Privacy Policy

How Agent Outpost collects, uses, and protects your personal information.

Effective date: June 3, 2026  ·  Last updated: June 3, 2026

01

Who We Are

Agent Outpost is an AI agent marketplace operated by Sholtis Labs Inc. ("we," "us," "our"). Agent Outpost connects buyers and sellers of AI-powered agents, tools, and services through a two-sided platform with listings, secure checkout, reviews, messaging, and dispute resolution.

This Privacy Policy describes how we handle personal information collected through the Agent Outpost platform at agentoutpost.ai and any related services.

  • Company: Sholtis Labs Inc.
  • Platform: Agent Outpost
  • Jurisdiction: Pennsylvania, United States

02

Information We Collect

Account Information

When you register or update your profile, we collect:

  • Email address and username
  • Display name and bio
  • Profile avatar (optional)
  • Hashed password (bcrypt + pepper — never stored in plaintext)
  • Account role (buyer, seller, admin)
  • Email verification status

Seller Information

Sellers who activate a seller account additionally provide:

  • Payout method details (processed by Stripe — we do not store raw bank account or card numbers)
  • Business name (optional)
  • Seller tier and verification status

Listing & Transaction Data

We collect information about the agents and services listed on the platform, including titles, descriptions, pricing, tags, category, and delivery type. For transactions, we store order records, amounts, platform fees, payout amounts, and order status — but full card details are handled exclusively by Stripe.

Communications

Messages sent between buyers and sellers through the platform's messaging system are stored to facilitate transactions and support dispute resolution. Dispute submissions, including descriptions and supporting context, are also retained.

Reviews & Ratings

When you leave a review, we store the rating, written content, and associated listing and user IDs.

Usage & Technical Data

We automatically collect limited technical data to operate the platform securely:

  • Session tokens (stored in HttpOnly cookies)
  • Login timestamps and IP addresses (for security and fraud prevention)
  • Browser type and operating system (user-agent)
  • Pages visited and actions taken within the platform

Waitlist

If you joined the pre-launch waitlist, we stored your email address, referral code (if any), and the timestamp of your submission.

03

How We Use Your Data

We use collected information for the following purposes:

Platform operations · Transaction processing · Identity verification · Fraud prevention · Dispute resolution · Security monitoring · Email notifications · Seller payouts · Product improvement · Legal compliance

Specifically:

  • Account management — creating, authenticating, and maintaining your account
  • Transactions — processing payments, calculating platform fees, routing seller payouts
  • Communication — sending transactional emails (email verification, password reset, order confirmations, payout notifications)
  • Security — detecting unauthorized access, rate limiting, brute-force protection, and audit logging
  • Disputes — investigating and resolving buyer/seller disputes using message and order records
  • Analytics — understanding platform usage to improve performance and features (aggregated, not sold)

We do not sell your personal data. We do not use your data for behavioral advertising. We do not profile you for purposes unrelated to operating the marketplace.

04

Sharing Your Data

We share personal information only in these limited circumstances:

Between Buyers and Sellers

To facilitate transactions, buyers and sellers can see each other's display names, profile information, and listing details. Sellers can see order details (including buyer username) for orders placed on their listings.

Service Providers

We work with a small number of third-party service providers who access personal data only to perform services on our behalf:

  • Stripe — payment processing and seller payouts. Stripe operates under its own Privacy Policy.
  • Resend — transactional email delivery (verification, password reset, notifications). Email content is limited to what's necessary for the notification.

Legal Requirements

We may disclose information if required by law, court order, or valid government request, or to protect the rights, property, or safety of Agent Outpost, our users, or others.

Business Transfer

If Sholtis Labs is acquired or merges with another company, user data may be transferred as part of that transaction. We will notify you via email or prominent platform notice before your data becomes subject to a different privacy policy.

With Your Consent

We will share your information with third parties in any other circumstance only with your explicit consent.

05

Payments & Stripe

All payment processing on Agent Outpost is handled by Stripe, Inc., a PCI-DSS-compliant payment processor. When you complete a purchase or set up a payout method:

  • Your full card number, CVV, and bank account details go directly to Stripe's servers — Agent Outpost never receives or stores this data
  • Stripe returns a payment intent ID and confirmation status, which we store in our database for order records
  • Seller payout details are managed through Stripe Connect

PCI Scope: Because we use Stripe's hosted payment elements, Agent Outpost is out of scope for PCI DSS cardholder data storage. Your raw payment credentials touch only Stripe's infrastructure.

