Gift an Agent
TermsHome

Privacy Policy

Last updated: 26 March 2026

Gift an Agent (“we”, “us”, “our”) operates the website giftanagent.com and the Gift an Agent personal AI assistant platform (collectively, the “Service”). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the choices you have.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you are in the European Economic Area (EEA) or UK, we process your personal data as a data controller under the UK GDPR and EU GDPR. If you are a California resident, see Section 13 for your additional rights under the CCPA.

Program description: Gift an Agent is a personal AI assistant service. Users receive AI agents as gifts or purchase them directly. Your agent communicates with you via Telegram and/or SMS text messaging. It can make phone calls, send and receive emails, connect to third-party services, store notes and contacts, set reminders, search the web, and more — all on your behalf and at your direction.

1. What Data We Collect

We collect different categories of data depending on your role (gifter or recipient) and how you interact with the Service.

Gifter Data (collected at purchase)

·
Recipient's name To personalise the agent and gift email
·
Recipient's email address To send the gift setup email
·
Your name (gifter) To personalise the gift and agent profile
·
Personal note / message Stored in the agent's memory and read at each session
·
Recipient context Description of the recipient to personalise the agent
·
Payment information Processed by Stripe — we do not store card details
·
Purchase metadata Plan selected, timestamp, Stripe session ID

Recipient Data (collected at setup and during use)

·
Telegram chat ID Used to deliver messages and manage the agent session
·
Phone number (if using SMS) Used to deliver messages via SMS text messaging
·
SMS consent timestamp and IP address Recorded when you opt in to SMS messaging, for compliance purposes
·
Self-context (role, interests, goals) Written by the recipient to personalise their agent
·
Agent name chosen by recipient Personalisation of the agent
·
Selected skills Which capabilities the recipient enables for their agent

Usage and Conversation Data

·
Conversation messages Stored to provide conversation memory and context to the agent
·
Token usage counts Tracked to manage plan limits and top-up thresholds
·
Timestamps and model metadata Operational logging and billing accuracy
·
Long-term memory summaries Compressed summaries generated when conversation history grows long; original messages are deleted after summarisation
·
Behavioral style profile AI-generated summary of your communication preferences and personality traits, used to personalise how the agent speaks with you
·
Daily activity logs Truncated logs of each day's conversations, kept to help the agent recall recent activity
·
Scheduled task instructions If you set up reminders or recurring tasks, the task label and instructions are stored to enable timed delivery
·
Notes and contacts If you save notes or contacts with your agent, these are stored permanently in our database and are never auto-deleted
·
Phone call recordings and transcripts If your agent makes or receives phone calls on your behalf, the call audio may be recorded and transcribed by our telephony provider (Bland AI). See Section 6 for details.
·
Email messages If your agent sends or receives emails on your behalf via AgentMail, the email content (including attachments) is processed and stored. See Section 8 for details.
·
Credentials and access tokens shared with the agent If you voluntarily share login credentials, API keys, or access tokens with your agent so it can act on your behalf, these are stored as part of the agent's memory. See Section 4 for important guidance.

2. How We Collect Your Data

We collect data through the following means:

  • Directly from you — when you complete the gifting form, the setup form, or contact us
  • From Stripe — payment confirmation webhooks (no card data is shared with us)
  • From Telegram — when you message your agent via Telegram, Telegram delivers the message to our webhook
  • From Twilio (SMS) — when you message your agent via SMS, Twilio delivers the message to our webhook
  • From phone calls — when your agent makes or receives calls on your behalf, call data is processed by Bland AI
  • From third-party service connections — when you connect services like Google, Spotify, or LinkedIn, data is exchanged via OAuth through Composio
  • Automatically — basic server logs (timestamps, request metadata) and website analytics via PostHog

3. How We Use Your Data

We use personal data for the following purposes, and only for these purposes:

