Privacy Policy | AGIRAILS

1. Introduction

AGIRAILS Inc. ("AGIRAILS", "we", "us", or "our") is a Delaware C-Corporation that operates the Agent Commerce Transaction Protocol (ACTP) infrastructure platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

Our Services include:

AGIRAILS SDK (TypeScript, Python)
AGIRAILS CLI
Web Dashboard
n8n Community Node
Smart contracts deployed on blockchain networks
Documentation website (with AI assistant)

By using our services, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Information You Provide

Data Type	Purpose	Storage
Email address	Account creation, communication, support	Off-chain (encrypted)
Wallet address	Transaction execution, identity verification	On-chain (public)
Organization name	Enterprise accounts, billing	Off-chain
API keys	Service authentication	Off-chain (hashed)

2.2 Information Collected Automatically

Data Type	Purpose	Storage
Transaction data	Protocol execution, escrow, settlements	On-chain (public)
Attestations	Reputation scoring, trust verification	On-chain (public)
Usage analytics	Service improvement, debugging	Off-chain
IP address	Security, fraud prevention	Off-chain (anonymized)
Device information	Compatibility, support	Off-chain

2.3 Blockchain Data (Important Notice)

When you use AGIRAILS, certain data is recorded on public blockchain networks (Base, Ethereum).

This includes:

Wallet addresses
Transaction amounts and timestamps
State transitions (INITIATED, COMMITTED, DELIVERED, SETTLED, etc.)
Cryptographic attestations (reputation proofs)
Escrow deposits and releases

This data is:

Public - Viewable by anyone with blockchain access
Immutable - Cannot be modified or deleted once recorded
Permanent - Will exist as long as the blockchain exists

We cannot delete, modify, or restrict access to on-chain data. By using AGIRAILS, you acknowledge and accept this fundamental characteristic of blockchain technology.

3. How We Use Your Information

We use collected information to:

Purpose	Legal Basis
Provide and maintain our services	Contract performance
Process transactions and settlements	Contract performance
Send service-related communications	Legitimate interest
Provide customer support	Contract performance
Detect and prevent fraud	Legitimate interest
Improve our services	Legitimate interest
Comply with legal obligations	Legal requirement
Generate anonymized analytics	Legitimate interest

We do not:

Sell your personal data to third parties
Use your data for advertising purposes
Share your email with marketing partners

4. Information Sharing and Disclosure

We may share your information with:

4.1 Service Providers

We use the following third-party service providers:

Provider	Purpose	Data Shared	Privacy Policy
Vercel	Hosting, CDN	Usage logs, IP	vercel.com/privacy
Groq	AI Assistant (LLM)	Documentation queries	groq.com/privacy
Upstash	Vector database (RAG)	Indexed documentation	upstash.com/privacy
PostHog	Analytics	Anonymized usage	posthog.com/privacy

Enterprise customers may request a Data Processing Agreement (DPA) at our contact page.

4.2 Blockchain Networks

Transaction data is broadcast to and stored on public blockchain networks. This is inherent to the service and not a "sharing" decision - it is how the protocol functions.

4.3 Legal Requirements

We may disclose information when required by:

Court orders or subpoenas
Regulatory requirements
Law enforcement requests
Protection of rights and safety

4.4 Business Transfers

In the event of merger, acquisition, or asset sale, user information may be transferred as part of business assets.

5. Data Security

We implement industry-standard security measures:

Measure	Description
Encryption	TLS 1.3 for data in transit, AES-256 for data at rest
Access control	Role-based access, principle of least privilege
API security	Rate limiting, API key rotation
Smart contract security	Third-party audits, bug bounty program
Monitoring	24/7 security monitoring and alerting

Private keys: We never have access to your private keys. Wallet connections use standard Web3 protocols (WalletConnect, injected providers) that do not expose private keys.

Data Breach Notification: In the event of a data breach involving personal information, we will notify affected users within 72 hours of discovery, as required by GDPR. Notification will include the nature of the breach, data affected, and remediation steps.

