Privacy Policy
Agent Integrator is software middleware that lets users connect their accounts on third-party platforms — such as Google Calendar, HubSpot, Calendly, GoHighLevel, Zoho, SendGrid, Twilio, Shopify, and Stripe — to AI agents they have built and authorized. This page describes what data Agent Integrator handles, how it is used, who else may see it, and how it is protected.
1. Information we receive
When you click Connect for any third-party provider, you are redirected to that provider's own consent screen. After you grant consent, the provider issues us short-lived access tokens (and, where offered, refresh tokens) scoped to the permissions you approved. We also receive the basic account-identifying information needed to label the connection in your dashboard — typically your account email, your organization or shop name, a calendar name, or a non-sensitive account identifier.
We do not receive your password for any third-party platform. The provider authenticates you directly; only the resulting tokens cross our boundary.
Google user data specifically
If you connect Google Calendar, the data we may access on your behalf is limited to the scopes you approve at consent, which currently are:
- openid, email, profile — used only to label your connection with your Google account email.
- https://www.googleapis.com/auth/calendar.events — used to read free/busy time and create or update events that your AI agent is authorized to schedule.
We do not request, read, or store any other Google user data, including Gmail messages, Drive files, Contacts, or any restricted scopes outside the ones listed above.
2. How we use the data
Tokens and provider data are used solely to perform the actions your AI agent is authorized to take on your behalf — for example, checking free time slots in your Google Calendar, creating a calendar event when a caller books an appointment, creating a contact in your CRM, sending a transactional email, or fetching an order status.
We do not sell, rent, advertise against, or monetize Google user data or any other connected-provider data. We do not use Google user data for any purpose other than fulfilling the user-initiated action that requires it.
3. Subprocessors and third parties with whom we share data
To deliver the service we rely on a small set of subprocessors. Google user data flows through them only as needed to fulfill a user-initiated agent action — for example, when your AI voice agent needs to ask the LLM "given the free slots at 2pm and 3pm, which one fits the caller's preference?" the relevant calendar fragment is passed in-memory to the LLM provider hosting that turn of the conversation.
| Subprocessor | Purpose | May see Google user data? |
|---|---|---|
| Amazon Web Services (AWS) | Compute and file storage (knowledge-base files, call recordings, transcripts). | Yes — when calendar data appears in an agent transcript or recording, that record is stored in AWS S3. |
| Cloudflare | CDN and SSL termination for app and tenant domains. | Only as encrypted in-transit traffic. No data is stored at Cloudflare. |
| VAPI | Voice-agent platform that runs the AI conversation, including tool calls back to our calendar endpoints. | Yes — calendar tool responses pass through VAPI's runtime. |
| OpenAI | Large language model that decides agent responses for voice and chat turns (used directly and as the inference backend for VAPI voice agents). | Yes — calendar fragments may be included in the model's input context for the turn. |
| Tavus | Video-agent platform that runs the AI persona for video calls. | Yes, when using a video agent — calendar tool responses pass through Tavus's runtime. |
| Twilio | Phone numbers and SMS delivery. | No. Twilio carries voice audio and SMS, not structured calendar data. |
| Stripe | Billing and subscriptions. | No. |
Each of these providers operates under its own enterprise-grade privacy and security commitments. We do not share Google user data with any party not in this list, and we do not share it for advertising, marketing, or any purpose unrelated to the user-initiated agent action.
4. Storage and security
We apply the following protections to Google user data and all other connected-provider data:
- Encryption at rest. Access tokens, refresh tokens, and any persisted provider data are encrypted using AES-256 before they are written to the database.
- Encryption in transit. All traffic between the user's browser, our app, third-party providers (including Google), and our subprocessors travels over TLS 1.2 or higher.
- Key management. Encryption keys are stored separately from the encrypted data, are not committed to source control, and are rotated when team membership changes.
