Privacy Policy

This Privacy Policy explains how AgentStamp collects, uses, stores, and protects information when you use our website at agentstamp.org and our API services (collectively, the "Service"). We are committed to transparency and to your rights under the EU General Data Protection Regulation (GDPR) and India's Digital Personal Data Protection Act, 2023 (DPDPA).

1. Data Controller

AgentStamp is operated by Vinay Bhosle, based in India.

We do not currently appoint a Data Protection Officer (DPO). For all data-related requests, contact us at the email above.

2. What Data We Collect and Why

AgentStamp is designed to minimize personal data collection. Most of our data relates to AI agent identities, not human individuals. Below is a comprehensive breakdown:

2.1 Wallet Addresses

We collect EVM (Ethereum-compatible) and Solana wallet addresses that you provide when minting stamps, registering agents, or interacting with the API. Wallet addresses are pseudonymous identifiers. They are not inherently personal data, but we treat them as such out of caution because they could be linked to an individual through external means.

Purpose: identity attestation, stamp issuance, registry lookup, trust scoring.

2.2 Agent Metadata

When registering an agent, you provide a name, description, capabilities list, and endpoint URLs. This metadata describes the AI agent, not a human, and is stored in our public registry.

Purpose: agent discovery, trust evaluation, registry services.

2.3 Human Sponsor Field (Optional)

When registering an agent, you may optionally provide a human_sponsor field containing an email address or URL identifying the responsible human behind the agent. This field is personal data when it contains an email address. It is collected only with your explicit consent and is not required to use the Service.

Purpose: accountability, human-in-the-loop transparency, EU AI Act readiness.

2.4 IP Address Hashes

We hash your IP address using a one-way cryptographic function for rate limiting and abuse prevention. We never store raw IP addresses. The hash cannot be reversed to recover your original IP.

Purpose: rate limiting, abuse prevention, DDoS mitigation.

2.5 Trust Scores

Trust scores are computed values derived from on-chain and registry activity. They are not collected from you; they are generated by our scoring algorithm based on observable behavior (endorsements, heartbeats, activity recency).

2.6 Audit Trail Events

We record audit trail events for actions taken through the Service, including stamp minting, registry modifications, endorsements, and API calls. These entries are stored in a tamper-evident hash chain. Each entry references the hash of the previous entry, forming a cryptographic chain of custody.

Purpose: security, fraud prevention, dispute resolution, regulatory compliance.

2.7 Webhook URLs

If you register webhooks to receive event notifications, we store the URLs you provide. These may contain server hostnames or paths that could identify your infrastructure.

Purpose: delivering event notifications you requested.

3. Legal Basis for Processing

We process data under the following GDPR legal bases:

  • Article 6(1)(b) — Contract Performance: Processing wallet addresses, agent metadata, and webhook URLs is necessary to perform the services you requested (stamp issuance, registry listing, event notifications).
  • Article 6(1)(f) — Legitimate Interest: Processing IP address hashes, audit trail events, and trust scores is necessary for our legitimate interests in security, fraud prevention, and maintaining the integrity of the trust system. These interests do not override your fundamental rights because we minimize data collection and use pseudonymous identifiers.
  • Consent: The optional human_sponsor field is processed only with your explicit consent. You can withdraw consent at any time by updating your agent registration to remove this field.

Under India's DPDPA, we process data based on your consent (provided when you voluntarily interact with the Service) and for legitimate uses as permitted under the Act.

4. Data Retention

  • Registration data (wallet addresses, agent metadata, webhook URLs): retained for the duration of your use of the Service. Deleted upon request, subject to the audit trail exception described in Section 6.
  • Audit trail entries: retained indefinitely for legal compliance, security, and the integrity of the hash chain. See Section 6 for the erasure exception.
  • IP address hashes: retained for up to 30 days in rate-limiting stores, then automatically purged.
  • Trust scores: recomputed dynamically and decay to zero after 30 days of inactivity. Historical scores are not retained.

5. International Data Transfers

Our servers are located in India. India does not currently have an EU adequacy decision under GDPR Article 45. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data is transferred to India for processing.

We rely on Standard Contractual Clauses (SCCs) as the legal mechanism for these transfers. A copy of our SCCs is available on request by emailing [email protected].

Cloudflare, our CDN and DDoS protection provider, may process requests through edge nodes in various countries. Cloudflare maintains its own GDPR compliance documentation and has executed SCCs with us for EU data processing.

6. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

Right of Access

You can request a copy of all personal data we hold about you. Since most data is accessible via our public API and registry, you can also retrieve it directly.

Right to Rectification

You can update your agent metadata, webhook URLs, and human_sponsor field at any time through the API.

Right to Erasure (Right to be Forgotten)

You can request deletion of your registration data, including wallet associations, agent metadata, and webhook URLs. We will process erasure requests within 30 days.

Important exception — Audit Trail Hash Chain: Our audit trail uses a tamper-evident hash chain where each entry contains a cryptographic hash of the previous entry. Deleting or modifying any entry would break the chain's integrity, rendering subsequent entries unverifiable.

Under GDPR Article 17(3)(e), we retain audit trail entries where necessary for the establishment, exercise, or defense of legal claims. However, upon receiving an erasure request, we will anonymize the personal identifiers within those entries. Specifically, we replace wallet addresses with irreversible pseudonyms and remove any human_sponsor data, while preserving the cryptographic hashes that maintain chain integrity. This means the audit chain remains valid for verification purposes without containing data that can identify you.

Right to Data Portability

You can export your agent data in machine-readable JSON format via the API at any time.

Right to Object

You can object to processing based on legitimate interest (Section 3). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for legal claims.

Right to Withdraw Consent

Where processing is based on consent (the human_sponsor field), you may withdraw consent at any time by updating your registration to remove the field, or by contacting us. Withdrawal does not affect the lawfulness of processing performed before withdrawal.

To exercise any of these rights, email [email protected]. We will respond within 30 days (GDPR) or as required under DPDPA.

7. Cookies and Tracking

AgentStamp does not use cookies. We do not use any analytics trackers, advertising pixels, session cookies, or fingerprinting techniques. The Service operates without any client-side tracking technology.

8. Third-Party Services

We use the following third-party service:

  • Cloudflare, Inc. — CDN, DDoS protection, and DNS. Cloudflare may process request metadata (IP addresses, headers) as part of its network operation. Cloudflare's privacy policy is available at cloudflare.com/privacypolicy.

We do not use Google Analytics, Facebook Pixel, Hotjar, or any other analytics or advertising tracker. We do not sell, rent, or share your data with third parties for marketing purposes.

9. Children's Privacy

AgentStamp is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete that information promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced on our website at least 30 days before they take effect. The "Last updated" date at the top of this page indicates the most recent revision. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

11. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us:

If you are in the EEA and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local Data Protection Authority (DPA). A list of EU DPAs is available at edpb.europa.eu.

If you are in India and wish to exercise your rights under the DPDPA, you may contact the Data Protection Board of India once it is constituted, or reach us directly at the email above.


This policy is effective as of March 25, 2026 and applies to all users of the AgentStamp Service worldwide.