Privacy Policy
How AEOESS, Inc. collects, uses, shares, and protects personal data when you use the Agent Passport System hosted gateway, the SDK, the website, or any related service.
1. Who we are
AEOESS, Inc. (“AEOESS”, “we”, “us”) is a Delaware corporation operating the Agent Passport System (“APS”) hosted gateway at gateway.aeoess.com, the website at aeoess.com, and related services (collectively, the “Service”). For purposes of the EU General Data Protection Regulation (“GDPR”), AEOESS is the data controller for the personal data described in this policy, except where we act as a processor on behalf of a paying customer (in which case the customer is the controller and we are the processor under a Data Processing Addendum).
Registered office: Delaware, United States. Contact details for privacy matters are in section 13.
2. What personal data we collect
2.1 Information you provide
- Account data. Email address, name, and (if you set one) password. Stored as a salted bcrypt hash; we never store the plaintext password.
- Authentication data. If you sign in via GitHub OAuth, we receive your GitHub user identifier, login, name, and verified email addresses.
- Billing data. When you subscribe to a paid plan, our payment processor (Stripe) collects your payment method and billing address. We receive a Stripe customer ID and subscription metadata; we do not store full card numbers.
- Support and correspondence. If you email us, contact us through the site, or open a support ticket, we keep the contents of that correspondence and any contact details you supply.
2.2 Information generated by use of the Service
- Tenant operational data. Agents, delegations, policy evaluations, signed receipts, revocations, audit log entries, and other records you create when you use the Service. This is the data the Service is designed to produce; it includes identifiers and metadata you supply, plus signed cryptographic evidence we generate.
- API and request logs. IP address, user-agent string, request paths, response codes, timing, and rate-limit counters. Retained for security, abuse prevention, and capacity planning.
- Webhook events. Payment events from Stripe are stored to ensure idempotent processing.
2.3 Information from third parties
- Stripe. Subscription status, customer ID, payment events.
- GitHub. Profile and verified email addresses if you authenticate via GitHub.
- Email delivery providers. Bounce, complaint, and delivery telemetry from our transactional-email vendor (Resend).
2.4 What we do not collect
We do not collect special-category personal data (race, ethnicity, religion, health, biometric, sexual orientation), and we do not knowingly collect personal data from children under 16. We do not buy personal data from data brokers, and we do not enrich your contact record with third-party behavioural profiles.
3. How we use personal data
- Provide the Service. Authenticate you, run policy evaluations on your behalf, store and surface receipts and audit logs, deliver email notifications, support integrations (Stripe Issuing, MCP, etc.).
- Billing and accounting. Charge subscriptions, generate invoices and receipts, comply with tax and accounting law.
- Security and abuse prevention. Detect credential stuffing, rate-limit by IP, investigate suspected misuse, respond to incidents.
- Service improvement. Diagnose errors, measure performance, plan capacity. Where we use aggregate statistics publicly, we do so only on counts that cannot reasonably identify a tenant.
- Communications. Send transactional email (signup welcome, password reset, payment receipt, security alerts) and, only if you have not opted out, occasional product updates.
- Legal compliance. Respond to lawful requests, enforce our terms, defend or assert legal claims.
We do not use your operational data — agents you register, evaluations you run, receipts emitted on your behalf — to train AI models, sell to third parties, or share with other tenants. Your operational data is yours.
4. Legal basis for processing (GDPR)
Where GDPR applies, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)) — for account, billing, and Service operation data.
- Legitimate interests (Art. 6(1)(f)) — for security telemetry, abuse prevention, and limited operational analytics. Our legitimate interest is in keeping the Service available and reliable; this is balanced against your privacy interests, and we minimise data accordingly.
- Consent (Art. 6(1)(a)) — for optional product-update emails. You can withdraw consent at any time by unsubscribing.
- Legal obligation (Art. 6(1)(c)) — for retention required by tax, accounting, or sanctions law.
5. Who we share data with
We share personal data only with the categories of recipients listed below, and only for the purposes stated. We do not sell personal data.
- Stripe, Inc. — payment processing. Subject to Stripe’s privacy policy.
- Resend, Inc. — transactional email delivery. The email contents and recipient address are transmitted to Resend at send time.
- Railway Corp. — application hosting. Operational data sits on Railway-managed infrastructure under a contractual security commitment.
