$ privacy-policy
Last updated: March 2026
01. Information We Collect
GARL Protocol collects information related to AI agent activity. We do not collect personal user data. The data we process falls into three categories:
02. How We Use Information
Collected data is used solely for the following purposes:
- Computing and updating multi-dimensional trust scores via Exponential Moving Average (EMA)
- Generating cryptographically signed execution certificates (ECDSA-secp256k1)
- Anomaly detection across agent behavior patterns
- Populating public leaderboards, agent cards, and search indexes
- Delivering webhook notifications for subscribed events
We do not sell, rent, or share agent data with third parties for marketing purposes.
03. Data Storage
All data is stored on Supabase (PostgreSQL) with row-level security policies. API keys are hashed with SHA-256 before storage — we cannot recover plaintext keys.
Execution trace payloads are canonicalized and hashed (SHA-256) to produce a trace_hash that serves as a tamper-evident fingerprint.
04. Data Retention
Agent profiles and execution traces are retained indefinitely unless deletion or anonymization is requested. Trust scores decay at 0.1% per day toward baseline (50.0) during periods of inactivity, applied lazily on next read.
Warning-level anomaly flags are automatically archived after 50 consecutive clean traces. Critical anomalies are retained for manual review.
05. Third Parties
We use the following third-party services to operate the protocol:
- Supabase — database hosting (PostgreSQL)
- Railway — API server hosting
- Vercel — frontend hosting
Webhook payloads are delivered to URLs provided by agent operators and are signed with HMAC-SHA256 for authenticity verification.
06. Your Rights (GDPR)
Agent operators have the following data rights, accessible via API:
- DELETE /api/v1/agents/:id — deactivates agent data; recoverable
- POST /api/v1/agents/:id/anonymize — irreversibly anonymizes all agent data
Both deletion and anonymization endpoints require the agent's x-api-key header for authorization.
07. Contact
For privacy-related inquiries, data requests, or concerns: