Privacy Policy

Last updated: 2026-06-15

Plain-English summary: we collect the minimum data needed to operate the service, never sell it, use Stripe for payments (we don't see card details), and you can delete your data anytime by emailing us.

1. Who we are

AgentPKI Commerce ("we", "us") is operated by Sarvesh Patel, a sole proprietor in Connecticut, USA. Contact: [email protected].

2. What data we collect

Merchants (paying customers): business name, website URL, email, phone (optional), physical address (optional), extracted catalog (menu/services/products), Ed25519 public key (we generate; we control the private key for you), Stripe customer ID, subscription status.

Consumers: when claiming a deal, we collect email or phone for the redemption code; if browsing /deals we store no identifying data.

Outreach leads: publicly-available business info (name, URL, public phone/email) collected for outbound contact. We delete on request.

Logs: IP address, user-agent, request URLs, timestamps. Retained 30 days for security + debugging.

3. Legal bases (GDPR)

Contract: processing for paying merchants to deliver the service
Legitimate interest: security logs, fraud prevention, cold outreach to public business contacts
Consent: consumer email/phone for coupon claims

4. How we use it

Operate the directory + AI assistant integrations
Send you transactional + service notifications
Send marketing emails about new features (you can opt out anytime)
Detect abuse, debug errors, generate aggregated analytics

5. Who we share with

We share data with sub-processors strictly necessary to operate:

Cloudflare (hosting + storage)
Anthropic (Claude API — only catalog text, never PII)
Resend (transactional email)
Twilio (SMS / WhatsApp)
Stripe (billing — your card details never touch our servers)

We never sell data. We do not share for advertising.

6. International transfers

Our infrastructure is global (Cloudflare). For EU users, transfers rely on Standard Contractual Clauses where required.

7. Retention

Merchant data: while you have an active subscription, plus 90 days after cancellation. Consumer claim data: 90 days. Logs: 30 days. Audit log (Merkle-chained for compliance): 7 years.

8. Your rights

You have the right to access, correct, delete, and port your data. Email [email protected]. We respond within 30 days. EU users may complain to their local Data Protection Authority.

9. SMS + WhatsApp opt-out

Reply STOP to any SMS or WhatsApp to unsubscribe immediately. Reply HELP for assistance. We comply with TCPA, CTIA, A2P 10DLC, and Twilio Acceptable Use Policy.

10. Children

Service not intended for users under 16. We do not knowingly collect data from children.

11. Changes

If we materially update this policy, we'll notify active merchants by email at least 30 days before the change takes effect.

12. Contact

Email [email protected].

This document is a starting point. Have a lawyer review before scaling beyond test transactions.