Versatl

Versatl — Privacy Policy

Effective Date: March 9, 2026 Last Updated: March 9, 2026

1. Introduction

Mfini Inc. ("Mfini," "Company," "we," "us," or "our"), operating the Versatl platform ("Platform" or "Service") at versatl.ai, respects your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the Service.

Versatl is a product of Mfini Inc. This Privacy Policy constitutes part of your agreement with Mfini Inc.

By using the Service, you consent to the practices described in this policy.

2. Information We Collect

2.1 Information You Provide Directly

| Data Category | Specific Fields | Purpose | |--------------|-----------------|---------| | Account Information | Email address, name | Account creation and communication | | Profile Information | User context (JSON), preferences (JSON) | Agent personalization | | Creator Profile | Marketplace handle, bio, website | Public marketplace presence | | Task Content | Task instructions, service configurations | Agent execution | | Credentials | OAuth tokens, API keys for third-party services | Acting on your behalf via connected services |

2.2 Information Collected Automatically

| Data Category | Specific Fields | Purpose | |--------------|-----------------|---------| | Account Metadata | Account creation timestamp, account type | Service operation | | Usage Data | Task count, token consumption, tool calls per task | Billing, plan enforcement, analytics | | Execution Logs | Agent steps, tool call results, task outcomes | Service delivery, debugging | | Audit Logs | Actor, action, resource, IP address, user agent, timestamp | Security, compliance |

2.3 Information from Third Parties

| Source | Data Received | Purpose | |--------|--------------|---------| | Clerk (authentication) | Email, name, user ID | Account creation and login | | Stripe (payments) | Customer ID, subscription status, payment history | Billing | | Stripe Connect (creator payouts) | Connect account ID, payout status | Creator revenue distribution |

2.4 AI-Generated Information

Through your use of the Service, the following data is generated and stored:

  • Episodic Memories: Structured records of each task — input, steps taken, output, outcome, and a vector embedding for semantic search (1024-dimensional). Scoped to your user account and the specific agent.
  • Semantic Memories: Distilled knowledge patterns extracted from your task history by an AI model (e.g., "User prefers informal language" or "Evening posts get higher engagement"). These improve agent personalization over time.
  • Task Outputs: The results produced by agents in response to your instructions.

3. How We Use Your Information

We use your information for the following purposes:

3.1 Service Delivery

  • Executing tasks and services you request
  • Retrieving relevant memories to personalize agent behavior
  • Connecting to and acting through third-party services on your behalf
  • Delivering notifications about task status, approvals, and service events

3.2 Billing and Payments

  • Processing subscription payments through Stripe
  • Enforcing plan-based usage limits (tasks, services, tokens)
  • Calculating and distributing creator revenue (70/30 split)
  • Processing payouts to creators via Stripe Connect

3.3 Safety and Security

  • Running guardrails on agent outputs (PII detection/redaction, content safety, budget enforcement)
  • Maintaining audit logs for security monitoring
  • Enforcing row-level security to prevent cross-tenant data access
  • Validating authentication tokens and API keys

3.4 Service Improvement

  • Monitoring platform performance and reliability (via OpenTelemetry and Sentry)
  • Structured logging for debugging and incident response

3.5 Communication

  • Sending in-app notifications about task completion, approval requests, and service events
  • Delivering webhooks to your configured endpoints (HMAC-signed)

4. AI Processing and Third-Party AI Providers

4.1 How Your Data Is Processed by AI

When you submit a task, the following data is sent to AI model providers for processing:

  • Your task instruction text
  • Your user context (the JSON data you provide in your profile settings)
  • Retrieved memories (semantic and episodic) relevant to the current task
  • Tool call results during the agent's execution loop
  • The agent's system prompt (configured by the agent developer)

4.2 AI Model Providers

Your data may be processed by the following AI providers:

| Provider | Models Used | Role | |----------|------------|------| | Anthropic | Claude Sonnet 4.5, Claude Haiku 4.5 | Primary LLM provider | | OpenAI | GPT-4o, GPT-4o Mini | Fallback provider; embedding generation | | Google | Gemini 2.0 Flash, Gemini 2.5 Pro | Fallback provider |

The Platform uses model fallback chains — if the primary model is unavailable, your request may be processed by a fallback provider. All providers are subject to their own privacy policies and data handling practices.

4.3 What Is NOT Sent to AI Providers

  • Your authentication credentials (passwords, JWT tokens)
  • Your encrypted third-party credentials (OAuth tokens, API keys)
  • Your Stripe payment information
  • Raw credential data of any kind

4.4 AI Provider Data Policies

We select AI providers that do not use customer data for model training. However, we recommend reviewing each provider's current data policies:

  • Anthropic: https://www.anthropic.com/privacy
  • OpenAI: https://openai.com/privacy
  • Google: https://ai.google/privacy

5. Data Sharing

5.1 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties.

5.2 Service Providers

We share data with the following service providers as necessary to operate the Platform:

| Provider | Purpose | Data Shared | |----------|---------|-------------| | Clerk | Authentication | Email, name | | Stripe | Payment processing | Email, plan, payment details | | Stripe Connect | Creator payouts | Creator identity, earnings | | Anthropic | AI processing | Task content, user context, memories | | OpenAI | AI processing (fallback) | Task content, user context, memories | | Google | AI processing (fallback) | Task content, user context, memories | | Sentry | Error tracking | Error context (no personal content) |

5.3 Connected Third-Party Services

When you connect external services (Twitter/X, LinkedIn, Instagram, Gmail, web search), agents may transmit data to those services on your behalf (e.g., posting a tweet, sending an email). The data transmitted depends on the agent's actions and your instructions.

