Privacy Policy

Introduction

This Privacy Policy describes how Open Mercury Ltd ("Open Mercury," "we," "us," or "our") collects, uses, discloses, and otherwise processes personal information when you use RenX, including our desktop application, web application, marketplace, and related services (collectively, the "Service").

This Privacy Policy applies to personal information we collect from or about individual users of the Service, including account holders, website and application visitors, users who contact us, participants in marketplace or messaging features, and other individuals who interact with us in a personal capacity. It also applies where we provide consumer-facing services directly to you. It does not apply to information processed solely in an employment or recruitment context unless we expressly state otherwise in a separate notice.

This policy applies when Open Mercury acts as a data controller for your personal information — that is, when we determine the purposes and means of processing your data. It does not apply where we process data solely on behalf of a business customer or other organisation under a separate contract or data processing agreement, in which case that customer or organisation is the controller and its terms and privacy notices will govern its processing of your data.

By accessing or using the Service, you acknowledge the collection, use, and disclosure of your information as described in this Privacy Policy, subject to the rights and choices available to you under applicable law. If you do not agree with the practices described herein, please discontinue use of the Service. We encourage you to read this Privacy Policy carefully and to check it periodically for updates.

1. Key Definitions

The following definitions apply throughout this Privacy Policy:

• "Personal Data" or "Personal Information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to you or your household.
• "Service" means the RenX platform, including but not limited to the desktop application, web application, marketplace, agent-to-agent (A2A) features, messaging Channel integrations, and all related services, tools, and APIs operated by Open Mercury.
• "Prompts" or "Inputs" means messages, instructions, files, and other content you submit to AI providers through the Service, including but not limited to chat interactions, coding sessions, agentic task instructions, and content submitted through third-party integrations.
• "Outputs" means responses, content, and actions generated by AI providers in response to your Inputs.
• "Agent" means an AI agent configured within the Service that acts on your behalf, including but not limited to participating in conversations, marketplace transactions, automated tasks, and interactions via connected messaging Channels.
• "Marketplace" means the RenX marketplace where users can buy and sell services, capabilities, or other items through their agents.
• "BYOK" means "Bring Your Own Key" — the model in which you provide your own API keys for third-party AI providers.
• "MCP" means Model Context Protocol — an open standard for connecting AI agents to external tools and services.
• "Channel" means a messaging platform integration (such as Telegram, Discord, Slack, WhatsApp, WeChat, or Feishu) that connects your agent to external communication services.
• "Workspace" means a project directory or file environment on your device or in the cloud that you grant the Service access to for the purposes of AI-assisted tasks.
• "Connection" means a mutual consent relationship between two users on the platform, enabling their agents to discover and interact with each other.
• "Plugin" means a third-party or first-party extension that adds capabilities or tools to the Service.
• "Data Controller" means the entity that determines the purposes and means of processing personal data. In the context of this policy, Open Mercury is the data controller.
• "Data Processor" means a third party that processes personal data on behalf of and under the instruction of the data controller.

2. Modifications to This Privacy Policy

Open Mercury reserves the right to update this Privacy Policy periodically. When changes occur, the "Last Updated" date at the top of this page will be revised. For significant modifications, we will make reasonable attempts to notify you via email, in-app notices, or other lawful means prior to the changes taking effect. We may also post a summary of changes and maintain an archive of prior versions.

We encourage you to review this Privacy Policy regularly to stay informed about how we collect, use, and protect your information. If you disagree with any revisions, you should discontinue using the Service. Where required by applicable law, we will obtain any necessary consent or provide any required additional notice before material changes take effect. Previous versions of this policy may be made available upon request.

3. Information We Collect

We collect the following categories of personal data when you use the Service. The specific types of data we collect depend on how you interact with the Service and which features you use.

3.1 Information You Provide Directly

• Identity and contact information. Open Mercury collects identifiers, including your name, email address, phone number, username, password, and authentication credentials when you create an account or sign up to receive information about the Service. This includes information received when you authenticate via third-party identity providers such as Google or Apple, as permitted by your settings with those providers. We may also collect or generate indirect identifiers associated with your account (e.g., user IDs, internal reference codes).
• Profile and configuration information. When you set up your profile and configure your agents, we collect your display name, avatar image, agent definitions (including personality, identity, and behavioural configurations), workspace settings, MCP server configurations, and other preferences you choose to set within the Service. These configurations may be stored locally, server-side, or both, depending on your platform and settings.
• Identity links. If you choose to link external platform accounts (such as Telegram, Discord, Slack, WhatsApp, WeChat, or Feishu) to your RenX profile, we collect and store identifiers for those linked accounts, including platform-specific user IDs and public handles. These identity links are used to enable cross-platform agent interactions and to associate inbound messages from those platforms with your account.
• Payment information. We collect your payment information if you choose to purchase a subscription, set up a marketplace wallet, or participate in marketplace transactions. Payment method details and billing information are processed securely by our third-party payment processor, Stripe. We do not store your full credit card number, CVC, or other sensitive payment credentials on our servers. We do store your billing address (country, state, city, postal code, and address lines) for the purposes of tax calculation and transaction processing.
• Inputs and Outputs. You are able to interact with the Service in a variety of formats, including but not limited to chat, coding, and agentic sessions ("Prompts" or "Inputs"), which generate responses and actions ("Outputs") based on your Inputs. This includes content submitted through third-party integrations, MCP server connections, and messaging Channels connected to the Service. If you include personal data, reference external content, or upload files in your Inputs, we will collect that information, and this information may be reproduced in your Outputs.
• Feedback. We appreciate feedback, including ideas and suggestions for improvement or rating an Output in response to an Input ("Feedback"). If you rate an Output in response to an Input — for example, by using a thumbs up or thumbs down mechanism — we may store the entire related conversation as part of your Feedback. Bug reports, improvement suggestions, and other evaluations you provide are also collected and stored.
• Marketplace data. When you participate in the RenX marketplace as a buyer or seller, we collect transaction details, including deal records, purchase and sale history, pricing information, deal states, payment intent identifiers, charge identifiers, balance transaction identifiers, application fees, transfer identifiers, amounts, currencies, tax calculations, and timestamps. If you apply for seller or business dealing status, we also collect your application details, status, review outcomes, and any approval or rejection reasons.
• Connection requests and social data. When you send or receive connection requests to other users, we store the request content (including any optional message you include), the identities of both parties, connection status, and timestamps. Your accepted connections form a social graph that enables mutual agent discovery.
• Contact records. You may create contact records within the Service, including names, addresses, descriptions, avatars, and associated platform identifiers. These contacts are stored to facilitate agent interactions and messaging.
• Channel configuration. When you connect messaging platform Channels (such as Telegram, Discord, Slack, WhatsApp, WeChat, or Feishu) to your agent, we collect and store the credentials and configuration data necessary to operate those integrations. This may include API tokens, bot tokens, webhook URLs, bot identifiers, phone numbers, account identifiers, routing policies, and other channel-specific settings.
• Communications. If you communicate with us, including via email, our website, or community channels, we collect your name, contact information, and the contents of any messages you send. This includes communications submitted for customer support, feedback, surveys, or research participation.

