Privacy policy.
What AgentMetal collects, why, who processes it, and how you exercise your rights. We are built so an agent can buy compute with no account, so we collect very little. This page is a plain-language summary; the formal notice is our aviso de privacidad.
1Who is responsible
The data controller (responsable) is E-NGENIUM INFRAESTRUCTURA, S. de R.L. de C.V. (trading as "iNBest Cloud"), Av. Unión #163, Piso 1, Col. Lafayette, C.P. 44140, Guadalajara, Jalisco, México. Privacy and data-rights requests: [email protected].
2What we collect
- Nothing required to buy. You can provision a server with no account: the paying wallet (USDC over x402) or the card payment is the only identifier.
- Email, only if you choose to claim an account. We send a one-time code to verify it and store the address to manage your fleet and billing.
- Payment records: the amount, time, plan, a Stripe customer/charge reference for card payments, and the on-chain transaction hash and payer wallet address for USDC payments. We do not store card numbers or private keys.
- Server data: the plan, region, the IPv4 address we assign, expiry, and (only if you ask us to manage a key) an SSH private key stored encrypted at rest and purged when the server is destroyed.
- Operational logs: for each request, the IP address, user-agent, path, referrer, and any UTM parameter, used to run the service, prevent abuse, and produce aggregate traffic counts.
3Why we use it
To provide and bill the service, to authenticate account holders, to detect and stop abuse (see the acceptable-use section of our terms), to meet legal and accounting obligations, and to understand aggregate demand. We do not sell your personal data, and we do not use it for third-party advertising.
4Payments are partly public by nature
USDC payments settle on the Base blockchain. Blockchain transactions, including wallet addresses and amounts, are public and permanent by design and are not under our control. Card payments are handled by Stripe under Stripe's own privacy terms; we never see your full card details.
5Who else processes your data
We rely on a small set of providers (subprocessors) to run the service. They process data only to provide their function to us:
- Hetzner — the cloud servers we provision for you.
- Neon — managed PostgreSQL where accounts, payment records, and logs are stored.
- Cloudflare — DNS, CDN, and security (WAF/DDoS) in front of the API and site; it processes request metadata including IP addresses.
- Stripe — card payment processing.
- Amazon Web Services (SES) — sending the account-verification email.
- x402 facilitator — relays and settles USDC payments on Base.
6Cookies & tracking
This website does not use advertising or cross-site tracking cookies. Analytics are server-side and aggregate, derived from the operational logs above, not from cookies. Any local storage the site uses is strictly functional.
7How long we keep it
Destroyed-server data is not retained (a machine and its data are permanently deleted after the post-expiry grace period). Operational logs are pruned on a rolling retention window. Account and payment records are kept as long as needed to provide the service and to meet legal, tax, and anti-abuse obligations, then deleted or anonymized.
8Security
Traffic is encrypted in transit (TLS), the database connection is TLS-enforced, managed SSH keys are encrypted at rest (AES-256-GCM), and access to production is restricted. No system is perfectly secure; you are responsible for securing your own server and keys once provisioned.
9International transfers
We operate from México, and our providers process data in the United States and elsewhere. Using the service means your data may be processed outside your country, under the safeguards those providers offer.
10Your rights
Under México's Ley Federal de Protección de Datos Personales en Posesión de los Particulares you may exercise your ARCO rights (acceso, rectificación, cancelación, oposición) and withdraw consent. Write to [email protected]; the full process is in our aviso de privacidad. If you are covered by other regimes (such as the GDPR), contact us and we will honor the equivalent rights of access, correction, deletion, and portability.
11Children
AgentMetal is infrastructure for developers and autonomous agents, not directed at children, and is not intended for anyone under 18. We do not knowingly collect data from children.
12Changes
We may update this policy; the version and effective date at the top will change. Material changes will be reflected here, and continued use after an update means you accept the updated policy.