Privacy

Effective May 23, 2026

The short version: we collect the store URL you audit, your email (for verification), your IP, and your user-agent. We use them to run the audit and email you a one-time code — nothing else. No tracking cookies, no ads, no resale. Email hello@serafimtech.io any time to delete what we have.

1. Who we are

agentfit (“we,” “us”) is a free agent-readiness diagnostic for Shopify merchants, operated by Serafim Tech from the European Union. Contact: hello@serafimtech.io.

2. What we collect

When you submit the form on the landing page, we receive:

The Shopify store URL you typed (the URL we audit)
Your IP address
Your browser user-agent
A timestamp
A Cloudflare Turnstile token (used once and discarded — see §4)

When you proceed to verification we additionally collect:

The email address you enter
A 6-digit verification code we email to that address (stored on the session, expires after 15 minutes)

When you run the audit, we also store the resulting report (probe results, score, top fixes) so you can revisit /audit/<slug>/ without re-running.

If you email us directly, we store the contents of that conversation as long as it’s an active thread.

We do not run analytics, advertising pixels, or session-replay tools. The site does not set cookies. Standard server logs (CloudFront access logs) are automatically deleted after 90 days.

3. Why we collect it

Store URL — to fetch your UCP profile and run live MCP probes against the endpoint declared there.
Email — to send the one-time code and confirm the audit is being requested by a real person, not a bot scraping the diagnostic.
IP & user-agent — rate limiting and abuse detection. Kept only to investigate suspicious patterns.
Audit report — lets you reload your report URL without re-running every probe (the live MCP calls cost both us and your store latency).

4. Third parties

We use a small number of third-party services to run the site and the audit:

Amazon Web Services (us-east-1) — hosts the static site, the audit Lambda, and the S3 storage for session + audit data.
Cloudflare Turnstile — bot-protection challenge on the landing form. Cloudflare may set a short-lived cookie scoped to challenges.cloudflare.com to remember that you passed the check. See Cloudflare’s privacy policy.
Resend — delivers the verification email containing your 6-digit code. See Resend’s privacy policy.
Shopify (the merchant’s storefront) — to run live probes we make HTTPS calls to {store}.myshopify.com/.well-known/ucp and the MCP endpoint advertised there. These calls identify us via a UCP agent profile, never carry your email, and follow the public UCP/MCP protocol.

We do not share, sell, rent, or trade your data with any third party for marketing or advertising.

5. How long we keep it

Session JSON (your URL + email + verification code) — 24 hours, then auto-deleted by the bucket lifecycle rule.
Audit report — 90 days, then auto-deleted. After that, re-running is free.
CloudFront access logs — 90 days.
Email correspondence — as long as the thread is active.

6. Your rights

You can ask us at any time to:

Tell you what data we hold about you
Correct anything that’s wrong
Delete it
Export it in a machine-readable format

Email hello@serafimtech.io with the subject line “data request” and we’ll respond within 30 days. If you’re in the EU/EEA, you also have the right to lodge a complaint with your local data-protection authority.

7. Children

agentfit is a B2B tool for Shopify merchants. The site isn’t directed at anyone under 16 and we don’t knowingly collect data from minors.

8. Changes

We’ll update this page when we change anything material and bump the effective date at the top. If a change materially affects audits you’ve already run, we’ll also email anyone whose audit report is still inside the 90-day retention window.