legal

Privacy Policy

Last updated: 3 June 2026 · Effective: 3 June 2026

Draft for legal review. This is a working draft prepared to describe how AgentRex handles data. It has not yet been reviewed by a qualified data-protection lawyer. Placeholders in [BRACKETS] must be completed, and the whole document reviewed, before publication.

This Privacy Policy explains how Eucaliptus Trading Limited (BVI) ("AgentRex", "we", "us") collects, uses, and protects your personal data when you use the AgentRex mobile application and related services (the "Service"). We are the data controller for the personal data described here, except where we act as a processor on your behalf or where a third-party provider acts as an independent controller (each identified below).

AgentRex is a booking concierge: you describe a trip in plain language, our in-app agent searches travel options, and — only after you confirm each purchase — books it using a payment card linked to a wallet you control. Understanding that flow makes the data practices below clearer.

01Who we are & how to contact us

Controller: Eucaliptus Trading Limited (BVI), Ritter House, Wickhams Cay II, PO Box 3170, Road Town, Tortola VG1110, British Virgin Islands. For any privacy question or to exercise your rights, contact us at privacy@agentrex.xyz. [If you appoint a Data Protection Officer or an EU/UK representative under GDPR Art. 27, name and contact them here.]

02The data we collect

Information you provide

Identity verification data (KYC)

To issue a payment card, our payments partner is legally required to verify your identity ("Know Your Customer"). During this step you provide identity information and documents (for example, legal name, date of birth, nationality, residential address, and a government ID with a liveness/selfie check). This verification is performed by our payments partner and its identity-verification subprocessor — AgentRex does not collect or store your raw identity documents or biometric data. We receive only the result of the check (for example, "approved") and limited associated status information. [Confirm with your payments partner exactly which fields, if any, are returned to AgentRex, and reflect that here.]

Wallet & payment data

Information collected automatically

[If you add analytics, crash reporting (e.g. a tool like Sentry), or push notifications, disclose each here, including what it collects and its legal basis. The current build's diagnostic channel is noted internally as not yet wired — update this section when it is.]

03How we use your data & our legal bases

Under UK GDPR and EU GDPR we rely on the following legal bases:

Provide the Service
Run the chat agent, search travel, and execute bookings you confirm. Basis: performance of a contract.
Verify identity & issue a card
Meet anti-money-laundering / KYC obligations through our payments partner. Basis: legal obligation; performance of a contract.
Send service messages
Booking confirmations, invite codes, and essential notices. Basis: performance of a contract; legitimate interests.
Prevent fraud & abuse
Rate-limiting, hashed-IP abuse checks, securing accounts. Basis: legitimate interests; legal obligation.
Improve & support
Diagnose issues, respond to support requests, improve the Service. Basis: legitimate interests.
Marketing (waitlist)
Tell you when an invitation is available. Basis: consent (you asked to be on the list); you can opt out anytime.

We do not sell your personal data, and we do not use your chat content to serve third-party advertising.

04Who we share data with

We share personal data with the service providers that make AgentRex work. Each acts under a contract and only for the purposes below. Several are independent controllers of the data you provide directly to them (notably identity verification and payments) — review their own privacy policies for full detail.

Authentication & wallet provider
Signs you in and manages your non-custodial wallet keys. Receives your email/phone and authentication data. [Name the provider and link its privacy policy.]
Payments & card issuer
Verifies your identity (KYC), issues your card, and processes transactions. Receives your identity and payment data directly. Acts as an independent controller for that data. [Name the provider and link its privacy policy.]
Identity-verification subprocessor
Performs the document and liveness check on behalf of the payments partner. [Name if known; link policy.]
Travel providers
Search and fulfil your bookings. Receive the booking and traveller details needed to complete a purchase you confirm. [Name your travel providers and link their policies.]
AI processing
The in-app agent is powered by a third-party large-language-model provider that processes your chat messages to select travel-search actions. [Name the provider and link its policy; confirm its data-retention terms.]
Email delivery
Sends confirmations and invite emails. Receives your email address and message content. [Name the provider and link its policy.]
Infrastructure & hosting
Hosts our servers and database. [Name the provider and region; link its policy.]

We may also disclose data where required by law, to enforce our terms, or to protect the rights, safety, and security of our users and the Service.

05International transfers

Some providers process data outside the UK/EEA. Where that happens, we rely on appropriate safeguards such as UK International Data Transfer Agreements, the EU Standard Contractual Clauses, or an adequacy decision. [Confirm the actual transfer mechanism for each provider above — particularly any US-based processors — and reflect it here.]

06How long we keep data

We keep personal data only as long as necessary for the purposes above. Booking and transaction records are retained as required by financial and tax law [specify the retention period your obligations require]. Chat history is retained while your account is active [specify]. Waitlist data is kept until you ask us to remove it or you join the Service. Identity-verification records are retained by our payments partner under its own AML obligations.

07Your rights

Subject to applicable law, you have the right to access, correct, delete, or receive a portable copy of your personal data; to object to or restrict certain processing; and to withdraw consent where we rely on it. To exercise any of these, email privacy@agentrex.xyz. We will respond within the timeframe the law requires.

Because some of your data (identity verification, card transactions) is held by our payments partner as an independent controller, certain requests may need to be directed to them; we will help you do so.

If you are in the UK or EEA and believe we have mishandled your data, you may complain to your supervisory authority — in the UK, the Information Commissioner's Office (ICO) at ico.org.uk.

08Security

We use technical and organisational measures to protect your data, including encryption in transit, access controls, redaction of sensitive tokens from our logs, and storing only a hashed form of abuse-prevention identifiers. No system is perfectly secure, but we work to protect your information and to limit what we collect in the first place.

09Children

The Service is not directed to anyone under 18, and you must be at least 18 (and old enough to hold a payment card in your jurisdiction) to use it. We do not knowingly collect data from children.

10Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you in the app or by email. The "Last updated" date at the top reflects the current version.

11Contact

Questions about this policy or your data: privacy@agentrex.xyz.