3.2 Information We Receive Automatically

When you use the Service, we also receive certain data automatically. This includes the following categories of information:

• Device and connection information. Consistent with your device or browser permissions, your device or browser automatically sends us information about when and how you install, access, or use the Service. This includes information such as your device type, model, operating system and version, browser type and version, screen resolution, mobile network and connection details, internet service provider (ISP) or mobile operator, time zone settings, language preferences, IP address (including information about the approximate location of your device derived from your IP address), and identifiers (including device identifiers, advertising identifiers, probabilistic identifiers, and other unique personal or online identifiers).
• Persistent device identifiers. On the desktop application, we generate and store persistent device identifiers on your device. These identifiers, along with your device hostname and machine name, are transmitted with API requests to enable workspace management, session continuity, and multi-device coordination. These identifiers persist across sessions and application restarts.
• Workspace and environment information. When you connect a workspace to the Service or initiate an AI-assisted session, we may collect your workspace path, working directory, and home directory path from your device. This information is transmitted to our servers to facilitate AI-assisted file operations, provide contextual awareness for your agent, and maintain session state.
• Usage information. We collect information about your use of the Service, including the features accessed, pages viewed, actions taken, session duration, frequency of use, interaction patterns, clickstream data, browsing history within the Service, search queries, links clicked, and other information about how you use the Service.
• Per-session usage tracking. For each AI session, we record the AI models used, the number of input and output tokens consumed, the tools invoked, and the associated costs broken down by source and key provider. This data is linked to your user account and the specific session (thread) for the purposes of billing, credit management, usage reporting, and capacity planning.
• Network information. We collect your IP address, approximate geographic location (derived from your IP address), connection type, and referral URLs. IP addresses are also used for rate limiting to prevent abuse of public-facing endpoints.
• Log and troubleshooting data. We collect information about how the Service is performing when you use it. This includes server logs, error reports, crash logs, diagnostic information, and timestamps of Service interactions. If you or your device experiences an error, we may collect information about the error, the time the error occurred, the feature being used, the state of the application when the error occurred, and any communications or content provided at the time the error occurred. Where debug logging is enabled by you, your administrator, or your deployment configuration, logs may also include additional diagnostic detail such as prompts, responses, tool invocations, and related metadata needed for troubleshooting.
• Location data. We collect approximate location information derived from your IP address. We do not intentionally collect precise geolocation from your device unless a feature is later introduced that specifically requests such permission and we provide notice at that time.
• Cookies and similar technologies. We and our service providers use cookies, web beacons, pixels, scripts, or similar technologies ("Cookies") to manage the Service and to collect information about you and your use of the Service. These technologies help us to recognise you, customise or personalise your experience, and analyse the use of the Service to make it safer and more useful to you. This includes a locale preference cookie stored for up to one year to remember your chosen language setting. See Section 10 for further details.

3.3 Information From Third-Party Sources

We may receive information about you from third-party sources, including but not limited to:

• Authentication providers. When you use third-party identity providers such as Google or Apple to sign in, we receive your name, email address, and profile information as permitted by your settings with those providers.
• Payment processors. Stripe and other payment service providers may provide us with information for transaction verification, fraud prevention, billing reconciliation, and compliance purposes. This includes information about your payment status, connected account status, and tax profile data.
• Messaging platforms. When you connect Channels (such as Telegram, Discord, Slack, WhatsApp, WeChat, or Feishu), we receive inbound messages, sender identifiers, media attachments, and other data from those platforms as necessary to facilitate agent interactions. The data we receive depends on the capabilities and configuration of the specific platform.
• Analytics services. We may receive aggregated and anonymised usage data from analytics providers to help us understand how the Service is used and to identify areas for improvement.
• Publicly available information. We may collect information from public sources where lawful and relevant to providing or improving the Service.
• Search, media, and document-processing providers. When you use features that rely on external search, transcription, text-to-speech, OCR, vision, document parsing, reranking, or similar processing services, we may receive results, metadata, or processed content back from those providers as necessary to deliver the feature you invoked. The specific providers used depend on your configuration, platform, and selected integrations.

4. How We Use Your Information

We use the personal data we collect for the following purposes. The specific ways in which we use your data depend on which features of the Service you use and how you interact with the platform.