5.4 Webhooks

If you configure webhook endpoints, the Platform sends task results (truncated to 1,000 characters) and event metadata to your specified URLs, signed with HMAC-SHA256 for integrity verification.

5.5 Memory Sharing

If you enable cross-agent memory sharing, semantic memories from one agent may be made available to another agent — but only for your own account, only semantic memories (not raw task data), and only as read-only. You control these sharing policies.

5.6 Legal Requirements

We may disclose your information if required by law, legal process, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

6. Data Security

6.1 Encryption

  • Credentials at rest: Third-party OAuth tokens and API keys are encrypted using Fernet symmetric encryption (from the cryptography library). The encryption key is stored as an environment variable, never in the codebase.
  • API keys: Your Versatl API keys are stored as SHA-256 hashes (one-way). The raw key is shown once at creation and cannot be recovered.
  • Data in transit: All communication uses HTTPS/TLS.

6.2 Access Control

  • Row-Level Security (RLS): PostgreSQL enforces tenant isolation at the database level. Each query is scoped to your user ID through RLS policies with FORCE mode — even if application code has a bug, the database prevents cross-tenant access.
  • Agent Permission Scoping: Agents can only access the tools and credentials declared in their configuration. An agent configured for Twitter cannot access your Gmail credentials.
  • Admin Access: Platform administrators can access aggregated metrics but cannot access your encrypted credentials or task content.

6.3 Infrastructure

  • Database: PostgreSQL 16 with row-level security
  • Cache/Queue: Redis (for background jobs and real-time streaming)
  • No unnecessary services: We minimize our infrastructure surface area to reduce attack vectors

7. Data Retention

7.1 Active Accounts

While your account is active, we retain all data associated with your account, including task history, memories, usage events, and audit logs. There is no automatic data expiration for active accounts.

7.2 Deleted Accounts

When you delete your account (via Settings or the API), the following data is permanently deleted through cascade deletion:

  • All tasks and task execution data
  • All services and service configurations
  • All episodic and semantic memories
  • All stored credentials (encrypted OAuth tokens, API keys)
  • All Versatl API keys
  • All agent subscriptions and ratings
  • All notifications
  • All webhook configurations and delivery logs
  • All workspace memberships

7.3 Data Retained After Deletion

The following data may be retained after account deletion as required for legal, accounting, or security purposes:

  • Audit logs: Retained for security and compliance (actor identity anonymized).
  • Billing records: Revenue splits and payment history retained for accounting and tax compliance as required by law.
  • Aggregated usage data: De-identified, aggregated statistics may be retained for analytics.

7.4 Clerk and Stripe

Account deletion on Versatl does not automatically delete your Clerk or Stripe accounts. You may need to separately manage those accounts through their respective platforms.

8. Your Rights

8.1 Access

You can access your personal data at any time through the API (GET /auth/me) or the Dashboard Settings page. Your task history, usage data, and memories are accessible through respective dashboard pages.

8.2 Correction

You can update your profile information, user context, and preferences at any time through the Settings page or the API (PUT /auth/me).

8.3 Deletion

You can delete your account and all associated data at any time through the Settings page or the API (DELETE /auth/me). Deletion is permanent and irreversible.

8.4 Data Portability

You can access your data through the API endpoints. Task results, usage summaries, and agent configurations are available in JSON format.

8.5 Credential Revocation

You can disconnect any third-party service at any time, which revokes and deletes the stored credentials for that service.

8.6 Memory Control

You can control cross-agent memory sharing through your settings. You can enable or disable sharing policies per agent pair.

9. GDPR Rights (EEA/UK Users)

If you are located in the European Economic Area or the United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR):

  • Right to Access (Article 15): Request a copy of your personal data.
  • Right to Rectification (Article 16): Request correction of inaccurate data.
  • Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten").
  • Right to Restrict Processing (Article 18): Request limitation of processing.
  • Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Article 21): Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Withdraw consent at any time (without affecting lawfulness of prior processing).

Legal Bases for Processing:

  • Contract performance: Processing necessary to provide the Service (task execution, billing).
  • Legitimate interests: Security monitoring, fraud prevention, service improvement.
  • Consent: AI processing, cross-agent memory sharing, third-party integrations.

To exercise your GDPR rights, contact us at privacy@versatl.ai.

10. CCPA Rights (California Users)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with:

  • Right to Know: What personal information we collect, use, and share.
  • Right to Delete: Request deletion of your personal information.
  • Right to Opt-Out of Sale: We do not sell personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights.

To exercise your CCPA rights, contact us at privacy@versatl.ai.

11. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we discover that we have collected personal data from a child, we will delete it promptly.

12. Cookies and Tracking

The Platform uses essential cookies for authentication (managed by Clerk) and session management. We do not use advertising trackers or third-party analytics cookies. Sentry and OpenTelemetry collect technical performance data (latency, errors) but not personal browsing behavior.

13. International Data Transfers

Your data may be processed in the United States or other jurisdictions where our service providers operate. When transferring data internationally, we rely on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms as required by applicable data protection laws.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. The "Last Updated" date at the top reflects the most recent revision.

15. Contact

For privacy-related questions or to exercise your rights:

Email: privacy@versatl.ai Data Protection Officer: dpo@versatl.ai Mfini Inc. Address: [Company Address]