Privacy Policy

1.1 Data Controller. Phanes is the data controller for personal information collected through phanes.app and the Cloud Service. For self-hosted AEOS Protocol deployments, the deploying organization is the data controller; the Company has no access to data processed in self-hosted environments.

1.2 Scope. This Policy covers: (a) the phanes.app marketing website; (b) the Cloud Service and Enterprise managed infrastructure; (c) developer interactions with the REST API, SDKs, and MCP Server via the Cloud Service; and (d) communications with us via email, LinkedIn, Discord, or Twitter/X. It does not cover self-hosted deployments, which are governed by the deployer's own privacy practices.

2.1 Information You Provide Directly.

• Account Information: When you create a Cloud or Enterprise account, we collect your name, email address, organization name, and billing information (processed by Stripe; we do not store full payment card numbers).
• API Key Registration: When you generate API keys, we store a hashed representation of the key, the associated account, creation timestamp, and permission scopes.
• Communications: When you contact us via email (hossainmdtofael1@gmail.com, cloud@phanes.app, sales@phanes.app, spp@sigmapointpi.com), LinkedIn, Discord, or Twitter/X, we collect the content of your communications.
• Job Applications: If you apply for a position, we collect your name, email address, resume, LinkedIn profile, and any information you voluntarily provide.

2.2 Information Collected Automatically.

• Log Data: When you access phanes.app or the Cloud API, our servers may automatically record your IP address, browser type, operating system, referring URL, pages visited, timestamps, and request metadata.
• API Usage Telemetry: For Cloud Service users, we collect API endpoint, request timestamp, response latency, error codes, and rate-limit consumption. We do not log the content of API request or response bodies unless explicitly required for debugging with your consent.
• Device Information: Device type, screen resolution, language preference, and timezone offset for website analytics.

2.3 Information from Third Parties.

• Stripe: For billing and settlement, Stripe provides us with transaction confirmations, payment status, and billing address. See Stripe's Privacy Policy.
• Blockchain Networks: USDC settlement data (transaction hashes, wallet addresses, amounts) on public blockchains (Ethereum, Base, Arbitrum, Polygon) is inherently public and not within our control.

The AEOS Protocol processes several categories of data specific to AI agent operations. In Cloud deployments, the Company processes this data on your behalf:

Selective Disclosure. The AEOS Protocol supports selective disclosure via Pedersen commitments and Merkle membership proofs. Agents can prove specific attributes (e.g., "authorized to transact up to $50,000") without revealing their full identity, capability set, or transaction history. This privacy-preserving capability is a protocol-level feature, not a Company service.

We use the information we collect for the following purposes:

• Service Delivery: To provide, maintain, and improve the Cloud Service, REST API, MCP Server, and developer tools.
• Protocol Operations: To process agent registrations, execute contracts, manage escrow, run dispute resolution, compute risk scores, and maintain the immutable ledger (Cloud deployments only).
• Settlement Processing: To facilitate Stripe and USDC settlement, including authorization, capture, refund, and reconciliation.
• Security & Risk: To detect and prevent fraud, unauthorized access, abuse, and protocol-level threats (including Sybil attacks, behavioral drift, and consensus disruption).
• Analytics: To understand usage patterns, improve performance, and inform product development. Analytics are aggregated and do not identify individual users.
• Communications: To respond to your inquiries, provide technical support, send service-critical notifications, and (with your consent) share product updates.
• Legal & Compliance: To comply with applicable laws, respond to lawful requests, enforce our Terms of Service, and protect our rights and the rights of others.
• Hiring: To evaluate job applications submitted through our careers page.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

• Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Services you requested, including account management, API access, settlement processing, and protocol operations.
• Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate interests in operating, securing, and improving the Services, conducting analytics, preventing fraud, and enforcing our Terms, provided such interests are not overridden by your fundamental rights.
• Consent (Art. 6(1)(a)): Where you have given explicit consent, such as for marketing communications. You may withdraw consent at any time.
• Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with applicable laws, including tax reporting, sanctions screening, and responding to valid legal process.

