Effective date: May 1, 2026
Antigency is operated by Antigency Inc. (referred to in this policy as “Antigency,” “we,” “our,” or “us”).
Privacy inquiries: derek@antigency.ai.
Mailing address: On file with registered agent.
From the merchant directly. Account email, name, business name, payment method (handled by our payment processor — we never see card numbers), subscription tier selection, and any voice or configuration preferences you provide.
From the merchant’s Shopify store (with your OAuth permission). Products, orders, customer records (which contain personal data about your end customers), inventory levels, theme assets, scripts, checkout settings, and shipping zones. The exact OAuth scopes requested are listed on the install screen.
From connected integrations (with your OAuth permission). Google Analytics 4 traffic data, Google Search Console query data, Google Ads campaign and account data, Klaviyo flow and list data, Meta Ads campaign data, Google Merchant Center feed data.
Automatically. IP address, user agent, page views on antigency.ai, and dashboard interactions, recorded server-side for security and product analytics.
From external agents (MCP). When the Antigency MCP server is available, calling-agent metadata such as call ID, rationale, context payload, and originating IP. The MCP server is post-launch; this section is forward-looking.
To operate the service: read your data, run audits and execution tasks against your approval, and write results back to your account.
To improve the service: aggregate and de-identified analysis of system performance and per-merchant outcome refinement.
To bill the service: tier enforcement and quota tracking.
For security and fraud prevention: anomaly detection, abuse investigation, and audit logging.
For support: when you contact us, we use your data to help resolve your issue.
We do not sell merchant data.
We do not use merchant data to train external large language models.
We do not share merchant data across merchants. Tenant isolation is enforced at the database row level.
Active merchant data: retained while your account is active.
Inactive merchant data: retained for 90 days after cancellation, then purged. This grace window allows reactivation.
Per-merchant agent memory: retention windows vary by subscription tier. Free tier: 30 days from last activity. Pro tier: indefinite during active subscription, 30-day grace window after cancellation.
Audit logs: retained for 1 year minimum; governance-relevant logs retained longer.
Backups: retained for 30 days, then purged.
We use the following sub-processors to operate the service:
Legal compliance. We share data when required by law, court order, or valid regulatory request.
Your explicit consent. When you connect an integration, that integration’s data flows back through our infrastructure under your authorization.
We do not sell, rent, or monetize merchant data through advertising or data brokerage of any kind.
Parts of the platform — currently the content drafting workflows that produce blog articles and product descriptions — use third-party large language models (Anthropic’s Claude) to generate written content. All such content is presented to you for review and approval before any publication action is taken on your behalf. We do not pass your store data to LLM providers without your explicit action; LLM providers do not retain prompts or outputs beyond their standard operational logging windows.
Antigency operates across multiple data platforms you connect (e.g. Shopify, Meta Ads, Google Ads, Klaviyo). To power agents that depend on signals from more than one platform — for example matching ad spend to revenue, or matching customer email engagement to purchase patterns — we correlate data across the platforms you’ve connected. This correlation is performed inside your account only. We do not aggregate data across customers, do not sell data, and do not share data with third parties beyond what is necessary to fulfill the agent’s stated function (e.g. an LLM call for content generation, see “AI-generated content” above). You can disconnect a platform at any time, which immediately revokes our access to its data.
Primary infrastructure is hosted in the United States (Vercel and Supabase US regions).
Some sub-processors operate globally. Where applicable, we rely on their published compliance posture (SOC 2, ISO 27001, and equivalent frameworks).
For merchants in the European Union, United Kingdom, and other regions with cross-border transfer requirements, our Data Processing Agreement at /legal/dpa covers the required terms, including Standard Contractual Clauses.
Right to access. You may request a full export of your data by emailing us.
Right to deletion. Cancellation triggers a 90-day grace period followed by purge. You may request immediate purge at any time.
Right to portability. Data exports are provided in JSON and CSV formats.
Right to object. You may opt out of any processing that is not strictly required for service delivery.
Right to lodge a complaint. You may contact your local data protection authority.
For California residents. CCPA-specific rights apply, including the right to know what personal information is collected and the right to request deletion. We do not sell personal information.
For European Union residents. GDPR Articles 15 through 22 apply, including access, rectification, erasure, portability, restriction, and objection.
The marketing site at antigency.ai uses privacy-respecting analytics that do not set cookies for cross-site tracking.
The dashboard uses authentication cookies, which are required to keep you signed in.
We do not use third-party advertising cookies, social pixels, or tag managers on our properties.
Antigency is built for businesses, not children. We do not knowingly collect personal data from anyone under the minimum age set by applicable law in the merchant’s jurisdiction (commonly 13 or 16). If you believe a minor has provided us with data, contact us and we will delete it.
Material changes will be notified by email and dashboard banner at least 30 days in advance. Non-material changes will be notified by dashboard banner. The effective date at the top of this page is updated with each version, and prior versions are archived on request.
Privacy inquiries: derek@antigency.ai.
DPA requests: same address. We send the DPA template within 5 business days.
Data deletion requests: same address. We honor them within 30 days or as required by applicable law.