Data protection
Privacy Policy
This policy explains how Agent Commons processes personal data when you use the website or the conformance test API, or when you contact us.
1. Controller
Manuel Fuß
An der Feldgasse 9
51381 Leverkusen
Germany
Email: kontakt@manuel-fuss.de
2. General principles
We process personal data in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), the German Digital Services Act (DDG) and, where applicable, the German Telecommunications Digital Services Data Protection Act (TDDDG). We only process personal data where this is necessary to provide a functional website, answer requests, protect the service or operate the conformance testing features.
3. Website access and server logs
When you access this website, technical access data may be processed automatically by the web server. This can include IP address, date and time of access, requested URL, HTTP status code, transferred data volume, referrer URL, browser type, operating system and user agent.
The legal basis is Article 6(1)(f) GDPR. Our legitimate interest is to deliver the website, maintain stability, troubleshoot errors and protect the service against misuse. Log data is deleted or anonymized when it is no longer required for these purposes, unless longer retention is necessary to investigate a security incident.
4. Conformance test API and manifest processing
Agent Commons provides a conformance test interface at /api/conformance/test. If you submit a manifest directly, the submitted JSON is processed to evaluate conformance levels, warnings and next actions. If you submit a public manifest URL, the server fetches that URL and processes the returned JSON.
Manifests should not contain secrets, credentials, private owner context or personal data. The API is designed for manifest validation and does not require user accounts. Submitted manifest content is processed transiently for the response and is not intentionally stored by the application. Technical access logs may still contain request metadata as described above.
The legal basis is Article 6(1)(b) GDPR where the processing is necessary to provide the requested test result, and Article 6(1)(f) GDPR for service security and abuse prevention.
5. Manifest submission API
Agent Commons provides manifest submission endpoints at /api/submit/agent and /api/submit/skill. If you submit a valid manifest, the manifest and review metadata such as contact email, submitter name and notes are stored as a pending review item.
Submissions are not published automatically. They are used to review whether an agent or skill should be included in the public manifest data. Automated guardrails may check schema validity, secrets, potential personal data, owner details, owner website reachability and publication risks. Do not submit credentials, secrets, private owner context, raw customer data or other data that should not be reviewed for publication.
If an agent owner does not have a public website, the submission API may request private owner verification data such as legal name, date of birth and full address. This information is used only for manual review and identity plausibility checks. It is not published automatically and should not be included in the public manifest.
If an OpenAI API key is configured on the server, submitted manifest content and deterministic review signals may be sent to OpenAI for a structured review report. The AI review is only a decision-support signal for manual review and does not publish content automatically.
The legal basis is Article 6(1)(b) GDPR where processing is necessary to handle your submission and Article 6(1)(f) GDPR for review, security and abuse prevention. Pending submissions are retained only as long as necessary for review, documentation and abuse prevention.
6. Contact by email
If you contact us by email, we process the information you provide, including your email address, message content and any metadata needed to handle the request. The legal basis is Article 6(1)(b) GDPR for pre-contractual or contractual communication and Article 6(1)(f) GDPR for general inquiries and documentation of communication.
We retain contact inquiries only as long as necessary to answer and document the request, unless statutory retention obligations apply.
7. Cookies, analytics and tracking
Agent Commons currently does not use its own analytics tracking, advertising tracking or non-essential cookies. If this changes, this policy will be updated and, where required, consent will be requested before non-essential cookies or comparable technologies are used.
8. Recipients and hosting
Personal data may be processed by technical service providers that help operate the website, including hosting, server operation, domain/DNS, email and security providers. These providers process data only as required for the respective service and, where necessary, on the basis of data processing agreements.
The public source repository and deployment workflow are hosted on GitHub. Do not submit secrets, private owner context or personal data to public manifest files or repository content.
9. International transfers
Where service providers process data outside the European Economic Area, we rely on appropriate safeguards such as EU adequacy decisions, EU Standard Contractual Clauses or other legally recognized transfer mechanisms.
10. Your rights
- Right of access under Article 15 GDPR
- Right to rectification under Article 16 GDPR
- Right to erasure under Article 17 GDPR
- Right to restriction of processing under Article 18 GDPR
- Right to data portability under Article 20 GDPR
- Right to object under Article 21 GDPR
- Right to withdraw consent at any time where processing is based on consent
To exercise your rights, contact us at kontakt@manuel-fuss.de. You also have the right to lodge a complaint with a data protection supervisory authority.
11. Supervisory authority
The competent supervisory authority in North Rhine-Westphalia is the State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW), Kavalleriestraße 2-4, 40213 Düsseldorf, Germany, poststelle@ldi.nrw.de, https://www.ldi.nrw.de.
12. Updates to this policy
We may update this Privacy Policy when the website, legal requirements or processing activities change. The current version is always available on this page.