- Access controls. Application-level access is scoped to the authenticated user account that granted consent — one user cannot read or invoke another user's connected-provider data. Production database access is limited to a small set of named operators and is audited.
- Plaintext handling. Tokens are decrypted only at the moment of use and never written to logs or backups in plaintext form.
- Token revocation on disconnect. You can disconnect any integration at any time from your dashboard. On disconnect we delete the local tokens immediately and call the provider's revoke endpoint where supported (Google's is invoked at oauth2.googleapis.com/revoke).
- Breach notification. If we discover that Google user data or other connected-provider data has been accessed by an unauthorized party, we will notify affected users without undue delay and report to applicable authorities as required by law.
- No production data in non-production environments. Connected-provider data is not copied to development or testing environments.
5. AI and machine learning
Agent Integrator passes connected-provider data (including Google Calendar fragments such as free/busy windows or event titles your agent reads or writes) to third-party AI providers only as part of the inference context for the specific user-initiated turn of the conversation, and only when that turn requires it to fulfill the action you asked the agent to perform.
The third-party AI providers we use, and how they handle data, are:
- OpenAI — LLM provider for voice and chat agent responses. Used directly and as the inference backend for VAPI voice agents. OpenAI's API policy excludes API inputs from training by default. See OpenAI API Data Usage Policies.
- VAPI — voice-agent runtime that orchestrates calls and routes inference to OpenAI. See VAPI Privacy Policy.
- Tavus — video-agent runtime for AI personas. See Tavus Privacy Policy.
Connected-provider data is never sent to any AI provider for the purpose of model training, evaluation, benchmarking, or product improvement. It is only sent as inference input for the specific live turn that needs it.
6. Retention and deletion
Tokens are retained as long as the integration is connected. When you click Disconnect on the integrations page, the tokens are deleted from active storage and we call the provider's revoke endpoint.
You can also:
- Request deletion of your entire account and all associated data via the data deletion page.
- Revoke our app's access directly from Google at myaccount.google.com/permissions — this immediately invalidates the tokens at Google's end.
Routine encrypted backups are retained for up to 30 days on a rolling basis as part of standard operational continuity, after which they are overwritten. On account deletion, we delete all live data immediately; any data still present in rolling backups is overwritten within the 30-day window.
7. Your rights
You can:
- View which integrations are currently connected from your dashboard.
- Disconnect any integration, which deletes its tokens from our systems.
- Request deletion of your account and all associated data via the data deletion page.
- Request a copy of the connected-provider data we currently hold for you, via support.
- Revoke our app's access directly from the provider's own security settings — for example, Google Account → Security → Third-party apps with account access, or HubSpot account settings → Integrations → Connected apps.
8. Compliance with the Google API Services User Data Policy
Agent Integrator's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. This means Google user data is used only to provide or improve user-facing features that are prominent in the requesting application's user interface, is not transferred to others except as necessary to provide or improve those features, is not used for advertising, and is not read by humans except with explicit user consent or for security/legal/operational reasons.
9. Cookies and analytics
This website uses only the cookies necessary to operate. We do not run third-party advertising trackers or sell visitor data. Limited aggregate analytics may be used to understand which pages are loading slowly or returning errors, but no individual identification is performed on this marketing site.
10. Children
Agent Integrator is not directed at children under 13 (or under 16 in regions where that is the applicable age threshold), and we do not knowingly collect personal information from minors.
11. International data
Connected-provider tokens may be processed in the region selected by the platform operator that bundles Agent Integrator into their product. Where applicable laws (such as GDPR or UK-GDPR) confer additional rights — access, correction, deletion, portability, objection — those rights are honored on request via support.
12. Changes
We may update this policy. The "last updated" date at the top reflects the most recent change. Material changes affecting how Google user data or other connected-provider data is handled will be communicated to active users.
13. Contact
For privacy questions, please reach out via the support page or email support@myswiftly.ai. The operator of the platform that bundles Agent Integrator into their product is the data controller for your account.