We do not sell your personal information. We share information only in the following circumstances:

• Service Providers: With vendors who process data on our behalf (hosting, payment processing, analytics), subject to contractual data processing agreements that restrict their use of your data.
• Settlement Partners: With Stripe for fiat settlement processing. With blockchain networks for USDC settlement (note: on-chain transactions are publicly visible).
• Protocol Participants: In the course of AEOS Protocol operations, certain data is shared with counterparties as required by the protocol (e.g., public keys for contract signing, evidence during dispute resolution, Merkle proofs for verification). This sharing is inherent to protocol functionality.
• Legal Requirements: When required by law, regulation, court order, subpoena, or other lawful process, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
• Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the successor entity. We will notify you of any such transfer and any changes to this Policy.
• With Your Consent: In any other circumstances where you have given explicit consent to sharing.

The Services integrate with or link to third-party services that have their own privacy policies:

• Stripe — Payment processing and fiat settlement. stripe.com/privacy
• GitHub — Source code hosting, issue tracking, CI/CD. GitHub Privacy Statement
• Discord — Community communication. discord.com/privacy
• LinkedIn — Professional networking and hiring. LinkedIn Privacy Policy
• Twitter/X — Social media. X Privacy Policy
• Ethereum, Base, Arbitrum, Polygon — Blockchain networks for USDC settlement. On-chain data is public and immutable; we do not control data published to public blockchains.

We encourage you to review the privacy policies of these third-party services before using them.

8.1 Transfer Mechanisms. If you are located outside the United States, your information may be transferred to and processed in the United States. For transfers from the EEA, UK, or Switzerland, we rely on: (a) Standard Contractual Clauses (SCCs) approved by the European Commission; (b) the UK International Data Transfer Addendum; or (c) other lawful transfer mechanisms as applicable.

8.2 EU-U.S. Data Privacy Framework. We are committed to complying with applicable data transfer frameworks. If the EU-U.S. Data Privacy Framework is applicable to our processing, we will self-certify compliance.

8.3 Blockchain Data. USDC settlement transactions are published to public, globally distributed blockchain networks. By initiating on-chain settlement, you acknowledge that transaction data will be replicated across nodes in multiple jurisdictions and cannot be deleted or restricted by geography.

9.1 General. We retain personal information for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements.

9.2 Specific Periods.

• Account data: Duration of your account plus 30 days for data export, then deleted per our retention schedule.
• API logs: 90 days for operational purposes; aggregated analytics retained indefinitely.
• Settlement records: 7 years to comply with financial record-keeping requirements (26 U.S.C. § 6001; IRS Rev. Proc. 98-25).
• Communications: Duration of the business relationship plus 3 years.
• Job applications: 2 years from submission date, unless you request earlier deletion.
• Ledger data: See Section 16 (Immutable Ledger).

10.1 Measures. We implement administrative, technical, and physical safeguards designed to protect information, including: encryption in transit (TLS 1.3) and at rest (AES-256-GCM), Ed25519 cryptographic authentication at every API boundary, role-based access controls, regular security assessments, and incident response procedures.

10.2 Protocol Security. The AEOS Protocol has undergone a security audit (v0.1) covering cryptographic primitives, identity management, contract execution, dispute resolution, risk engine, ML anomaly detection, BFT consensus, and settlement integration. The audit found zero critical vulnerabilities. The full audit report is available at phanes.app/audit.

10.3 Limitations. No security system is impenetrable. We cannot guarantee absolute security. You are responsible for securing your own credentials, private keys, and deployment environment.

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Rectification: Request correction of inaccurate or incomplete information.
• Erasure: Request deletion of your personal information, subject to legal retention requirements and the immutability constraints described in Section 16.
• Restriction: Request that we restrict processing of your information in certain circumstances.
• Portability: Request a machine-readable copy of your personal information.
• Objection: Object to processing based on legitimate interests.
• Withdrawal of Consent: Withdraw consent at any time where processing is based on consent.
• Complaint: Lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at hossainmdtofael1@gmail.com. We will respond within 30 days (or the period required by applicable law). We may require verification of your identity before processing your request.

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) provides you with additional rights:

• Right to Know: You may request the categories and specific pieces of personal information we have collected, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share.
• Right to Delete: You may request deletion of personal information, subject to statutory exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt Out of Sale/Sharing: We do not sell personal information as defined under the CCPA/CPRA. We do not share personal information for cross-context behavioral advertising.
• Right to Limit Use of Sensitive Personal Information: We only use sensitive personal information (if any) for purposes permitted under the CCPA/CPRA.
• Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

To submit a CCPA/CPRA request, contact us at hossainmdtofael1@gmail.com. We will verify your identity and respond within 45 days.