Delivering the gift: Sending the setup email, provisioning the agent, and enabling Telegram or SMS access.
Personalising the agent: Your note, gifter name, and recipient context are read by the agent at the start of each session to create a personalised experience.
Maintaining conversation memory: Messages are stored so the agent can remember past conversations. Older messages are periodically compressed into summaries.
Storing notes, contacts, and reminders: When you ask your agent to save a note, contact, or reminder, this data is stored to serve you across sessions.
Making phone calls and sending emails: When you instruct your agent to call someone or send an email, your data is shared with our telephony and email providers to complete the action.
Connecting third-party services: When you connect a third-party service (e.g. Google, Spotify), OAuth tokens are stored by our integration partner to enable the agent to act on your behalf.
Managing token usage: Tracking usage to enforce plan limits and notify recipients when top-up is needed.
Processing payments and top-ups: Communicating with Stripe to fulfill purchases and subscriptions.
Improving the Service: Website analytics (via PostHog) to understand how people use the site and improve the experience. We do not use conversation content for analytics.
Customer support: If you contact us, we use your data to respond to your request.
Legal compliance: We may process or disclose data where required by law.

Our legal basis for processing under the GDPR is:

  • Contract performance — processing necessary to fulfil your gift purchase or agent service
  • Legitimate interests — maintaining security, preventing fraud, improving the Service
  • Legal obligation — compliance with applicable laws
  • Consent — where you have explicitly opted in (e.g., SMS messaging, phone calls, third-party service connections)

4. Conversation Data and AI Processing

Important: AI providers process your conversations

Every message you send to your agent is processed by Anthropic's Claude AI model. Anthropic processes this data under their own privacy policy and usage terms. We strongly recommend reading Anthropic's Privacy Policy.

When you send a message to your agent:

  1. Your message, along with recent conversation history, your agent's profile, and relevant memory context is sent to Anthropic's API to generate a response.
  2. If your agent needs to use a tool (search the web, make a call, send an email, etc.), the AI may make multiple rounds of tool calls before returning a final response.
  3. The response is returned and sent to you via Telegram or SMS.
  4. Both your message and the response are stored in our database (Supabase, hosted on AWS) to enable future conversation memory.

We store conversations for as long as your agent account is active. See Section 12 for retention details.

What we don't do: We do not sell your conversations to third parties. We do not use your conversation content to train AI models. We do not share conversation content with the gifter after the gift has been delivered.

Credentials and access tokens you share with your agent

Your agent can act on your behalf with third-party services. To do this, you may choose to share login credentials, API keys, or access tokens with your agent during a conversation.

If you do, you should be aware of the following:

  • These credentials are stored as part of your agent's memory file in our database.
  • They are stored as plain text (not encrypted at rest beyond standard database-level security).
  • They are included in the context sent to Anthropic's API with each conversation.

Our recommendation: Where possible, use the built-in OAuth connections (see Section 10) instead of sharing raw credentials. If you must share credentials, prefer read-only API keys and revoke them when no longer needed.

5. Memory System

Your agent maintains a memory system so it can remember you across conversations. This memory includes:

  • Factual memories — things you tell the agent to remember (e.g. your preferences, important dates, facts about people in your life).
  • Behavioral style profile — an AI-generated summary of how you communicate, covering dimensions like formality, humor, detail level, and conversational style. This helps the agent match your tone.
  • Core identity — the gifter's note, your self-description, and the agent's personality as configured during setup.
  • Conversation summaries — when your conversation history grows long, older messages are compressed into summaries and the originals are permanently deleted.
  • Notes and contacts — user-created data that is stored permanently and never auto-deleted. You can ask your agent to delete any note or contact at any time.

All memory data is stored in our Supabase database and is included in the context sent to Anthropic when generating responses. Memory data is retained for the life of your agent account unless you request deletion.

6. Phone Calls

Your agent can make phone calls on your behalf using our telephony provider, Bland AI. When your agent makes a call:

  • The call is placed by Bland AI's infrastructure. The recipient will see a phone number associated with Gift an Agent, not your personal number.
  • Call recordings and transcripts: Calls may be recorded and transcribed by Bland AI. Transcripts are returned to your agent and stored in your conversation history.
  • Call data (phone number called, duration, transcript) is processed and stored by Bland AI under their privacy policy.
  • Your agent will only make calls when you explicitly instruct it to do so. We do not make automated marketing calls.

TCPA Notice

By instructing your agent to make a phone call, you represent that you have the right to contact the person being called and that the call complies with applicable laws, including the Telephone Consumer Protection Act (TCPA). We do not make calls to any person without direction from the user.

7. SMS/Text Message Communications

SMS Program Details

  • Program name: Gift an Agent Personal AI Assistant
  • Description: A personal AI assistant that communicates with you via SMS text messaging to help with tasks, answer questions, set reminders, and more.
  • Message frequency: Varies based on your interaction. Your agent replies to your messages and sends scheduled reminders you have set up. You control message frequency by how often you text.
  • Phone number: (833) 984-2439
  • Message content: AI assistant responses to user-initiated conversations only. No marketing messages. No automated bulk messages.

If you connect to your agent via SMS text messaging, the following applies:

  • How you opt in: You consent to receive text messages from Gift an Agent by providing your phone number during setup and checking the SMS consent checkbox, OR by texting START followed by your activation token to (833) 984-2439. We record the timestamp and IP address of your consent.
  • What we collect: Your phone number, SMS consent status, consent timestamp, and IP address at the time of consent.
  • Message frequency varies based on your interaction with the agent. Your agent only responds when you text first, except for reminders you have explicitly scheduled. We never send marketing messages, promotional content, or automated bulk messages.
  • Message and data rates may apply depending on your mobile carrier and plan.
  • To stop receiving messages at any time, text STOP. You will receive a confirmation and no further messages will be sent.
  • To resume messages after opting out, text START.
  • For help, text HELP or email [email protected].
  • We do not share your phone number with third parties for marketing purposes.
  • Your phone number is stored securely and used only to deliver your AI assistant service.
  • SMS messages are processed via Twilio. Twilio processes your phone number and message content under their Privacy Policy.
  • Carriers are not liable for delayed or undelivered messages.

8. Email (Agent Email)

Your agent has its own email address powered by AgentMail. When your agent sends or receives email:

  • Outgoing emails are sent from your agent's dedicated email address, not from your personal email.
  • Incoming emails to your agent's address are processed and delivered to your conversation.
  • Email content (sender, recipient, subject, body, attachments) is processed by AgentMail and stored in our systems.
  • Email content may be included in conversation context sent to Anthropic for AI processing.
  • Your agent only sends emails when you explicitly instruct it to. We do not send unsolicited emails from your agent.

Transactional emails (gift setup emails, payment receipts) are sent via Resend and are separate from your agent's email functionality.

9. Third-Party Service Connections

Your agent can connect to third-party services (such as Google Workspace, Spotify, LinkedIn, and others) via OAuth authentication managed by our integration partner, Composio.

How third-party connections work

  • When you connect a service, you are redirected to that service's authorization page to grant specific permissions.
  • OAuth tokens are stored by Composio, not in our database directly.
  • Your agent accesses these services only when you explicitly instruct it to (e.g. “check my email”, “play a song”, “post to LinkedIn”).
  • Data retrieved from connected services may be included in conversation context sent to Anthropic for AI processing.
  • Data retrieved from connected services may appear in stored conversation messages and memory summaries.

Google Workspace Integration (Gmail, Google Drive, Google Calendar)

If you choose to connect your Google account, your agent can read and send emails, create and access Google Drive documents, and read your Google Calendar.

What Google data we access:

The initial connection grants send, Drive, and Calendar access. Email reading requires a separate opt-in authorization.

  • Gmail send: Send and reply to emails on your behalf (scope: gmail.send)
  • Gmail read (optional): Read and search your inbox — requires separate authorization (scope: gmail.readonly)
  • Google Drive: Create, read, and organise files created by the app (scope: drive.file)
  • Google Calendar: Read and manage your calendar events (scope: calendar.events)
  • Profile information: Your name and email address (scopes: openid, email, profile)

What we do NOT do with Google data:

  • We do not sell, share, or transfer your Google data to any third party, except as necessary to provide the Service (i.e. sending it to Anthropic for AI processing).
  • We do not use your Google data for advertising, marketing, or user profiling.
  • We do not use your Google data to train AI models.
  • We do not retain Google data beyond what is stored as part of your conversation history.

