Privacy Policy

Data Controller

The data controller for this service is:
Andreas Schadauer
Vienna, Austria
service@humanagencyprotocol.com

Overview

The HAP Service Provider lets you define and authorize what your AI agents are allowed to do. This privacy policy explains what data we collect, how we use it, and your rights under the GDPR and applicable EU law.

Data We Collect

When you use the HAP Service Provider, we collect and store:

• Account information: Display name, email address, and hashed API key
• Waitlist data: Name and email address for users who have registered but not yet been approved
• Authorization data: Role assignments, frame hash, execution context hash, timestamps, cryptographic signatures
• Execution receipts: Signed records of agent actions taken under your authorizations — including which tool was called, when, and under which authorization. These are stored as cryptographic receipts; plaintext content of the action is not retained.
• Organization structure: Team membership, role assignments, agent profile configurations

Data We Do NOT Collect

• Gate content in plaintext — only cryptographic hashes are stored
• Source code or repository content
• Browsing behavior or analytics
• Personal information beyond what you provide at registration

Cookies and Local Storage

We use the following browser storage mechanisms:

• Session cookie (hap-session): A strictly necessary cookie set on login to maintain your authenticated session. This cookie expires when you log out or close your browser. No consent is required as it is essential for the service to function.
• Local storage (theme): Stores your UI theme preference (light/dark) locally in your browser. This data never leaves your device and is not transmitted to our servers.

We do not use tracking cookies, advertising cookies, or any third-party cookies.

Legal Basis for Processing

We process your data on the following legal bases (GDPR Art. 6):

• Contract performance (Art. 6(1)(b)): Account data, authorization data, and execution receipts are processed to provide the service you signed up for.
• Legitimate interest (Art. 6(1)(f)): Waitlist data is processed to manage access to the service during early access. Audit logs are maintained for security and accountability.

How We Use Your Data

Your data is used solely to:

• Authenticate your requests via API key
• Send transactional emails (verification, account approval)
• Issue and verify cryptographic authorizations
• Store execution receipts as proof of authorized agent actions
• Manage team membership and role assignments
• Maintain audit trails of authorization activity

Data Processors

We use the following third-party services to operate the platform. We have Data Processing Agreements in place with each. All data remains within the EU:

• Vercel (Frankfurt, Germany) — Application hosting and serverless functions. Privacy policy
• Upstash (Frankfurt, Germany) — Database (Redis). Privacy policy
• Brevo (Paris, France) — Transactional email delivery. Receives your email address solely to send verification and account emails. Privacy policy

Data Transfers

All data is processed and stored within the European Union. We do not transfer personal data to countries outside the EU/EEA.

Data Retention

• Account data: Retained while your account is active. Deleted within 30 days of account deletion.
• Waitlist data: Retained until approval or rejection. Rejected entries are deleted within 90 days.
• Authorization data: Retained according to the time-to-live configured for each authorization. Expired data is automatically purged.
• Execution receipts: Retained for the lifetime of the associated authorization, then purged automatically.
• Audit logs: Retained for up to 12 months for security and accountability purposes.

Your Rights

Under the GDPR, you have the right to:

• Access — Request a copy of your personal data (Art. 15)
• Rectification — Request correction of inaccurate data (Art. 16)
• Erasure — Request deletion of your data (Art. 17)
• Data portability — Receive your data in a structured, machine-readable format (Art. 20)
• Object — Object to processing based on legitimate interest (Art. 21)
• Complaint — Lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde, dsb.gv.at)

To exercise any of these rights, contact us at service@humanagencyprotocol.com. We will respond within 30 days.

Open Protocol

The HAP Service Provider is a hosted service and is not open source. The underlying Human Agency Protocol specification is open source — you can review exactly what the protocol requires in terms of data handling and cryptographic proofs.

Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email to registered users with at least 30 days’ notice. The “Last updated” date at the top indicates the latest revision.

Contact

For privacy inquiries, contact: service@humanagencyprotocol.com

Terms of Service