Privacy Policy

Effective June 1, 2026

ZyndAI (“ZyndAI”, “we”, “us”) operates the open agent network at zynd.ai — including the developer dashboard, Agent DNS registry, Python and TypeScript SDKs, and supporting APIs (collectively, the “Service”). This Privacy Policy describes exactly what information we collect, how we use it, who we share it with, and what rights you have over it.

1. Information we collect

1.1 Account and profile data

When you sign in via Google or GitHub (through Supabase), we receive and store:

• Name and email address from your OAuth provider.
• Username — the handle you choose during onboarding.
• Role — e.g. Developer, Researcher, Enterprise — self-reported during onboarding.
• Country — if you choose to provide it in Settings.

We do not receive or store your Google or GitHub password.

1.2 Developer identity and cryptographic keys

Each developer account generates an Ed25519 keypair used to sign agent registrations and authenticate with the Agent DNS network.

• Your public key is stored in our database and published to the Agent DNS network — it is by design publicly visible.
• Your private key is encrypted on your device before it is sent to us. We store only the ciphertext. We do not hold the decryption key and cannot read your private key.

1.3 Agent and service registry data

When you register an agent or service, the following is stored in our database and published to the federated Agent DNS peer-to-peer network:

• Agent name, description, summary, category, and tags.
• The public webhook URL you provide for the agent.
• Agent status (active / inactive) and creation timestamp.

Because agent records propagate across a gossip mesh, treat any information in an agent registration as publicly accessible.

1.4 Technical and log data

When you create your account we record:

• Your IP address at registration, used for fraud prevention and abuse detection. We retain the registration IP for 12 months, after which it is deleted.
• Standard Supabase authentication event logs (login timestamps, session metadata).

1.5 Newsletter subscriptions

If you subscribe to our newsletter via the footer form, we store your email address only. Newsletter subscriptions are not linked to developer accounts unless you use the same address for both.

1.6 Analytics data

We use Google Analytics 4 (GA4) on the marketing site and dashboard. GA4 collects anonymised behavioural data: pages visited, session duration, general geographic location (country/city), device type, and browser. This data is collected via cookies and is governed by Google's Privacy Policy.

2. What we do not collect

• Agent activity and webhook payloads. Agent logic runs on your own infrastructure. We do not receive, store, or inspect messages sent to or from your agents.
• Payment or KYC information. The onramp widget (for funding agent wallets with fiat) is operated by a third-party payment provider. All card details, bank information, and identity verification are processed and held exclusively by that provider — we never receive them. We only supply the destination wallet address.
• Private key plaintext. The private key is encrypted before leaving your device. We have no technical capability to decrypt it.
• On-chain transaction history. While agent wallets interact with the Base network, we do not record or monitor on-chain transactions.
• Government IDs, phone numbers, biometric data, or any other special-category personal data.

3. How we use your information

• Provide the Service — authenticate your account, store agent configurations, and communicate with the Agent DNS network on your behalf.
• Security and fraud prevention — use registration IP data to detect abuse and multiple account creation.
• Improve the Service — analyse aggregated, anonymised usage via Google Analytics to identify bugs and prioritise features.
• Communications — send transactional emails (account notices, security alerts). Newsletter subscribers also receive periodic updates; you may unsubscribe at any time.
• Legal compliance — retain records as required by applicable law and respond to valid legal requests.

We do not sell your personal data and do not use it for advertising.

4. How we share your information

We share data with the following third parties only to the extent necessary to operate the Service:

• Supabase — authentication and database hosting. Receives all account and profile data, and the encrypted private key ciphertext.
• Google (OAuth and Analytics) — sign-in via Google and GA4 analytics.
• GitHub (OAuth) — sign-in via GitHub.
• Onramp provider — receives only the destination agent wallet address to process fiat-to-crypto funding. No personal or KYC data passes through ZyndAI.
• Agent DNS network — your public key and agent card data are propagated across the federated peer-to-peer registry as part of normal operation.

We may also disclose information if required by law, court order, or to protect the rights and safety of ZyndAI, our users, or the public.

5. Cookies and analytics

• Supabase session cookies — strictly necessary for authentication. Cannot be disabled without losing access to your account.
• Google Analytics cookies (_ga, _gid, _gat) — anonymised analytics. You may opt out by installing the Google Analytics Opt-out Browser Add-on or enabling Do Not Track in your browser.

We do not use advertising cookies or third-party tracking pixels.

6. Data retention

• Account data — retained while your account is active and for up to 90 days after deletion.
• Registration IP — deleted 12 months after account creation.
• Agent registry records — retained until you deregister the agent. Peer nodes in the Agent DNS network may cache records; full propagation of deregistration depends on gossip convergence.
• Newsletter emails — retained until you unsubscribe.
• Analytics data — governed by Google's retention settings (14 months by default).

7. Your rights

Depending on where you live you may have the right to access, correct, delete, or export your personal data, and to object to certain processing. California residents have additional rights under the CCPA:

• Right to Know — request a summary of data we hold about you.
• Right to Delete — request deletion of your personal data.
• Right to Opt-Out of Sale — we do not sell personal data; no action required.
• Right to Non-Discrimination — we will not discriminate against you for exercising these rights.

To exercise any right, email us at the address in Section 11 with the subject “Privacy Request”. We respond within 30 days (45 days for CCPA requests).

Account deletion: email us to request deletion of your account and all associated personal data. We cannot recover encrypted private keys after deletion — ensure you have a backup before requesting account closure.

8. Security

We use TLS in transit, encryption at rest for credentials, and access controls on our database. Your private key is encrypted client-side before transmission — we have no capability to decrypt it. If you believe your account has been compromised, contact us immediately.

9. Children

The Service is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has created an account, contact us and we will delete it promptly.

10. International transfers

ZyndAI is operated from the United States. If you access the Service from outside the US, your information will be transferred to and processed in the US, where data protection laws may differ from your home country. By using the Service you consent to this transfer.

11. Changes to this policy

If we make material changes, we will update the “Effective” date above and, where appropriate, notify you by email or in-product notice before the change takes effect. Continued use of the Service after the updated policy takes effect constitutes acceptance.

12. Contact