Platform fees (10% of transaction value) are calculated and deducted at the time of purchase before seller payouts are initiated. These amounts are stored in our database as part of your transaction record.

06

Cookies & Sessions

Agent Outpost uses the following cookies and local storage mechanisms:

Authentication Cookies

When you log in, we set a session token in an HttpOnly, Secure cookie. This cookie:

  • Cannot be read by JavaScript (HttpOnly flag prevents XSS token theft)
  • Expires after 24 hours of inactivity
  • Is invalidated when you log out
  • Is tied to your account ID and a server-side session record

Functional Cookies

We may use cookies to remember your preferences (e.g., theme, sort order) and maintain your browsing state across page loads.

No Third-Party Tracking

We do not use Google Analytics, Facebook Pixel, or any other third-party advertising or behavioral tracking cookies. The only third-party scripts loaded on platform pages are from Stripe (for payment elements).

Cookie Management

You can clear cookies at any time through your browser settings. Clearing your session cookie will log you out. Blocking all cookies will prevent you from logging in.

07

Data Retention

We retain your personal data for the following periods:

  • Account Data: Until you delete your account, then 30 days before permanent deletion
  • Transaction Records: 7 years (legal and tax compliance)
  • Messages: Duration of account; deleted with account after 30-day grace period
  • Reviews: Retained for marketplace integrity; anonymized upon account deletion
  • Security / Audit Logs: 90 days rolling
  • Waitlist Emails: Deleted upon request or 1 year after launch, whichever comes first

After the applicable retention period, data is permanently deleted or irreversibly anonymized.

08

Your Rights

Depending on your location, you may have the following rights regarding your personal information:

Access

You can request a copy of the personal data we hold about you at any time.

Correction

You can update most of your account information directly in your profile settings. For corrections that require our assistance, contact us.

Deletion

You can request deletion of your account and associated personal data. We will process the deletion within 30 days, subject to data we are legally required to retain (e.g., transaction records for tax purposes).

Data Portability

You can request an export of your data in a machine-readable format (JSON or CSV).

Opt-Out of Marketing

We send transactional emails only — there is no marketing mailing list to unsubscribe from. If we introduce a newsletter in the future, it will be opt-in with a clear unsubscribe link.

California Residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act, including the right to know, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise any CCPA rights, contact us at the email below.

EEA / UK Residents (GDPR)

If you are in the European Economic Area or United Kingdom, you have rights under GDPR including the right to object to processing, the right to restrict processing, and the right to lodge a complaint with your local supervisory authority. Our legal bases for processing are: contract performance (operating the marketplace), legitimate interests (security, fraud prevention), and consent (where applicable).

To exercise any of these rights, email [email protected]. We will respond within 30 days.

09

Children's Privacy

Agent Outpost is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected] and we will delete it promptly.

Users must be at least 18 years old to engage in financial transactions (buying or selling) on the platform.

10

Security

We take security seriously. Our technical safeguards include:

  • Passwords — bcrypt-hashed with a server-side pepper; never stored in plaintext
  • Sessions — HttpOnly, Secure cookies with server-side session records; invalidated on logout
  • Transport — All traffic served over HTTPS via Cloudflare TLS termination
  • Rate limiting — Login, registration, and API endpoints are rate-limited to prevent brute-force attacks
  • Account lockout — Repeated failed login attempts trigger temporary lockout
  • Admin isolation — Admin-only routes require separate role verification on every request
  • Input validation — All user-supplied input is validated and sanitized server-side
  • Audit logging — Security-relevant actions are logged with timestamps and IP addresses

Despite these measures, no system is 100% secure. If you discover a security vulnerability, please disclose it responsibly to [email protected] before public disclosure. We take security reports seriously and respond quickly.

11

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Send a notification email to registered users
  • Post a prominent notice on the platform for 30 days

Your continued use of Agent Outpost after changes become effective constitutes acceptance of the revised policy. If you disagree with any changes, you may close your account before the changes take effect.

12

Contact Us

For privacy-related questions, data requests, or to exercise your rights:

We aim to respond to all privacy requests within 30 days.

Questions about your data?

Our privacy team responds within 30 days. Send us a message any time.

[email protected]