The Services are not directed to individuals under the age of 18 (or the age of majority in the applicable jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete such information promptly. If you believe we have collected information from a child, please contact us at hossainmdtofael1@gmail.com.

14.1 Current Usage. The phanes.app marketing website is a statically generated Next.js application that does not currently deploy third-party cookies, tracking pixels, or analytics scripts. No advertising networks are integrated.

14.2 Essential Cookies. We may use strictly necessary cookies for session management, security (e.g., CSRF protection), and load balancing in Cloud Service interfaces. These cookies are required for the Services to function and cannot be opted out of.

14.3 Future Analytics. If we introduce analytics or non-essential cookies in the future, we will update this Policy, provide notice, and implement a consent mechanism where required by applicable law (including the ePrivacy Directive, GDPR, and applicable U.S. state laws).

When you self-host the AEOS Protocol, you are the sole data controller. The Company does not collect, access, process, or store any data from self-hosted deployments. This Policy does not apply to data processed in self-hosted environments. If you deploy the protocol for third parties, you are responsible for providing your own privacy policy and complying with all applicable data protection laws, including GDPR, CCPA/CPRA, and any sector-specific requirements (e.g., GLBA, HIPAA, if applicable).

16.1 Immutability by Design. The AEOS Protocol's immutable ledger is an append-only, hash-chain-linked log with Merkle proof support. This design provides tamper evidence, auditability, and non-repudiation — critical properties for an economic infrastructure layer. By design, ledger entries cannot be modified or deleted without breaking the hash chain.

16.2 GDPR Right to Erasure. We acknowledge the tension between ledger immutability and the right to erasure under GDPR Article 17. To reconcile these requirements: (a) the protocol stores hashed and committed data on the ledger, not plaintext personal information; (b) the off-chain data linked to ledger entries can be deleted, rendering the on-chain hashes unlinkable; (c) Pedersen commitments are computationally hiding — the committed values cannot be recovered without the blinding factor; and (d) where deletion of off-chain data is insufficient, we will implement cryptographic erasure (destruction of decryption keys) to render residual data permanently inaccessible.

16.3 Blockchain Settlement. Data published to public blockchains (Ethereum, Base, Arbitrum, Polygon) as part of USDC settlement is immutable and outside our control. By initiating on-chain settlement, you acknowledge and consent to the permanent, public nature of blockchain data.

17.1 Behavioral Profiling. The AEOS Risk Engine maintains per-agent behavioral profiles for anomaly detection and risk scoring. These profiles include statistical summaries of transaction patterns, counterparty interactions, and temporal behavior. Profiles are used exclusively for security and risk management — never for marketing, advertising, or profiling of natural persons.

17.2 ML Models. The protocol's ML engine (Isolation Forest, Markov behavioral models, ensemble scoring) processes agent behavioral data to detect anomalies. These models operate on agent-level data, not natural person data. In Cloud deployments, model parameters are derived from your agents' operational data and are not shared with other customers.

17.3 Automated Decision-Making. Risk scoring and automatic dispute resolution involve automated processing that may have significant effects (e.g., circuit breaker activation blocking transactions). Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you. You may request human review of any automated risk decision by contacting us. Note: this right applies to natural persons using the Services, not to AI agents themselves.

17.4 Graph Intelligence. PageRank trust scoring, collusion detection, and Sybil detection analyze the graph of agent interactions. This analysis is used for network security and trust assessment and does not involve profiling of natural persons.

We may update this Policy from time to time. Material changes will be communicated by: (a) posting the updated Policy on phanes.app with a revised "Effective" date; (b) email notification to Cloud and Enterprise account holders; and (c) a conspicuous notice on our website. Your continued use of the Services after the effective date of any update constitutes your acceptance of the revised Policy.

For questions about this Privacy Policy, to exercise your data protection rights, or to file a complaint:

If you are located in the EEA and are not satisfied with our response, you may lodge a complaint with your local supervisory authority. A list of EEA data protection authorities is available at edpb.europa.eu.