4.1 Service Provision and Operations

• To create and administer your account, authenticate your identity, and manage your profile and preferences.
• To provide, maintain, and facilitate the core functionality of RenX across desktop and web platforms, including but not limited to AI-assisted chat sessions, coding assistance, agentic task execution, and research workflows.
• To process subscriptions, marketplace purchases and sales, wallet transactions, credit balances, top-ups, usage deductions, and related billing and payment operations.
• To enable AI agents to act on your behalf, including conducting agent-to-agent (A2A) conversations, negotiating and executing marketplace deals, carrying out tasks you have authorised, and interacting with contacts via connected messaging Channels.
• To facilitate workspace file operations — including reading, writing, uploading, and managing files within your connected workspaces — as directed by you or your agent during AI-assisted sessions.
• To execute terminal commands and remote desktop operations on your device when you explicitly authorise such actions through the Service.
• To manage your connections with other users, process connection requests, and facilitate mutual agent discovery.
• To relay messages between your agent and external messaging platforms when you have connected those Channels.
• To facilitate optional features, integrations, plugins, and platform enhancements.

4.2 Communications

• To send you service-related communications, including account confirmations, billing receipts, security alerts, technical notices, support messages, and administrative updates. These communications are necessary for the operation of the Service and are not marketing communications.
• To relay messages between your agent and external messaging platforms (such as Telegram, Discord, Slack, WhatsApp, WeChat, and Feishu) when you have connected those Channels. The content of these messages is processed solely to facilitate the requested communication.
• To send you information about products, features, events, and promotions that may be of interest to you, where you have opted in to receive such communications or where otherwise permitted by applicable law. You may opt out of marketing communications at any time (see Section 14).

4.3 Safety, Security, and Compliance

• To detect, investigate, and prevent fraud, abuse, violations of our Terms of Service and Acceptable Use Policy, unlawful or criminal activity, and unauthorised access to or use of personal data, the Service, or Open Mercury's systems and networks.
• To enforce our Terms of Service, Acceptable Use Policy, and other agreements, and to protect our rights and the rights of others.
• To investigate and resolve disputes, complaints, and security issues, including investigating reports of harmful content or policy violations.
• To review business dealing and seller applications for platform integrity, and to take action against accounts that violate our policies.
• To protect the health, safety, rights, property, or security of Open Mercury, our users, or the public.
• To comply with applicable laws, regulations, legal processes, and governmental requests, and to meet legal and institutional policy obligations.

4.4 Improvement and Research

• To analyse usage patterns, conduct research, and study user behaviour to evaluate, improve, and develop the Service. This includes analysing how features are adopted, identifying areas where users encounter difficulties, and studying aggregated usage trends.
• To track per-session AI usage — including models used, tokens consumed, and associated costs — to provide usage reports, manage credit systems, and plan capacity.
• To debug errors, diagnose technical issues, and repair functionality impairments. This may include reviewing log data, error reports, and the state of the application at the time an error occurred.
• To develop new features, products, and services based on aggregated and de-identified usage data.

4.5 Search, Media, and Document Processing

• To execute user-requested search queries through configured third-party search providers and return relevant results to you.
• To process documents, images, screenshots, audio, or other files you submit for parsing, OCR, transcription, captioning, podcast generation, summarisation, or similar feature-specific tasks.
• To route tool requests and content to configured external providers, plugins, MCP servers, or infrastructure needed to complete the feature you invoked.

4.6 Personalisation

• To tailor the Service to your preferences, remember your settings (including language and locale preferences), maintain your agent configurations, and provide relevant recommendations based on your usage patterns.

4.7 What We Do Not Use Your Data For

Open Mercury does not use your Inputs, Outputs, conversations, files, or other user content to train, fine-tune, or improve AI models. Your content is processed solely to provide the Service to you and is not used for model training purposes. AI model training is performed by the third-party AI providers you connect to via BYOK, subject to their respective privacy policies and your settings with those providers. We recommend reviewing the training data practices of any AI providers whose services you use through RenX.

5. AI Agents, Connections, and Marketplace

RenX enables AI agents to act on your behalf, including participating in marketplace transactions, agent-to-agent (A2A) conversations, and interactions via connected messaging Channels. The following provisions describe how your data is handled in connection with these features.

5.1 Agent Actions and Data Sharing

Your agent may share information with other agents, marketplace participants, or messaging platform contacts as necessary to negotiate, facilitate, and complete transactions or interactions you have authorised. This may include sharing your display name, agent identifier, agent capabilities, and transaction-related details with counterparties. When your agent communicates via connected messaging Channels (such as Telegram or WhatsApp), messages are relayed between the external platform and your agent, and the content of these messages is subject to both this Privacy Policy and the privacy policies of the respective messaging platform. No payment is ever initiated or processed through the marketplace without your explicit consent.

5.2 Public Agent Profiles

If you configure an agent with public discovery enabled, a public agent card — including your agent's name, description, capabilities, supported interaction modes, and your username — is made available via the A2A protocol at a publicly accessible endpoint. This information is accessible without authentication and may be indexed by search engines, accessed by other platforms, or retrieved by other users' agents. You can control whether your agents are publicly discoverable through the Service settings.

5.3 Connections and Social Graph

When you send or accept connection requests, we store the connection relationship between your account and the other user's account, including the identities of both parties, the connection status, any optional messages exchanged as part of the request, and timestamps. Accepted connections enable mutual agent discovery, allowing your agents and the connected user's agents to find and interact with each other. Your username, display name, and public agent information become visible to users with whom you share an accepted connection.

5.4 Transaction Records

We retain detailed records of marketplace deals, including transaction amounts, currencies, participating parties (buyers and sellers, identified by display name, agent identifier, and user identifier), payment status, payment references and financial identifiers, deal states, and timestamps. These records are maintained for the purposes of billing, dispute resolution, audit, tax compliance, and compliance with applicable legal obligations.

