Legal

Privacy Policy

This policy explains what DebtAgent collects, why, and how long we keep it. Two populations are covered: our customers, and the debtors whose personal information customers load into the platform. We never sell either. We never buy debt.

FDCPA Regulation F DPA available Encrypted at rest

1. Who we are, and what DebtAgent is not

DebtAgent is a software-as-a-service product operated at debtagent.ai. It generates and runs compliant collection cadences on overdue accounts that our customers already own or are already entitled to collect.

DebtAgent is not a collection agency, not a debt buyer, and not a law firm. We do not take assignment of debts, we do not act as a collector on our own account, and we do not provide legal advice. Our customer remains the creditor or the collector of record for every account loaded into the platform, and remains responsible for the accuracy of the balances, the lawful basis for collecting them, and any licences their jurisdiction requires. We supply the tooling and the guardrails.

For anything in this policy, write to [email protected]. A person reads that inbox. There is no contact form on this site.

2. The two kinds of data on this platform

Collections software is unusual: most of the personal information inside it does not belong to the person using it. We keep those two populations conceptually and technically separate.

2.1 Customer data (you, the account holder)

For customer accounts, we are the controller. We collect:

  • Account details. Your email address, a hashed password, your name if you give it, and your company name.
  • Billing details. Your subscription tier, billing period, and payment status. Card numbers are handled by Stripe and never touch our servers.
  • Usage data. Sequences generated, actions taken, tier limits consumed, plus standard server logs (IP address, user agent, timestamps) kept for security and abuse prevention.
  • Support correspondence. Anything you email us, kept so we can answer you.

2.2 Debtor data (personal information you load)

For the debtor records our customers upload, the customer is the controller and DebtAgent is the processor. We process this data only on the customer's documented instructions, only to run the cadence they configured, and never for our own purposes. That data typically includes:

  • Debtor name, company, email address, and phone number.
  • Invoice number, amount owed, currency, due date, and days overdue.
  • Account status: contacted, promised, paid, or disputed.
  • The content of each message sent, and the compliance event log for every send decision.

Do not upload data you do not need. DebtAgent does not ask for, and you should not load, Social Security numbers, bank account numbers, card numbers, government identifiers, or health or medical detail. Clinics collecting patient balances should load the balance and the contact details, not the diagnosis. We are not a HIPAA business associate and the platform is not configured to receive protected health information.

3. Our FDCPA and Regulation F posture

Compliance and privacy overlap heavily in collections, so it is worth being explicit about how the product behaves.

  • Mandated disclosures are attached, not optional. Messages carry the required debt disclosure language rather than leaving it to the sender to remember.
  • Contact-time windows and frequency caps are enforced before the send. A message outside permitted hours, or over the seven-contacts-in-seven-days cap, is blocked and logged as a compliance event.
  • Disputes and cease-communication requests stop the cadence. Every remaining step for that debt is paused automatically and the account is flagged. Collection can only resume when the customer supplies verification.
  • No threats, no harassment. The drafting model is constrained so it will not generate threats of litigation, arrest, or credit consequences, and will not produce abusive language.
  • Third-party disclosure is avoided. The agent contacts the debtor at the addresses the customer supplied, and does not discuss the debt with anyone else.

These guardrails reduce risk. They do not eliminate it, and they are not a substitute for legal advice. Whether a particular account may lawfully be collected, and under which state licence, is a question for the customer and their counsel.

4. How we use data

We use customer data to operate the service, take payment, enforce tier limits, keep the platform secure, and answer support requests. We use debtor data for exactly one thing: running the cadence the customer configured, and recording what happened.

We do not sell personal information, and we do not share it for cross-context behavioural advertising. We do not train AI models on your debtor records, and our AI sub-processor is contractually barred from doing so with the content we send it. There is no advertising network on this site, and no third-party ad or social tracking pixels.

5. Sub-processors

Running a collections platform means moving messages and money, so a small set of vendors necessarily touches data. Each one is bound by a data protection agreement and receives only what it needs.