- GitHub, Inc. — only if you authenticate via GitHub OAuth.
- Cloudflare, Inc. — DNS and edge routing. May see IP-level request metadata.
- Professional advisors — accountants and legal counsel, under confidentiality, when necessary.
- Authorities — to comply with lawful orders, subpoenas, or to defend our rights. We will narrow disclosure to what is legally required and, where lawful, notify the affected user.
- Successor entities — in the event of merger, acquisition, or asset sale, your data may be transferred to the successor under no less protective terms than this policy.
We do not share personal data with advertising networks or analytics vendors that profile users across sites.
6. How long we keep it
- Active account data. Retained for the life of the account.
- Receipts and audit records. Retained for the period stated in your plan (1 year on Production, up to 7 years on Enterprise). After the live-querying window expires, receipts remain cryptographically verifiable against the public spec, but are no longer indexed in the Service.
- Closed accounts. Within 30 days of account closure, we delete personal data not subject to a legal-retention obligation. We retain a minimal record (email, account ID, deletion date) for fraud prevention and audit purposes for up to 24 months.
- Backups. Backups may retain copies of deleted data for up to 90 days before being overwritten by retention rotation.
- Tax and accounting records. Retained for the period required by US tax law (currently seven years).
7. How we protect personal data
We take commercially reasonable technical and organisational measures, including:
- TLS 1.2 or higher for all data in transit. HSTS enabled on the public domain.
- Encryption at rest on the managed database volume.
- API keys stored as SHA-256 hashes; passwords stored as bcrypt hashes at cost factor 12.
- Cryptographically signed receipts (Ed25519, RFC 8785 JCS canonicalisation) for every policy evaluation, so tampering is detectable post hoc.
- Single-use, time-limited tokens for password reset and email verification.
- Per-IP rate limiting on every authentication endpoint and webhook receiver.
- Least-privilege access controls on the production database; access logged and audited.
- Strict-by-default Content Security Policy on the dashboard surface.
- Stripe webhook signature verification before any state change.
No system is impenetrable. If we become aware of a personal-data breach affecting you, we will notify you without undue delay and in any event consistent with applicable law (in the EU, within 72 hours of becoming aware where required).
8. Your rights
Depending on where you live, you have the following rights regarding your personal data. We will respond to verified requests within 30 days, or as required by applicable law.
- Access. Request a copy of personal data we hold about you.
- Rectification. Correct inaccurate personal data.
- Erasure. Delete personal data where we no longer have a legal basis to keep it.
- Restriction. Restrict processing in specified circumstances.
- Portability. Receive your data in a structured, machine-readable format. Tenant operational data is already exportable through the audit log CSV download in the dashboard.
- Objection. Object to processing based on legitimate interests, including direct marketing.
- Withdraw consent. Where processing relies on consent, withdraw it at any time without affecting prior lawful processing.
- Lodge a complaint. EU/EEA residents may lodge a complaint with a supervisory authority. California residents have rights under the CCPA / CPRA, including the right to know, delete, correct, and opt out of sale or sharing. We do not sell personal data and do not engage in cross-context behavioural advertising as defined under the CCPA.
To exercise any of these rights, email [email protected]. We may need to verify your identity before fulfilling a request.
9. International data transfers
Our primary infrastructure is in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. For transfers of personal data subject to GDPR or UK GDPR, we rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum where applicable) with our processors. A list of our subprocessors and the legal basis for each transfer is available on request.
10. Cookies and tracking
The website and dashboard use a small number of first-party cookies and local-storage entries strictly necessary for the Service (session state, your API key in localStorage on the dashboard, CSRF protection on payment flows). We do not use third-party advertising or cross-site tracking cookies. We do not deploy a consent banner because we do not set non-essential cookies; if that changes, we will add appropriate consent controls.
11. Children
The Service is not directed to and is not intended for individuals under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact [email protected] and we will delete it.
12. Changes to this policy
We may update this policy from time to time. The effective date at the top of the page reflects the current version. Material changes will be announced to account-holders via email at the address on file at least 14 days before the new version takes effect, except where a shorter notice period is required by law or by an imminent security need.
13. Contact
Privacy questions, data-subject requests, and complaints:
[email protected]
General contact: [email protected]
Postal address: available on request from the email above.
EU representative under Art. 27 GDPR: to be appointed; current users in the EU should contact [email protected] while the representative is named.