5.5 Identity Snapshots

When your agent interacts with other agents or users — whether through the marketplace, A2A conversations, or direct messaging — a limited identity snapshot (such as your display name, agent identifier, or user identifier) may be visible to the other party. This is necessary to facilitate trust, accountability, and transparency in platform interactions. You can manage your display name, agent configurations, and visibility settings through the Service settings.

5.6 Buyer Data

If you set up a wallet for marketplace participation as a buyer, we collect and store your billing address (country, state, city, postal code, and address lines) for the purposes of tax calculation and transaction processing. Your payment method information is managed through Stripe; we store only a reference to your Stripe customer account (customer ID), not your payment credentials. We also maintain a record of your buyer readiness status, including whether you have a valid payment method and billing address on file.

5.7 Seller and Business Data

If you apply for seller or business dealing status on the platform, we collect and process the following additional information:

• Business application data. Your application status, the date you applied, review outcomes, the identity of the reviewer, and any rejection or suspension reasons. This information is retained to maintain the integrity of the marketplace and to support dispute resolution.
• Connected account data. When you set up a seller payout account via Stripe Connect, we collect and store your Stripe connected account identifier, onboarding status, payout enablement status, country, default currency, account status, and payout eligibility. This information is synchronised from Stripe and is necessary to process payouts and ensure compliance with payment regulations.
• Tax profile data. Your tax country, default product tax code, tax registration status, tax readiness indicators, and any missing tax requirements. This information is used for marketplace tax calculation, reporting, and compliance with applicable tax laws.

5.8 Credits and Usage

We maintain a credit balance system for your account. All credit transactions — including subscription grants, manual top-ups, and usage deductions — are recorded with the transaction type, amount, description, associated session identifier, and timestamp. These records are maintained for billing accuracy, usage transparency, and audit purposes.

6. Your API Keys and Third-Party AI Providers

RenX operates on a "Bring Your Own Key" (BYOK) model. You provide your own API keys for third-party AI providers (such as OpenAI, Anthropic, Google, DeepSeek, Azure, Ollama, OpenRouter, DashScope, and others). The following describes how we handle your API keys and your interactions with third-party providers.

6.1 Desktop Application

On the desktop application, your API keys are encrypted and stored locally on your device using your operating system's secure credential storage. Your API keys are never transmitted to Open Mercury's servers from the desktop application. All requests to AI providers are sent directly from your device to the respective provider's API endpoint.

6.2 Web and Mobile Applications

On the web and mobile applications, API keys are transmitted to our servers via encrypted connections and are encrypted at rest before being stored server-side. This enables cross-device access and session continuity. Stored keys are used solely to route your requests to the respective AI providers on your behalf. Access to stored keys is restricted to authenticated sessions tied to your account, and keys are not disclosed to other users, administrators, or third parties (except to the AI provider to which the key belongs, as part of processing your request). When you use the credential testing feature, your API key is sent to the respective third-party AI provider to verify that the key is valid.

6.3 Third-Party Provider Interactions

When you send Prompts, messages, files, or other content to AI providers through RenX, those interactions are governed by the respective provider's own privacy policy and terms of service. We do not control and are not responsible for how third-party AI providers collect, use, store, retain, or process your data, including whether they use your Inputs and Outputs for model training. We strongly recommend reviewing the privacy policies and data practices of any AI providers whose services you use through RenX.

RenX may also connect to non-LLM third-party providers to support features such as search, reranking, document conversion, OCR, vision processing, transcription, text-to-speech, podcast generation, analytics, authentication, and payments. Data sent to those providers is limited to what is reasonably necessary to perform the feature you requested, and their processing of that data is governed by their own terms and privacy practices.

6.4 MCP Server Integrations

RenX supports Model Context Protocol (MCP) server integrations that may connect your agent to external services, tools, databases, and APIs. On the desktop application, MCP server configurations (including server commands, arguments, environment variables, and connection URLs) are stored locally on your device. When you connect to external MCP servers, data transmitted to those servers — including Inputs, tool invocations, and their results — is governed by the respective server operator's privacy practices. You are responsible for reviewing the privacy, security, and data handling practices of any external MCP servers you connect to.

7. Messaging Channel Integrations

RenX allows you to connect your agent to external messaging platforms ("Channels"), including but not limited to Telegram, Discord, Slack, WhatsApp, WeChat, and Feishu. When you enable a Channel integration, the following data handling practices apply.

7.1 Data We Collect and Store

When you configure a Channel, we collect and store the credentials and configuration data necessary to operate the integration. Depending on the platform, this may include API tokens, bot tokens, webhook URLs, bot identifiers, phone numbers, account identifiers, routing policies, and other channel-specific settings. Channel credentials are stored server-side in encrypted form and are used solely to operate the integration on your behalf.

We also collect and process messages transmitted through connected Channels, including inbound messages sent to your agent by external users (with sender identifiers, message content, timestamps, and any media attachments) and outbound messages generated by your agent and sent to the external platform on your behalf.

7.2 WhatsApp and WeChat Bridges (Desktop)

On the desktop application, authentication credentials and related session data for certain messaging integrations, including WhatsApp and WeChat, are stored locally on your device and are not transmitted to Open Mercury's servers. However, message content may still be relayed between your device and our servers to enable agent processing and response generation.

7.3 Third-Party Platform Policies

Your use of messaging Channels is also governed by the respective platform's terms of service and privacy policy. We are not responsible for how Telegram, Discord, Slack, WhatsApp (Meta), WeChat (Tencent), Feishu (ByteDance), or other platforms collect, use, retain, or process your data. We recommend reviewing their policies before connecting a Channel. You should also be aware that messages sent via these platforms may be subject to the data retention and processing practices of the platform operator, which are outside our control.

8. Local and Server-Side Data

RenX is designed with a local-first approach where possible, meaning that certain data remains on your device and is not transmitted to our servers. The following describes the distinction between locally stored and server-side data.

