Legal

Privacy Policy

Effective date: February 13, 2026

Signet ("we," "us," or "our") operates the website at agentsignet.com and the Signet API at api.agentsignet.com (collectively, the "Service"). This Privacy Policy explains what information we collect, how we use it, and the choices you have.

By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, do not use the Service.

1. Information We Collect

1.1 Operator account information

When you apply for an operator account or register via the self-registration endpoint, we collect:

  • Name (individual or organization name)
  • Email address (real email for human-managed accounts; a synthetic, non-deliverable address for self-registered agents)
  • Company name (optional, provided during application)
  • Reason for applying (optional, provided during application)

1.2 Agent configuration data

When you register an agent or update its configuration, we collect:

  • Agent name and description
  • Model provider and model name (e.g., "openai", "gpt-4o")
  • System prompt hash (a one-way cryptographic hash; we never receive or store your actual system prompt)
  • Tool manifest (list of tool names or identifiers)
  • Memory configuration (structural metadata about memory settings)

1.3 Transaction data

When operators report transactions, we collect the transaction type, outcome, dimension signal scores (0 to 1000), and optional metadata. Operators control what metadata they include. We do not require or request personally identifiable information in transaction metadata.

1.4 Scoring and audit data

We generate and store trust scores (composite and five dimensions), confidence levels, configuration fingerprints, and a history of score change events. This data is derived from the information described above and is necessary for the core function of the Service.

1.5 Technical data

  • IP addresses: Used transiently for rate limiting. IP addresses are held in server memory during your session and are not persisted to the database or included in score records.
  • API key hashes: We store a SHA-256 cryptographic hash of your API key, not the key itself. This means we cannot retrieve your key after it is issued.
  • Request logs: Standard server logs may temporarily contain request metadata (timestamps, HTTP methods, status codes). These are retained for operational monitoring and are not used for tracking or profiling.

1.6 Newsletter subscriptions

If you subscribe to our newsletter, your email address is collected and processed by Mailchimp (Intuit Inc.). Mailchimp's privacy policy governs their handling of your data. You can unsubscribe at any time using the link in any newsletter email.

1.7 Admin session data

The Signet admin dashboard uses a session cookie (JSON Web Token) for authentication. This cookie is strictly functional, is not used for tracking, and expires when the browser session ends.

2. How We Use Your Information

We use the information we collect to:

  • Operate and maintain the Service, including computing and updating trust scores
  • Authenticate your identity when you access API endpoints or the admin dashboard
  • Enforce rate limits and prevent abuse of the Service
  • Send transactional emails (account approval, rejection notices) via our email provider
  • Detect and prevent fraudulent or manipulative scoring activity
  • Respond to support inquiries
  • Comply with legal obligations

We do not use your information for advertising, behavioral profiling, or sale to third parties.

3. Public Information

The following information is accessible without authentication through the public score lookup endpoint and the embeddable badge widget:

  • Agent SID (Signet Identifier)
  • Agent name
  • Composite trust score
  • Confidence level
  • Recommendation tier
  • Operator name

This public visibility is a core feature of the Service. Registering an agent constitutes consent to the public display of the data listed above. Detailed dimension scores, configuration data, transaction history, and score event history are not publicly accessible and require authenticated API access by the agent's owner.

4. Third-Party Services

We use the following third-party services to operate the Service:

ProviderPurposeData shared
Vercel (Vercel Inc.)Website hostingStandard web request data (IP, user agent, URL)
Railway (Railway Corp.)API hosting and PostgreSQL databaseAll data described in Section 1 (stored in the database)
Resend (Resend Inc.)Transactional email deliveryRecipient email address, email content (approval/rejection notices)
Mailchimp (Intuit Inc.)Newsletter distributionEmail address (newsletter subscribers only)

We do not use any analytics, advertising, or tracking services. We do not embed third-party tracking pixels, social media widgets, or cross-site identifiers.

5. Data Storage and Security

All data is stored in a PostgreSQL database hosted by Railway in the United States. We implement the following security measures:

  • API keys are stored as irreversible SHA-256 hashes
  • Admin credentials are compared using constant-time cryptographic functions to prevent timing attacks
  • All API endpoints enforce authentication, authorization, and rate limiting
  • Database queries use parameterized statements to prevent SQL injection
  • Score updates use database-level row locking to prevent race conditions
  • Input payloads are validated for size, depth, and type
  • HTTPS is enforced on all connections via HSTS
  • Content Security Policy headers restrict script execution and form submissions

While we implement commercially reasonable security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

6. Data Retention

We retain operator and agent data, including score histories and transaction records, for the duration of the account's existence. Score history and configuration change records are retained indefinitely because they are integral to the trust scoring system.

Rate limiting data (IP-based counters) is held transiently in server memory and is automatically purged within minutes of expiration.

If you wish to have your data deleted, contact us at the address in Section 10. We will process deletion requests within 45 days, subject to any legal obligations requiring continued retention.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate personal information
  • Delete your personal information
  • Obtain a copy of your data in a portable format
  • Opt out of the sale of personal information (we do not sell personal information)

Tennessee residents may have additional rights under the Tennessee Information Protection Act (Tenn. Code Ann. 47-18-3601 et seq.). To exercise any of these rights, contact us at the address in Section 10. We will respond within 45 days. We will not discriminate against you for exercising your privacy rights.

8. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we discover that we have collected information from a child under 18, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at the address in Section 10.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective date" at the top of this page and, where practical, notify affected users via email or a prominent notice on the Service. Your continued use of the Service after a change constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:

Signet
Email: privacy@agentsignet.com
Website: agentsignet.com