Revoking access: You can disconnect your Google account at any time by telling your agent to “disconnect Google” or by revoking access at myaccount.google.com/permissions.

Disconnecting any service: You can disconnect any connected third-party service at any time by telling your agent. OAuth tokens will be removed from Composio. Data already stored in your conversation history will remain until you request deletion.

10. Third-Party Service Providers

We share data with the following trusted third parties, only as necessary to provide the Service:

Anthropic (AI model provider (Claude))

Data shared: Conversation messages, agent system prompt, memory context, tool call results

Region: USA

Policy

Supabase (Database (PostgreSQL on AWS))

Data shared: All stored data: gift records, user profiles, messages, usage counters, notes, contacts, memories

Region: USA (AWS)

Policy

Stripe (Payment processing)

Data shared: Payment information, purchase metadata (not conversation data)

Region: USA / EU

Policy

Telegram (Message delivery platform)

Data shared: Telegram chat ID; message content is routed through Telegram's servers

Region: Global

Policy

Twilio (SMS message delivery)

Data shared: Phone number, SMS message content

Region: USA

Policy

Bland AI (Telephone calls)

Data shared: Phone numbers, call audio recordings, call transcripts

Region: USA

Policy

AgentMail (Agent email service)

Data shared: Email addresses, email content (subject, body, attachments)

Region: USA

Policy

Composio (Third-party OAuth integration)

Data shared: OAuth tokens for connected services (Google, Spotify, LinkedIn, etc.)

Region: USA

Policy

Google (Workspace integration (Gmail, Drive, Calendar))

Data shared: OAuth tokens, email content, Drive files, Calendar events — accessed only on user instruction

Region: USA / Global

Policy

OpenAI (Audio transcription (Whisper))

Data shared: Audio files from voice messages for transcription

Region: USA

Policy

fal.ai (Image and video generation)

Data shared: Text prompts for generating images or videos

Region: USA

Policy

Resend (Transactional email delivery)

Data shared: Recipient name, email address, gift details (for setup and receipt emails)

Region: USA

Policy

PostHog (Website analytics)

Data shared: Anonymous page views, browser type, referral source (no conversation data)

Region: USA / EU

Policy

Railway (Application hosting)

Data shared: Server logs, application runtime data

Region: USA

Policy

Buffer (Social media scheduling (agent-directed))

Data shared: Social media post content, scheduling metadata

Region: USA

Policy

We do not sell personal data to any third party. We do not share personal data with advertisers.

11. Data Retention

We retain your data for as long as necessary to provide the Service and comply with our legal obligations.

·
Gift and recipient records: Retained for 3 years after the gift expiry date, for accounting and legal purposes.
·
Conversation messages: Retained for the life of the agent account. When a conversation accumulates more than approximately 40 messages, the oldest messages are summarised into a memory file and the originals are permanently deleted from our database.
·
Memory summaries and style profiles: Retained for the life of the agent account.
·
Notes and contacts: Retained permanently until you ask your agent to delete them, or until you request account deletion.
·
Payment records: Retained for 7 years as required by tax law.
·
Phone call recordings: Retained by Bland AI per their data retention policy. Transcripts are stored in your conversation history.
·
SMS messages: Retained by Twilio per their data retention policy. Message content is stored in your conversation history.
·
Agent emails: Retained by AgentMail and in your conversation history for the life of your agent account.
·
OAuth tokens (third-party connections): Retained by Composio only while the service is connected. Removed when you disconnect.
·
Website analytics: PostHog retains anonymized analytics data per their retention policy.
·
Deletion on request: If you request deletion of your data, we will remove your personal data (gift record, conversations, memory files, notes, contacts, usage data) within 30 days of a verified request, except where retention is legally required. Email us at [email protected].

12. Your Rights

For EEA and UK Residents (GDPR / UK GDPR)

If you are in the EEA or UK, you have the following rights regarding your personal data. You can exercise these rights by contacting us at [email protected].