6. Data Retention

Data Type	Retention Period	Reason
Account data	Until account deletion + 30 days	Service provision
Transaction logs	7 years	Regulatory compliance
Analytics data	2 years (anonymized)	Service improvement
Support tickets	3 years	Quality assurance
Blockchain data	Permanent	Immutable by design

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

7.1 General Rights (All Users)

Access - Request a copy of your personal data
Correction - Request correction of inaccurate data
Deletion - Request deletion of off-chain data
Portability - Receive your data in a portable format
Objection - Object to certain processing activities
Withdrawal - Withdraw consent where applicable

7.2 Blockchain Data Limitations

We cannot fulfill deletion or modification requests for on-chain data. This includes:

Transaction records
Wallet addresses in transaction history
Attestations and reputation proofs

This is a technical limitation of blockchain technology, not a policy choice.

7.3 Exercising Your Rights

To exercise your rights, visit our Contact page. Response time: Within 30 days.

8. International Data Transfers

AGIRAILS is based in the United States. If you access our services from outside the US, your data may be transferred to and processed in the US.

We implement appropriate safeguards for international transfers:

EU Standard Contractual Clauses (SCCs) - We use the 2021 version approved by the European Commission (Decision 2021/914)
Data Processing Agreements - Available upon request for enterprise customers
Transfer Impact Assessments - Conducted for high-risk data transfers; available upon request
Encryption - All data encrypted in transit (TLS 1.3) and at rest (AES-256)

9. Children's Privacy

AGIRAILS services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we discover we have collected data from a child, we will delete it promptly.

10. Future KYC/KYA Requirements

As regulatory requirements evolve, we may implement Know Your Customer (KYC) and Know Your Agent (KYA) verification processes. If implemented, this policy will be updated to reflect:

Additional data collected (government ID, biometrics, etc.)
Third-party verification providers used
Retention periods for verification data
Additional rights and protections

We will provide notice before any KYC/KYA requirements become effective.

11. Third-Party Links and Services

Our services may contain links to third-party websites or integrate with third-party services (blockchain explorers, wallet providers, etc.). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date.

For material changes, we will:

Notify you via email (if we have your email)
Display a prominent notice in our services
Provide 30 days notice before changes take effect

13. Contact Us

For privacy-related inquiries, please visit our Contact page.

AGIRAILS Inc.

14. Jurisdiction-Specific Provisions

14.1 European Economic Area (EEA) / UK

If GDPR applies to you:

Data Controller: AGIRAILS Inc.
Legal Basis: Contract performance, legitimate interest, consent (where applicable)
Supervisory Authority: You have the right to lodge a complaint with your local data protection authority

14.2 California (CCPA)

If you are a California resident:

You have the right to know what personal information we collect
You have the right to request deletion of personal information
You have the right to opt-out of "sale" of personal information (we do not sell personal information)
You will not receive discriminatory treatment for exercising your rights

14.3 Other Jurisdictions

We comply with applicable privacy laws in jurisdictions where we operate. Contact us for jurisdiction-specific inquiries.

15. Cookies and Tracking Technologies

15.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website or use our dashboard. We use cookies and similar technologies to provide, secure, and improve our services.

15.2 Types of Cookies We Use

Cookie Type	Purpose	Duration	Required
Essential	Authentication, security, load balancing	Session	Yes
Functional	User preferences, language settings	1 year	No
Analytics	Usage patterns, performance metrics	2 years	No

15.3 Third-Party Cookies

Provider	Purpose	Opt-Out
Vercel Analytics	Performance monitoring	Disabled via cookie settings
PostHog	Product analytics	posthog.com/privacy

15.4 Managing Cookies

You can control cookies through:

Browser settings - Most browsers allow you to block or delete cookies
Our cookie banner - Select your preferences when first visiting our site
Opt-out links - Use provider-specific opt-out mechanisms listed above

Note: Blocking essential cookies may prevent you from using certain features of our services.

15.5 Do Not Track

Our services do not currently respond to "Do Not Track" (DNT) browser signals. We honor cookie preferences set through our cookie banner instead.