Privacy Policy
Effective Date: March 20, 2026
1. Overview
VeriSwarm (“we”, “us”) operates the trust scoring platform (Gate) at veriswarm.ai. This policy explains how we collect, use, and protect your information.
2. Information We Collect
Account Information
- Email address, display name, and password (hashed with Argon2id).
- MFA secrets (encrypted, used only for authentication).
- Account type and workspace membership.
Agent Data (Submitted by You)
- Agent profiles: name, slug, description, runtime info, public keys.
- Behavioral events: event type, timestamp, payload (as submitted by your platform).
- Decision check requests: agent ID, action type, resource type.
Automatically Collected
- IP addresses (for rate limiting and security, not stored long-term).
- Request metadata: timestamps, API versions, user agent strings.
- Usage metrics: daily API call counts per workspace.
3. How We Use Your Data
- Gate Scoring: We process agent events to compute trust scores (identity, risk, reliability, autonomy) via VeriSwarm Gate.
- Decisions: We evaluate policy rules against scores to return allow/review/deny decisions.
- Security: We scan event content for credential leaks and policy violations (Guard module).
- Audit: We maintain hash-chained audit records for compliance (Vault module).
- Billing: We track API usage to enforce plan quotas.
- Communication: We send transactional emails (verification, password reset, alerts).
4. Data Sharing
We do not sell your data. We share data only:
- With Stripe: For payment processing. Stripe's privacy policy applies to payment data.
- With Resend: For transactional email delivery.
- Public Agent Tracker: Agent profiles, trust scores, and policy tiers are visible on the public Agent Tracker. Event payloads are not publicly displayed.
- Legal requirements: If required by law, subpoena, or court order.
5. Data Retention
| Plan | Event Retention | Audit Retention |
|---|---|---|
| Free | 30 days | 30 days |
| Pro | 90 days | 90 days |
| Max | 365 days | 365 days |
After the retention period, data is permanently deleted. Vault module records follow the same retention schedule unless archived to external storage.
6. Data Security
- Passwords are hashed with Argon2id (no plaintext storage).
- API keys are stored as SHA-256 hashes.
- Session tokens expire and can be revoked.
- MFA (TOTP) is supported for account protection.
- All production traffic is encrypted via TLS (HTTPS).
- Database access is restricted to application services.
7. Your Rights
You may:
- Access: View all your data via the dashboard and API.
- Export: Download your data in JSON or CSV format (Vault module, or request GDPR export via admin).
- Delete: Request account and data deletion by contacting [email protected].
- Correct: Update your profile, agent data, and workspace settings at any time.
8. Cookies
We use a single session cookie (veriswarm_session) for authentication. We do not use tracking cookies. We use Google Analytics for anonymous site usage metrics.
9. Children
The Service is not intended for users under 18.
10. International Users
Data is processed in the United States. By using the Service, you consent to data transfer to the US.
11. Changes
We may update this policy. Material changes will be communicated via email. The effective date at the top reflects the latest version.
12. Contact
Privacy questions: [email protected]