Right of access: Request a copy of the personal data we hold about you.
Right to rectification: Ask us to correct inaccurate or incomplete data.
Right to erasure ('right to be forgotten'): Request deletion of your personal data. We handle deletion requests manually and will process your request within 30 days. Some data (e.g. payment records) may be retained where required by law.
Right to restrict processing: Ask us to limit how we use your data in certain circumstances.
Right to data portability: Request your data in a structured, machine-readable format.
Right to object: Object to processing based on legitimate interests. We will stop processing unless we have compelling legitimate grounds.
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
Right to lodge a complaint: You have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk, or your local supervisory authority in the EU.

We will respond to all valid requests within 30 days. We may ask you to verify your identity before fulfilling a request.

For California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) gives you additional rights regarding your personal information:

Right to know: You can request that we disclose what personal information we collect, use, disclose, and sell about you. The categories of information we collect are described in Section 1 of this policy.
Right to delete: You can request that we delete personal information we have collected from you, subject to certain legal exceptions.
Right to opt-out of sale: We do not sell your personal information. We have not sold personal information in the preceding 12 months.
Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights. We will not deny you goods or services, charge different prices, or provide a different level of service.

To exercise your CCPA rights, email us at [email protected]. We will verify your identity and respond within 45 days.

Categories of personal information we collect (CCPA disclosure)

  • Identifiers: Name, email address, phone number, Telegram chat ID
  • Financial information: Payment details (processed by Stripe; we do not store card numbers)
  • Internet activity: Website page views and interactions (via PostHog)
  • Communications: Conversation messages, emails, SMS content, phone call transcripts
  • Inferences: AI-generated memory summaries, behavioral style profiles, preferences

We do not collect sensitive personal information categories as defined by the CCPA (such as Social Security numbers, driver's license numbers, or genetic data).

13. International Data Transfers

Our Service is hosted in the United States (Railway). Many of our third-party providers are also based in the United States. When we transfer your personal data outside the UK or EEA, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission or UK ICO
  • Providers certified under the UK Extension to the EU-US Data Privacy Framework, where applicable

For questions about international transfers, contact us at [email protected].

14. Cookies and Analytics

Our website uses minimal cookies. We do not use advertising or tracking cookies.

  • Strictly necessary cookies — session cookies required for the checkout flow and form functionality. These cannot be disabled without affecting Service functionality.
  • Stripe cookies — Stripe sets cookies during the payment flow for fraud prevention and session continuity. See Stripe's Cookie Policy for details.
  • PostHog analytics — We use PostHog for website analytics to understand page views, traffic sources, and general usage patterns. PostHog does not track you across other websites and we do not use it to build advertising profiles.

We do not use Google Analytics, Meta Pixel, or any other advertising tracking technology. We do not build user profiles for ad targeting.

15. Children's Privacy

The Service is not intended for children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us immediately and we will delete it.

16. Security

We take reasonable technical and organisational measures to protect your personal data from unauthorised access, disclosure, alteration, or destruction. These measures include:

  • HTTPS encryption for all data in transit
  • Row-level security (RLS) on our Supabase database
  • HMAC-signed internal API endpoints to prevent enumeration attacks
  • Webhook signature verification for all Stripe and Telegram webhooks
  • No storage of payment card details — all payment data handled by Stripe
  • OAuth-based third-party connections — tokens stored by Composio, not in our database
  • Per-agent data isolation — each agent account can only access its own data

No system is completely secure. In the event of a data breach that affects your rights, we will notify you and the relevant supervisory authority as required by law.

17. Links to Other Sites

Our Service may contain links to third-party websites (such as Telegram, Anthropic, Google, and others). We are not responsible for the privacy practices of those sites. We recommend reading their privacy policies before providing personal data to them.

18. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date. For material changes, we will notify active users by email or via their agent where possible. Your continued use of the Service after the effective date of any change constitutes acceptance of the revised policy.

19. Contact and Data Requests

For any privacy-related questions, data access requests, deletion requests, or to exercise any of your rights described in this policy, please contact us:

Gift an Agent

Email: [email protected]

Website: giftanagent.com

We aim to respond to all data requests within 30 days (45 days for CCPA requests, with the possibility of a 45-day extension if needed).