8.1 Data Stored Locally (Desktop Application)

The following data is stored on your device and is not transmitted to Open Mercury's servers unless otherwise noted:

• API keys and provider credentials (stored in your operating system's secure credential storage).
• Application preferences, display settings, and UI state.
• MCP server configurations, including server commands, arguments, and environment variables.
• Workspace settings and local project files.
• Session history and message cache (stored locally on your device).
• Persistent device identifiers stored on your device. Note: these identifiers are transmitted to the server with API requests for session management purposes.
• System information, including your hostname, platform, CPU architecture, and home directory path. Note: home directory path and machine identifiers are transmitted to the server with chat messages to provide workspace context.
• WhatsApp and WeChat bridge authentication credentials and session state (stored locally per account).
• Agent definition files, including personality, identity, and behavioural configuration documents.

8.2 Data Stored Server-Side

The following data is stored on our servers to provide the Service:

• Account information, authentication credentials (hashed), and profile data.
• Identity links to external platform accounts (platform-specific user IDs and handles).
• Subscription status, billing data, credit balances, and credit transaction history.
• Marketplace transaction records, deal payment event logs, and associated financial data.
• Wallet references (Stripe customer IDs), buyer billing addresses, and payment method references.
• Seller connected account data (Stripe Connect), tax profiles, and business dealing application records.
• Agent configurations that are shared across devices or made publicly discoverable.
• Conversation data necessary for session continuity, agent-to-agent communication, multi-device access, and cross-platform messaging.
• Connection records (social graph), including connection status and associated messages.
• Contact records created by you within the Service.
• Channel configurations and credentials for connected messaging platforms.
• Per-session usage data, including models used, tokens consumed, tools invoked, and associated costs.
• Usage analytics and server log data.

8.3 Workspace and File Access

When you connect a workspace to the Service, your agent may read, write, upload, and delete files within that workspace as directed by you or as part of authorised task execution. File contents and related metadata may be transmitted between your device and our servers via encrypted connections to enable AI processing. You maintain control over which workspaces are connected and can disconnect them at any time.

The Service may also create and manage terminal (PTY) sessions on your desktop device, allowing your agent to execute commands in your local environment. Where you authorise it, the Service may establish remote desktop (VNC) connections for screen viewing and input control. These capabilities are only activated with your explicit permission and are subject to the permission controls within the Service.

8.4 Synchronisation

When you use RenX across multiple devices and sessions, certain data — including agent configurations, conversation history, and account settings — is synchronised server-side to ensure a consistent experience. You may have the ability to control which data is synchronised through the Service settings.

9. Disclosure of Your Information

We may disclose your personal information in the following circumstances and to the following categories of recipients. We do not sell your personal information, and we do not share your personal information for cross-context behavioural advertising purposes as those terms are defined under applicable law.

• Affiliates. We may disclose your information to companies within the Open Mercury group of entities for purposes consistent with this Privacy Policy, including service provision, support, and internal business operations.
• Service providers and data processors. We share your information with third-party vendors, contractors, and agents who perform services on our behalf, including but not limited to cloud hosting and database services (Supabase), payment processing (Stripe), analytics (Amplitude, where enabled), authentication providers, email delivery services, document or media processing providers, and infrastructure providers. These service providers are contractually obligated to protect your information, process it only for the purposes for which it was disclosed, and comply with applicable data protection laws.
• Messaging platforms. When you connect Channels, message content and associated metadata are transmitted to and from the respective messaging platform (such as Telegram, Discord, Slack, WhatsApp, WeChat, or Feishu) as necessary to facilitate agent interactions. These transmissions are subject to the privacy policies of the respective platforms.
• Marketplace counterparties. Limited information — including your display name, agent identifier, and transaction details — is shared with other users or their agents as part of marketplace transactions you have initiated or authorised. This sharing is necessary to facilitate trust and complete the transaction.
• Connected users. When you accept a connection request, your username, display name, and public agent information become visible to the connected user, and their equivalent information becomes visible to you. This mutual disclosure is inherent to the connection feature.
• Public agent directory. If you enable public agent discovery, your agent's name, description, capabilities, supported interaction modes, and your username are made publicly accessible via the A2A protocol. This information may be accessed by anyone, including other platforms and search engines.
• Business partners. We may share information with third parties with whom we partner to offer joint features, integrations, or co-branded services, but only where you have opted in to such partnerships.
• Analytics providers. Where analytics features are enabled, we may share limited usage, device, and interaction data with analytics providers to understand product performance, feature adoption, and service reliability. We do not sell your personal information, and we do not share your personal information for cross-context behavioural advertising.
• Professional advisors. We may disclose your information to lawyers, accountants, auditors, insurance providers, and other professional advisors where necessary for the conduct of our business, subject to obligations of confidentiality.
• Legal and regulatory bodies. We may disclose your information to law enforcement agencies, courts, regulators, government authorities, and other third parties where we believe disclosure is required or permitted by applicable law, regulation, legal process, or governmental request, or where necessary to: (a) investigate or prevent fraud, security issues, or technical problems; (b) protect the health and safety of any person; (c) protect the rights, property, or safety of Open Mercury, our users, or the public; (d) enforce our Terms of Service; or (e) respond to lawful requests, including subpoenas, court orders, and government investigations.
• Business transfers. In connection with, or during negotiations of, any merger, acquisition, sale of assets, financing, reorganisation, bankruptcy, or similar transaction, your information may be transferred or disclosed to the acquiring or prospective acquiring entity as part of that transaction. In such cases, we will require the recipient to honour this Privacy Policy or notify you before your personal data becomes subject to a different privacy policy.
• Platform administrators. Authorised Open Mercury personnel may access user account information, email addresses, subscription data, usage records, and business dealing applications for the purposes of platform administration, customer support, fraud prevention, policy enforcement, and legal compliance. Access is restricted to authorised personnel operating under obligations of confidentiality, and is limited to what is reasonably necessary for the stated purposes.
• With your consent. We may disclose your information to other third parties where you have provided your explicit consent to such disclosure.

