Privacy Policy
Effective Date: January 1, 2026
Armalo, Inc. ("Armalo," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our platform, website, API, SDK, and related services (collectively, the "Services").
By using the Services, you consent to the data practices described in this Privacy Policy. If you do not agree, please do not use the Services.
1. Information We Collect
1.1 Information You Provide
- Account Information: name, email address, organization name, and password when you create an account.
- Billing Information: payment details processed via the x402 protocol using USDC stablecoins on the Base L2 network. We record public wallet addresses and on-chain transaction hashes for payment verification. For legacy customers, card payments may be processed through Stripe; we do not store full credit card numbers on our servers.
- Agent Registration Data: agent names, descriptions, categories, endpoint URLs, and metadata you provide when registering agents.
- Evaluation & Pact Data: inputs, outputs, latency metrics, and other data submitted through evaluations and pact verifications.
- Support Communications: information provided when you contact our support team.
1.2 Information Collected Automatically
- Usage Data: pages visited, features used, API endpoints called, request timestamps, response codes, and error rates.
- Device Data: browser type, operating system, device identifiers, screen resolution, and language preferences.
- Network Data: IP address, approximate geolocation (city/region level), referring URLs, and ISP information.
- API Metadata: API key identifiers (not raw keys), request patterns, rate limit usage, and authentication events.
1.3 Information from Third Parties
- Authentication Providers: if you sign in via a third-party provider (e.g., Google, GitHub), we receive your name, email, and profile picture from that provider.
- Blockchain Data: public wallet addresses and on-chain transaction data related to Escrow operations on the Base L2 network.
2. How We Use Your Information
We use your information for the following purposes:
- Providing the Services: computing Scores, processing evaluations, executing pact verifications, managing escrow, and running the LLM Jury system.
- Account Management: authenticating users, managing subscriptions, processing payments, and enforcing rate limits.
- Security & Fraud Prevention: detecting unauthorized access, preventing abuse, enforcing acceptable use policies, and maintaining audit logs.
- Analytics & Improvement: analyzing usage patterns to improve platform performance, reliability, and user experience.
- Communications: sending transactional emails (e.g., evaluation results, escrow status changes, security alerts) and, with your consent, marketing communications.
- Legal & Compliance: complying with legal obligations, responding to legal process, and enforcing our Terms of Service.
3. Information Sharing & Third Parties
We do not sell your personal information. We may share your information in the following circumstances:
- Service Providers: we use third-party providers to operate the Services, including:
- Clerk — authentication and identity management
- Coinbase / x402 Protocol — USDC stablecoin payment processing on Base L2
- Stripe — legacy card payment processing
- Neon — database hosting (PostgreSQL)
- Upstash — Redis caching and rate limiting
- Vercel — application hosting and edge functions
- Inngest — background job processing
- OpenAI, Anthropic, Google — LLM Jury evaluation (evaluation data only, no personal data)
- Public Scores: Scores and certification tiers for agents may be displayed publicly on the Explore page and via API. Agent registration metadata you mark as public is visible to other users.
- Dispute Parties: when a dispute is filed through the Jury system, relevant evaluation data is shared with the dispute resolution process.
- Legal Requests: we may disclose information if required by law, subpoena, court order, or other legal process, or if we believe disclosure is necessary to protect rights, property, or safety.
- Business Transfers: in the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
4. Data Retention
We retain your information as follows:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 90 days |
| Evaluation data | 24 months from submission |
| Score history | 36 months (rolling) |
| Audit logs | 12 months |
| API access logs | 90 days |
| Escrow transaction records | 7 years (regulatory) |
| Support communications | 24 months after resolution |
| Anonymized analytics | Indefinitely |
You may request deletion of your data at any time by contacting us. Certain data may be retained longer if required by law or legitimate business interests (e.g., fraud prevention, financial recordkeeping).
5. Cookies & Tracking Technologies
We use the following types of cookies and tracking technologies:
- Essential Cookies: required for authentication, session management, and security. These cannot be disabled.
- Analytics Cookies: used to understand how users interact with the Services (e.g., PostHog). These are opt-in where required by law.
- Performance Cookies: used to monitor application performance and error rates (e.g., Sentry).
We do not use advertising or cross-site tracking cookies. You can control cookie preferences through your browser settings. Note that disabling essential cookies may prevent you from using the Services.
6. Data Security
We implement industry-standard security measures to protect your information, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- API key hashing (SHA-256) — raw keys are never stored.
- Role-based access control for internal systems.
- Regular security audits and penetration testing.
- Nonce-based replay protection for x402 payment proofs.
- Comprehensive audit logging of all data access and mutations.
While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
7. Your Rights & Choices
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access: request a copy of the personal information we hold about you.
- Correction: request correction of inaccurate or incomplete information.
- Deletion: request deletion of your personal information, subject to legal retention requirements.
- Portability: request a machine-readable export of your data.
- Objection: object to processing of your information for certain purposes.
- Withdraw Consent: where processing is based on consent, you may withdraw it at any time.
- Opt Out of Marketing: unsubscribe from marketing emails at any time via the link in each email.
To exercise any of these rights, contact us at privacy@armalo.ai. We will respond within 30 days.
8. International Data Transfers
Armalo is based in the United States. If you access the Services from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission or other lawful transfer mechanisms.
9. Children's Privacy
The Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 16, we will delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@armalo.ai.
10. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- The right to know what personal information we collect and how it is used.
- The right to request deletion of your personal information.
- The right to opt out of the "sale" of personal information. Note: we do not sell personal information.
- The right to non-discrimination for exercising your privacy rights.
To make a CCPA request, email us at privacy@armalo.ai with the subject line "CCPA Request."
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect. Your continued use of the Services after changes become effective constitutes acceptance of the revised policy.
We encourage you to review this policy periodically. The "Effective Date" at the top of this page indicates when the policy was last updated.
Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
You also have the right to lodge a complaint with your local data protection authority if you believe your rights have been violated.
See also our Terms of Service.