DebtAgent sub-processors, what each is used for, and what data it receives
Sub-processor Purpose Data received
Stripe Subscription billing and the debtor pay-now portal Customer billing details, payment status
Amazon Web Services Application hosting and encrypted database storage All platform data, at rest in the United States
Amazon SES / Postmark Delivery of account emails and collection messages Recipient email address, message content
Twilio SMS and voice steps in a cadence (Starter and above) Recipient phone number, message content
Anthropic Drafting compliant collection copy Debt context needed to draft the message
Intuit QuickBooks / Xero Optional overdue-invoice import (Pro and above) Invoice and customer records you authorise

We will also disclose data where the law compels it, for example a subpoena or a lawful request from a regulator, and where necessary to establish or defend a legal claim. If the business is ever acquired, data moves with it and this policy continues to apply to it.

6. Data Processing Addendum

A Data Processing Addendum is available to any customer, on any plan, at no cost. It sets out the processor obligations, the sub-processor list, the security measures, breach notification timelines, and the Standard Contractual Clauses where a transfer needs them. Request it at [email protected]. Enterprise customers get it signed as part of onboarding, alongside a security review.

7. Security

Data is encrypted in transit with TLS and at rest in the database. Access to production is limited to the people who need it, gated behind multi-factor authentication, and logged. Passwords are stored as salted hashes and are never recoverable, by us or by anyone else. Inside the product, access is role-based, and Enterprise adds SSO/SAML and provisioning.

We keep an audit log of collection activity, which is a compliance feature and a security one: if something goes wrong on an account, there is a record of exactly what was sent, when, and under which rule. No system is perfectly secure, and we will not pretend otherwise. If we ever suffer a breach affecting your data, we will tell you promptly and tell you what we know.

8. Retention and deletion

  • Account data is kept while your account is open, and for 30 days after you close it, so an accidental deletion can be undone.
  • Debtor records and sequences are yours. Delete them at any time from inside the product and they are purged from live systems immediately and from backups within 30 days.
  • Compliance and audit logs are retained while the related account is live and for a period afterwards, because the whole point of an audit trail is that it survives the moment someone would like it not to. You can export them before you close your account, and you can ask us to purge them once no dispute is outstanding.
  • Billing records are kept as long as tax and accounting law requires, which is longer than we would otherwise choose.
  • Server logs roll off after 90 days.

9. Your rights

Wherever you are, you can ask us for a copy of the personal data we hold about you, ask us to correct it, ask us to delete it, and ask us to stop sending you anything. Email [email protected] and we will act within 30 days.

If you are a debtor who received a message from DebtAgent: the account belongs to one of our customers, not to us, and they control it. We will forward your request to them, and we will pass on a dispute or a cease-communication request immediately, which stops the cadence. To have the underlying record corrected or erased, the fastest route is to reply to the message you received, because that reaches the creditor directly.

California residents have the rights to know, delete, correct, and opt out of sale or sharing under the CCPA and CPRA. We do not sell or share personal information, so there is nothing to opt out of, but the right to know and to delete still applies and we will not discriminate against you for exercising it.

If the GDPR or UK GDPR applies to you, you additionally have rights of access, rectification, erasure, restriction, portability, and objection, and you may complain to your supervisory authority. Where we act as processor for a customer, we will refer your request to that customer and assist them in answering it.

10. Cookies

We set a session cookie so you can stay logged in, and a CSRF cookie so form submissions cannot be forged. Both are strictly necessary and neither follows you anywhere. We use privacy-respecting, aggregate product analytics to see which pages get read and where the demo breaks. We do not run advertising cookies, we do not embed social tracking pixels, and we do not build behavioural profiles.

11. Children, and where data lives

DebtAgent is a business tool. It is not directed at anyone under 18 and we do not knowingly collect data from children. Our production systems are hosted in the United States. If you load data about people outside the United States, that data will be processed in the United States, and the DPA covers the transfer mechanics. Enterprise customers can ask about data residency options.

12. Changes, and how to reach us

If we change this policy in a way that materially affects you, we will email you before it takes effect. Continuing to use DebtAgent after that means you accept the change.

Questions, requests, a DPA, or a security questionnaire, all go to the same place: [email protected].

Related reading: our Terms of Service, and the debt collection software pricing page.