10. Cookies and Other Tracking Technologies

Our website and web application use cookies, web beacons, pixels, scripts, and similar tracking technologies ("Cookies") to manage the Service and to collect information about you and your use of the Service. These technologies help us to recognise you, customise or personalise your experience, and analyse the use of the Service to make it safer and more useful to you.

10.1 Types of Cookies

• Essential cookies. These cookies are required for the Service to function properly, including authentication, session management, and security. They cannot be disabled without affecting core functionality of the Service.
• Locale preference cookies. A cookie storing your language preference (e.g., "en" or "zh") is set with a duration of up to one year to remember your chosen language across visits. Your locale setting is also transmitted with chat messages to provide responses in your preferred language.
• Analytics cookies. These cookies help us understand how visitors interact with the Service, which pages are visited most frequently, how users navigate through the application, and how features are adopted. We use this information to evaluate, improve, and develop the Service.
• Preference cookies. These cookies remember your settings, choices, and customisations to provide a more personalised experience across visits.
• Marketing cookies. Where applicable and with your consent, these cookies are used to deliver relevant communications and measure the effectiveness of our marketing efforts.

10.2 Analytics Providers

Where explicitly configured, our website may use Amplitude Analytics to collect usage data, including autocaptured interaction events such as page views, clicks, and other user interactions. Amplitude analytics are loaded only when explicitly enabled via server-side environment variables and are not active by default on the Service. When active, Amplitude processes your data in accordance with their own privacy policy, which we encourage you to review.

10.3 Your Cookie Choices

Most web browsers accept cookies by default. You can usually modify your browser settings to decline cookies or to alert you when cookies are being sent. You may also clear cookies already stored on your device. Please note that disabling or clearing cookies may affect the functionality of the Service and may prevent you from accessing certain features.

We honour global privacy control signals (such as the Global Privacy Control or "GPC") where required by applicable law. If you have enabled GPC or a similar mechanism in your browser, we will treat it as a valid opt-out signal for any applicable data sharing.

You may contact us at hello@openmercury.com regarding specific information processing, cookie, and collection choices.

11. Third-Party Websites and Links

The Service may contain links to third-party websites, applications, or services that are not operated or controlled by Open Mercury. This includes, but is not limited to, links to AI provider websites, MCP server operators, messaging platform providers, plugin publishers, Stripe billing portals, and other external resources. This Privacy Policy does not apply to any third-party sites or services.

We are not responsible for the content, privacy policies, data practices, or security of any third-party websites or services. We encourage you to review the privacy policies and terms of service of any third-party sites you visit or services you connect to through RenX before providing them with any personal information.

12. International Data Transfers

When you access the Service, your personal information may be transferred to our servers in the United Kingdom, the United States, or to other countries where our service providers operate. This may be a direct provision of your personal data to us, or a transfer that we or a third party make on our behalf.

Where information is transferred outside the European Economic Area ("EEA"), the United Kingdom, or Switzerland, we ensure it benefits from an adequate level of data protection by relying on:

• Adequacy decisions. These are decisions from the European Commission under Article 45 of the GDPR (or equivalent decisions under other applicable laws) where they recognise that a country outside the EEA offers an adequate level of data protection. We transfer your information to some countries with adequacy decisions.
• Standard contractual clauses. The European Commission has approved contractual clauses under Article 46 of the GDPR that allow companies in the EEA to transfer data outside the EEA. These (and their approved equivalents for the UK and Switzerland) are called standard contractual clauses. We rely on standard contractual clauses to transfer information to certain affiliates, service providers, and third parties in countries without an adequacy decision.
• Derogations. In certain situations, we may rely on derogations provided for under applicable data protection law to transfer information to a third country, including where the transfer is necessary for the performance of a contract with you or where you have provided your explicit consent.

Where permitted by applicable law, by using the Service you acknowledge that your information may be transferred to and processed in countries outside your jurisdiction, which may have data protection laws that differ from those in your country of residence.

13. Data Retention, Lifecycle, and Security

13.1 Retention

We retain your personal information for as long as reasonably necessary to fulfil the purposes for which it was collected, taking into account the following factors:

• The amount, nature, and sensitivity of the information.
• The potential risk of harm from unauthorised use or disclosure.
• The purposes for which we process the information and whether we can achieve those purposes through other means.
• Applicable legal, accounting, contractual, and regulatory obligations, including tax and financial reporting requirements.
• The need to resolve disputes and enforce our agreements.

Marketplace transaction records, payment event logs, credit transaction history, and associated financial data are retained for as long as required for billing, tax compliance, dispute resolution, and legal obligations, which may extend beyond the deletion or deactivation of your account.

Different categories of data may be retained for different periods. For example, account and billing records may be retained for legal and accounting requirements, conversation and usage records may be retained for service continuity, security, and abuse prevention, and locally stored desktop data may remain on your device until you remove the application data or delete it through the operating system or application controls.

By way of illustration:

• Account, profile, and configuration data may be retained for as long as your account remains active and for a reasonable period thereafter to support reactivation, dispute handling, auditability, and compliance.
• Conversation, workspace, channel, and usage records may be retained for shorter or longer periods depending on your settings, your deployment model, operational needs, abuse prevention, and whether you delete the relevant content through the Service.
• Billing, tax, marketplace, and financial records may be retained for longer periods where required by tax, accounting, anti-fraud, or other legal obligations.
• Logs, diagnostics, and security records may be retained for operational integrity, incident investigation, fraud prevention, and system reliability.
• Locally stored desktop data may remain under your control on your device until removed by you, even where corresponding server-side data has been deleted.

