Privacy Policy

Last updated: May 25, 2026

The short version

We collect your email when you sign up, and the GPS coordinates you send us when you call the API. We use that data to run the service. We don't sell it, share it with advertisers, or do anything with it beyond what's described below.

What we collect

Email address. Required when you generate an API key. We use it to send you your key and any billing receipts. We don't send marketing emails.

Field coordinates. The latitude, longitude, and radius you send in API requests. We store these alongside the analysis result so we can serve cached responses on repeat requests and avoid unnecessary satellite queries.

Usage counts. How many API calls your key has made this month. We need this to enforce rate limits.

Server logs. Standard stuff -- IP address, request timestamp, HTTP status code. Kept for 30 days for debugging and security, then deleted.

What we do with it

  • +Run the satellite analysis you asked for
  • +Enforce your monthly call limit
  • +Send your API key by email, and Stripe receipts if you're on a paid plan
  • +Debug errors when something goes wrong
  • +Improve our crop health models using aggregated, anonymised results

That's it. Nothing else.

Who we share it with

We use a small number of third-party services to run AgroSat. Each receives only what they need to do their job.

SupabaseOur database — stores API keys, usage counts, and field results
UpstashCache layer — stores analysis results for up to 30 days
Google CloudHosts our API and MCP servers
VercelHosts this dashboard
StripeHandles payment for paid plans — we pass only your email
Microsoft Planetary ComputerProvides the Sentinel-2 satellite imagery — we send coordinates, they return pixel data
CloudflareSits in front of our domains for DDoS and security

We don't sell your data to anyone. Ever.

How long we keep it

  • +Your email and API key stay in our database until you ask us to delete them
  • +Usage counts are kept for 13 months
  • +Cached field results expire automatically (5 days for standard analysis, 30 days for historical baselines)
  • +OAuth access tokens expire after 1 hour
  • +Server logs are deleted after 30 days

Your data, your call

You can ask us to delete your account and everything associated with it at any time. Just email [email protected] and we'll take care of it within a few days. If you want a copy of the data we hold on you, same address.

AI agents and MCP access

AgroSat supports access via the Model Context Protocol (MCP), which allows AI agents such as Claude to call the API on your behalf using OAuth 2.0. When you connect an AI agent, it acts under your API key and draws from your monthly quota. We do not receive or store the contents of your AI conversations -- only the same field coordinates and usage counts we would log from a direct API call.

You can revoke an AI agent's access at any time from your dashboard.

Security

API keys are stored as hashed values -- we can't see your plaintext key after you claim it, and neither can anyone who might access our database. All traffic is encrypted. Our servers sit behind Cloudflare.

If you find a security issue, please tell us at [email protected] before posting it publicly.

Cookies

We don't use tracking cookies or analytics. No ad networks, no fingerprinting. The developer dashboard may set a session cookie to keep you logged in -- that's the only one.

Changes

If we change this policy in a meaningful way, we'll update the date at the top. Big changes will also be emailed to registered key holders.

Questions

[email protected]