Privacy & Data Retention
Effective July 13, 2026
What we collect on each request
- Timestamp, request path/method, processing latency
- IP address and approximate geography (country/city, via Cloudflare)
- Request headers (excluding cookies, authorization, and raw payment signatures)
- Payer wallet address, payment nonce, network, and settlement transaction hash
- Receipt email — only if you voluntarily provide one
What we never collect
- Card numbers or bank details — none exist in this flow. Payment authorization is a signed on-chain transfer handled by the x402 facilitator; settlement occurs on a public blockchain. PCI-scope data never touches our systems.
- Private keys or wallet credentials — your agent signs locally; we only ever see the public authorization.
Why we collect it
To return your diagnostic report, to detect abuse, and for aggregate analytics on how agentic payments are being adopted (request volumes, geography, client stacks). Aggregates may be published; individual records are not sold or shared.
Retention
Request records are retained for up to 24 months, then deleted or irreversibly aggregated. Receipt emails are used to send your receipt and retained with the transaction record.
Security posture
TLS on every connection, encrypted tunnel to origin, least-privilege datastore access, and tamper-evident (hash-chained) request logging. Questions or deletion requests: contact us.