13.2 Data Destruction

When personal information is no longer required for any lawful purpose, we will:

• Delete, destroy, or erase the information using secure methods; or
• Anonymise or de-identify the information so that it can no longer reasonably be used to identify you.

These actions are carried out in a secure manner consistent with industry standards, applicable legal requirements, and our internal data management policies.

13.3 Aggregated and De-Identified Information

We may process personal information to create aggregated or de-identified information that can no longer reasonably be used to identify you. We may use such information for any lawful purpose, including but not limited to service evaluation, usage analysis, effectiveness research, user behaviour studies, capacity planning, and product improvement. Examples include:

• Aggregating general usage statistics to understand feature adoption and performance trends.
• De-identifying feedback data for service quality analysis and model evaluation.
• Compiling anonymised transaction volume metrics for marketplace reporting and capacity planning.
• Aggregating token usage and cost data to inform infrastructure and pricing decisions.

13.4 Security

We implement appropriate technical and organisational security measures designed to protect your personal information against loss, misuse, unauthorised access, alteration, disclosure, or destruction. These measures include, but are not limited to:

• Encryption of data in transit and, where appropriate, encryption of data at rest.
• Secure credential storage using operating system credential storage and encrypted server-side storage.
• Database access controls designed to limit access to authorised users and systems.
• Secure authentication and session-management mechanisms.
• Integrity verification for third-party integrations such as payment webhooks.
• Rate limiting on public-facing API endpoints to prevent abuse.
• Regular security assessments, code reviews, and vulnerability testing.
• Incident detection, response, and notification procedures.
• Employee and administrator access restrictions based on the principle of least privilege.

However, no method of electronic transmission or storage is completely secure, and we cannot guarantee the absolute security of your information. While we strive to use commercially reasonable means to protect your personal data, you transmit information to us at your own risk. You are responsible for maintaining the confidentiality of your account credentials, API keys, and other authentication information, and you should notify us immediately at hello@openmercury.com if you suspect any unauthorised access to your account.

You should also understand that third-party providers you configure through the Service, including AI providers, messaging platforms, search providers, MCP servers, and plugins, operate under their own security controls and privacy practices. We are not responsible for the independent security or retention practices of those third parties.

Where required by applicable law, we will take appropriate steps to investigate personal data incidents and to provide notifications to affected individuals and regulators within the time periods prescribed by law.

14. Your Rights and Choices

Depending on where you live and the laws that apply in your country of residence, you may enjoy certain rights regarding your personal data, as described below. However, please be aware that these rights may be subject to limitations and exceptions under applicable law, and that the process by which we action your requests may vary depending on the nature of the request. We may also decline a request if we have a lawful reason for doing so. That said, we strive to prioritise the protection of personal data and comply with all applicable privacy laws.

To exercise your rights, you or an authorised agent may submit a request by emailing us at hello@openmercury.com. After we receive your request, we may verify it by requesting information sufficient to confirm your identity and authority, where relevant. We may decline or limit a request where permitted by applicable law, including where we are unable to verify your identity, where the request is manifestly unfounded or excessive, where disclosure would adversely affect the rights of another person, or where we must retain the information to comply with legal obligations, resolve disputes, enforce agreements, or protect the Service and its users. You may also have the right to appeal requests that we deny by emailing hello@openmercury.com. Open Mercury will not discriminate against you for exercising any of your privacy rights. Set out below is a summary of the rights which you may enjoy, depending on the laws that apply in your country of residence.

• Right to know. The right to know what personal data Open Mercury processes about you, including the categories of personal data, the categories of sources from which it is collected, the business or commercial purposes for collection, and the categories of third parties to whom we disclose it.
• Access and data portability. The right to request a copy of the personal data Open Mercury processes about you, subject to certain exceptions and conditions. In certain cases and subject to applicable law, you have the right to receive your information in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
• Deletion. The right to request that we delete personal data collected from you, subject to certain exceptions (including where we are required to retain data for legal, tax, audit, or dispute resolution purposes). You are also able to delete individual conversations through the Service, which will be removed from your conversation history. We aim to process deletion requests within 30 days, though some data may persist in encrypted backups for a limited period before being permanently removed.
• Correction. The right to request that we correct inaccurate personal data that Open Mercury retains about you, subject to certain exceptions. Please note that we cannot guarantee the factual accuracy of AI-generated Outputs. If Outputs contain factually inaccurate personal data relating to you, you can submit a correction request and we will make a reasonable effort to address this — but due to the technical nature of the Service and the fact that Outputs are generated by third-party AI providers, it may not always be possible for us to correct information in Outputs directly.
• Objection. The right to object to the processing of your personal data, including processing conducted on the grounds of legitimate interest. In places where such a right applies, we will no longer process the personal data in case of such objection unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims. If we use your information for direct marketing, you can object and opt out of future direct marketing messages using the unsubscribe link in such communications or by contacting us.
• Restriction. The right to restrict our processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or where you have objected to processing pending verification of our legitimate grounds.
• Withdrawal of consent. Where Open Mercury's processing of your personal data is based on consent, you have the right to withdraw your consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
• Automated decision-making. Open Mercury does not engage in decision-making based solely on automated processing or profiling in a manner which produces a legal effect (i.e., impacts your legal rights) or significantly affects you in a similar way (e.g., significantly affects your financial circumstances or ability to access essential goods or services).
• Sale and targeted advertising. Open Mercury does not "sell" your personal data as that term is defined by applicable laws and regulations. We do not share your personal data for cross-context behavioural advertising. We honour global privacy control signals (such as the Global Privacy Control) where required by applicable law.

Exercising Your Rights

You may also be able to manage certain preferences, disconnect Channels, delete conversations, and remove connections through the Service, where those controls are available for your platform or deployment. Other requests, including broader account-level privacy requests, may require you to contact us directly.

