Privacy Policy

Draft — pending legal review. Not yet in effect. This text is a working draft prepared for the operator's legal counsel. It is not legal advice and is not a binding policy. Bracketed [PLACEHOLDER] items must be completed and the whole document reviewed by a qualified attorney before it is published or relied upon.

Effective date: [PLACEHOLDER: effective date — not in effect until set]. Last updated: [PLACEHOLDER: draft date].

Overview

Sigildex ("Sigildex", "we", "us") operates a headless skill-discovery and verification API for AI agents. There are no user accounts, no logins, and no user profiles. We have designed the service to collect as little personal data as possible. This policy explains what the service receives when an agent calls it, why, who processes it, and how long we keep it.

This policy is published by [PLACEHOLDER: legal entity name], located at [PLACEHOLDER: registered address]. For privacy questions, contact us at [PLACEHOLDER: contact email] (pre-launch: security@sigildex.ai).

What we collect, and why

Sigildex is an API. "Identity" on the service is your calling wallet address (only present on paid requests) plus your IP address (used for the free tier and rate limiting). We do not ask for, and the service does not handle, names, email addresses, passwords, or payment-card data. The complete list of data the service receives is:

• IP address — received with every request. Used to enforce the per-IP free tier (50 discovery workflows/day per IP), to apply rate limits, and to detect and prevent abuse. The IP address functions as the free-tier identifier.
• Query text — the natural-language query you submit to /discover. We log query text to operate the service, return relevant results, debug, and improve ranking quality. Do not include personal, confidential, or sensitive information in query text; treat it as logged operational data.
• Wallet address — the EVM wallet address used to authorize a paid request via the x402 protocol. It is present only when you make a paid request (the free tier requires no wallet). It is recorded to associate the request with its on-chain payment and to operate payment, accounting, and abuse-prevention.
• Standard HTTP request logs — ordinary server logs such as timestamp, requested endpoint, HTTP method, response status, user-agent string, and request identifiers. Used to operate, secure, and troubleshoot the service.

We do not use cookies, web beacons, browser fingerprinting, or third-party advertising/analytics trackers. Because there are no accounts, we hold no login credentials.

Why we are allowed to process this (legal basis)

Where a lawful-basis framework such as the EU/UK GDPR applies, we rely on our legitimate interests in operating, securing, and improving the service (for example, enforcing rate limits, preventing abuse, and maintaining ranking quality), and on the performance of the service you request when you call a paid endpoint (processing the wallet address and request needed to settle your payment). We do not use this data for advertising or profiling of individuals. [PLACEHOLDER: confirm lawful-basis framing and any region-specific disclosures with counsel.]

We do not sell your data

We do not sell, rent, or trade personal data, and we do not share it for cross-context behavioral advertising. We do not build advertising profiles.

Service providers and third parties

We use a small number of third parties to run the service. They process data only as needed to provide their function:

• Hosting / infrastructure — Vercel. Serves the API and static site; processes request data and logs as our hosting provider.
• Payment facilitator — Coinbase Developer Platform (CDP). Facilitates settlement of x402 payments in USDC on the Base network. Receives payment-related data necessary to verify and settle a paid request. See "Payments" below.
• Indexed-source platforms — e.g. GitHub. When the service surfaces a result, it links back to the original public source. Following such a link takes you to a third-party platform governed by that platform's own privacy policy. We index publicly available content from these platforms; we do not transmit your IP, query, or wallet address to them as part of indexing.

We may also disclose data if required by law, to respond to lawful requests, or to protect the rights, safety, and security of the service, our users, or the public.

Payments and the blockchain

Paid requests use the x402 protocol and settle in USDC on the Base network (chain eip155:8453). Settlement is performed by a third-party facilitator (Coinbase CDP). Sigildex is non-custodial — we do not hold user funds beyond what is required to settle an individual request. Please note that public blockchains are, by design, permanent and publicly visible: an on-chain payment and its associated wallet address are recorded on the Base network outside our control and cannot be edited or deleted by us. The free tier requires no wallet and creates no on-chain record.

How long we keep data

We retain query text and request logs for approximately [PLACEHOLDER: log-retention period, e.g. 30–90 days], after which they are deleted or aggregated/anonymized for trend and quality analysis. Records reasonably required for payment, accounting, security, fraud-prevention, or legal-compliance purposes may be retained for [PLACEHOLDER: longer retention period for payment/compliance records]. On-chain payment records are permanent and outside our control (see "Payments").

Security

We use reasonable technical and organizational measures appropriate to a minimal-data service to protect the data we hold. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

Your choices and rights

Because the service holds no account and minimal data, the most reliable way to limit what we receive is to send fewer or less-identifying requests, and to avoid placing personal information in query text. Depending on your location, you may have rights to access, correct, or delete personal data, or to object to certain processing. Note that an IP address or wallet address alone may not let us reliably identify or locate your data, and on-chain records cannot be deleted by us. To make a request, contact [PLACEHOLDER: contact email]. [PLACEHOLDER: confirm applicable data-subject rights, verification steps, and response timelines with counsel.]

Children's data

Sigildex is a developer/agent API and is not directed to children, and it is not intended for use by children under [PLACEHOLDER: minimum age, e.g. 13 / 16 per jurisdiction]. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will take appropriate steps.

International users

The service and its providers may process and store data in [PLACEHOLDER: hosting/processing region(s)], which may be outside your country. By using the service you understand that data may be transferred to and processed in those locations. [PLACEHOLDER: confirm cross-border transfer mechanisms with counsel if EU/UK data is in scope.]

Changes to this policy

We may update this policy as the service evolves. Material changes will be reflected by updating the "Last updated" date above and, where appropriate, by additional notice. Continued use after an update constitutes acceptance of the revised policy.

Contact

Privacy questions or requests: [PLACEHOLDER: contact email] (pre-launch: security@sigildex.ai). More contact options: sigildex.ai/about.