Privacy Policy

Effective Date: December 10, 2025

1. Information We Collect

PIA (Personal Identity Agent) collects and processes the following information:

• Account Information: When you sign in with Google OAuth, we collect your email address, name, and profile information from your Google account.

• Identity Configuration: Your agent identity settings, including display name, primary email, and core directives that you configure.

• Policy Configuration: Your agent policy settings, including permissions, risk tolerance, spending limits, and domain filters.

• Audit Logs: Complete records of all agent verification requests, including action types, decisions, timestamps, IP addresses, and user agents.

• Service Connections: OAuth tokens for connected services (Gmail, Google Calendar, Google Contacts, Google Drive, Google Tasks) are stored encrypted.

• Agent Tokens: Securely hashed tokens for authorized external agents, including permissions granted and usage timestamps.

2. How We Use Your Information

We use your information for the following purposes:

• Authentication: To verify your identity and provide secure access to your PIA account.

• Agent Verification: To evaluate agent actions against your configured policies using AI/LLM providers.

• Service Integration: To execute approved actions on your behalf through connected services (Gmail, Calendar, etc.).

• Audit Trail: To maintain a complete history of all agent activities for transparency and security.

• Platform Improvement: To improve our verification algorithms and user experience.

• Security: To detect and prevent unauthorized access, fraud, and abuse of our services.

3. Data Security

We implement industry-standard security measures to protect your information:

• All agent tokens are hashed using SHA-256 before storage. The raw tokens are never saved.

• Service OAuth tokens are encrypted at rest using strong encryption algorithms.

• All communication with PIA uses HTTPS/TLS encryption.

• Access to your data is restricted to authenticated requests only.

• We regularly audit our security practices and update them as needed.

• Database access is limited and logged for security monitoring.

4. Third-Party Services

PIA integrates with and shares data with the following third-party services:

• Google OAuth: For user authentication and service integrations (Gmail, Calendar, Contacts, Drive, Tasks).

• LLM Providers: Your action requests are sent to AI providers (Groq, Google Gemini, or Ollama) for policy-based verification. We use your configured preferred provider.

• Vercel: Our hosting provider, which may have access to server logs and application data.

We do not sell your personal information to third parties. We only share data necessary for service functionality.

5. Your Rights

You have the following rights regarding your data:

• Access: You can view all your data, including audit logs, through the PIA dashboard.

• Modification: You can update your identity and policy configurations at any time.

• Deletion: You can delete your account and all associated data by contacting us.

• Revocation: You can revoke agent access tokens at any time through the "My Agents" page.

• Disconnection: You can disconnect service integrations at any time through the "Connections" page.

• Export: You can request a complete export of your data in a machine-readable format.

• Objection: You can object to the processing of your data for specific purposes.

6. Data Retention

We retain your data for the following periods:

• Account data: Retained while your account is active and for 30 days after account deletion.

• Audit logs: Retained for 90 days for security and compliance purposes.

• Service tokens: Retained until you disconnect the service or delete your account.

• Agent tokens: Retained until revoked or until they expire (default: 1 year).

After these retention periods, data is permanently deleted from our systems.

7. Children's Privacy

PIA is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will take steps to delete that information immediately.

8. International Users

PIA is hosted on servers in the United States. By using PIA, you consent to the transfer of your information to the United States. We comply with applicable data protection laws, including GDPR for European users.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top. Your continued use of PIA after changes constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy or your data, please contact us:

• Email: privacy@pia.com

• Website: https://pia.com/contact

We will respond to your inquiry within 30 days.

Last updated: December 10, 2025