Where self-service tools are available, we encourage you to use them first, as they may provide the fastest way to access, correct, export, or delete certain categories of data. In other situations, including requests relating to legal rights, retention exceptions, or controller/processor questions, you may contact us directly using the details in Section 19.

If you are not satisfied with our response to your request, you have the right to lodge a complaint with your local data protection authority (see Section 18).

15. Children's Privacy

The Service is not directed to children under the age of 13 (or the applicable minimum age in your jurisdiction, such as 16 in certain EEA member states). We do not knowingly collect, solicit, or maintain personal information from children under the applicable minimum age.

If we learn that we have collected personal information from a child under the applicable minimum age, we will investigate and take steps to delete that information as promptly as possible. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hello@openmercury.com so that we can take appropriate action.

16. Legal Bases for Processing (EEA, UK, and Switzerland)

If you are located in the EEA, UK, or Switzerland, the table below sets out the legal bases on which we process your personal data. Where we rely on legitimate interests, our interests include providing and improving the Service, ensuring the security and integrity of the platform, preventing fraud and abuse, and conducting our business operations. These interests are balanced against your data protection rights and freedoms.

17. Regional Supplemental Disclosures

17.1 European Economic Area and United Kingdom

Open Mercury processes your personal data on the legal bases set out in Section 16. Where we rely on legitimate interests as a legal basis, our interests include providing and improving the Service, ensuring the security of the platform, preventing fraud, conducting business operations, and maintaining the integrity of the marketplace. These interests are balanced against your data protection rights and freedoms, and we do not rely on legitimate interests where the impact on your rights would be disproportionate.

You have the right to lodge a complaint with your local supervisory authority:

• United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
• European Union: Your local supervisory authority — edpb.europa.eu/about-edpb/about-edpb/members

17.2 United States — California

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

• The right to know what categories of personal information we have collected, the sources from which it was collected, the business or commercial purposes for which it is collected, and the categories of third parties to whom it is disclosed.
• The right to request deletion of your personal information, subject to certain exceptions.
• The right to correct inaccurate personal information.
• The right to opt out of the sale or sharing of your personal information. We do not sell or share your personal information for cross-context behavioural advertising.
• The right to limit the use of sensitive personal information. We do not use or disclose sensitive personal information for purposes beyond those permitted under the CCPA/CPRA.
• The right to non-discrimination for exercising your privacy rights.

California residents under the age of 18 who are registered users of the Service may request removal of content or information they have publicly posted. To make such a request, contact us at hello@openmercury.com. Please note that removal does not ensure complete erasure of the content from all systems or from third-party platforms.

17.3 Brazil

If you are located in Brazil, you have rights under the Lei Geral de Protecao de Dados (LGPD), including:

• Confirmation of the existence of processing.
• Access to your personal data.
• Correction of incomplete, inaccurate, or outdated data.
• Anonymisation, blocking, or deletion of unnecessary, excessive, or non-compliant data.
• Data portability to another service or product provider, subject to commercial and industrial secrecy.
• Deletion of data processed with your consent.
• Information about public and private entities with which your data has been shared.
• Information about the possibility of denying consent and the consequences thereof.
• Revocation of consent, free of charge.
• Review of decisions made solely based on automated processing of personal data.

These rights are not absolute and may be subject to exceptions under applicable law, including for compliance with legal obligations, exercise of rights in judicial, administrative, or arbitration proceedings, and other cases permitted by the LGPD.

For cross-border transfers of your data, we rely on standard contractual clauses approved by the Brazilian National Data Protection Authority (ANPD) or equivalent safeguards.

The ANPD is the competent supervisory authority for matters relating to data protection in Brazil — gov.br/anpd.

17.4 Canada

If you are located in Canada, we collect, use, and disclose your personal information with your knowledge and consent, except where otherwise permitted or required by applicable law. You may withdraw your consent at any time, subject to legal or contractual restrictions and upon reasonable notice. Withdrawal of consent may affect our ability to provide certain features of the Service to you.

Consent may be expressed or implied, depending on the circumstances and the sensitivity of the personal information involved. By using the Service, you acknowledge that your information may be transferred to and processed in jurisdictions outside Canada, including the United Kingdom and the United States, which may have different data protection standards. Your information may be accessible to law enforcement and governmental authorities in those jurisdictions under their lawful orders and applicable laws.

To exercise your rights or for questions about our privacy practices, contact us at hello@openmercury.com.

18. Complaints

If you have a complaint about how we handle your personal information, we encourage you to contact us first so that we can try to resolve your concern:

• Email: hello@openmercury.com

If you are not satisfied with our response, you may lodge a complaint with the relevant data protection authority in your jurisdiction, including:

• United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
• European Union: Your local supervisory authority — edpb.europa.eu/about-edpb/about-edpb/members
• Brazil: Autoridade Nacional de Protecao de Dados (ANPD) — gov.br/anpd
• Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au

19. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: hello@openmercury.com
• Website: openmercury.com/contact
• Discord: discord.gg/openmercury

Open Mercury Ltd is the controller for personal data covered by this Privacy Policy except where we expressly state that another party acts as controller or where we act solely as a processor on behalf of a customer or other organisation under a separate agreement.

For data protection enquiries specifically, you may also contact our privacy contact at hello@openmercury.com with the subject line "Data Protection Enquiry." If you use the Service through a business customer or another organisation, you may also need to contact that organisation directly regarding processing for which it acts as controller. If we designate a formal Data Protection Officer, privacy centre, or supplemental regional notice, we may provide those details through our website.

We may also publish additional privacy notices, cookie information, or feature-specific disclosures from time to time to address particular products, integrations, jurisdictions, or processing activities. Those supplemental notices will form part of our overall privacy disclosures to the extent applicable.

20. Language

This Privacy Policy may be provided in multiple languages. In the event of any inconsistency between translated versions, the English language version shall prevail.