Privacy Policy

Privacy Policy — address.bot

address.bot — Physical-Address Evidence Channel API for Businesses, Developers, and AI Agents
Operated by Golden Ratio, LLC, a Utah Limited Liability Company
Effective Date: February 7, 2026 · Last Updated: May 9, 2026

YOUR PRIVACY IS FUNDAMENTAL TO OUR BUSINESS. WE DO NOT SELL YOUR PERSONAL INFORMATION. WE DO NOT SHARE YOUR PERSONAL INFORMATION WITH ANY THIRD PARTY FOR ITS OWN ADVERTISING, MARKETING, MODEL TRAINING, OR DATA-BROKERAGE PURPOSES. WE DO NOT MONETIZE YOUR DATA. WE DO NOT TRAIN AI MODELS ON YOUR RECIPIENT INSTRUCTIONS, EVIDENCE REQUIREMENTS, OR ANY EVIDENCE A RECIPIENT SUBMITS TO US. PERIOD.

OUR ANALYTICS STACK IS INTENTIONALLY MINIMAL. WE USE FIRST-PARTY PRODUCT TELEMETRY ONLY (PAGE VIEWS, BUTTON CLICKS, API USAGE COUNTS, AND SIMILAR ENGINEERING METRICS). WE DO NOT EMBED THIRD-PARTY ADVERTISING SDKS, CROSS-SITE TRACKERS, RETARGETING PIXELS, OR DATA-BROKER FEEDS.

THIS PRIVACY POLICY DESCRIBES HOW WE COLLECT, USE, PROTECT, AND HANDLE YOUR INFORMATION WHEN YOU USE ADDRESS.BOT. PLEASE READ IT CAREFULLY.

Section 1

Overview and Commitment

1.1 Our Privacy Commitment

Golden Ratio, LLC (“Company,” “we,” “us,” “our”), the operator of address.bot, is committed to protecting the privacy and security of the personal information of the Owners who run accounts, the Agents that operate under those accounts, and the anonymous Recipients who interact with the recipient flow at /v/[token]. The Platform's currently live offering is a physical-address evidence channel: an Owner (or an Agent acting under an Owner's account) submits an address, request type, instructions, and evidence requirements; we mail a postcard bearing a QR code and short printed code; a non-account Recipient at the address scans the QR, optionally enters the code, and uploads requested evidence; the Owner receives signed webhook events and can review evidence in the dashboard or via the API.

1.2 Scope

This Privacy Policy applies to all information collected through the address.bot website (address.bot), the address.bot REST API, the OpenAPI surface at /api/openapi.json, the machine-readable discovery surface at /llms.txt, the Operator Dashboard, the public recipient page at /v/[token], MCP and agent adapters, webhook deliveries to Owner-configured endpoints, and any related services, tools, or communications (collectively, the “Platform”).

1.3 Agreement

By using the Platform, creating an account, claiming an Account Intent, completing the recipient flow, or interacting with our services in any way, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Platform. Capitalized terms used but not defined here have the meanings given in the Terms of Service at /terms.

Section 2

Information We Collect

2.1 Information Owners Provide Directly

We collect information that you voluntarily provide to us as an Owner, including:

  • Account registration information: legal/business name, owner email address (used as magic-link login), business profile, operating intent (human, agent, hybrid), billing email, and physical/billing address where required
  • Webhook configuration: webhook destination URL and HMAC signing secret
  • Agent and integration metadata: agent labels, framework identifiers, and (where supplied) capability declarations or tool descriptors
  • Account-Intent metadata: where an Agent created a draft via POST /api/v1/account-intents, the listed owner email, business name, and any provided context
  • Live policy configuration: first-live approval state, per-request cap, monthly budget, and review decisions
  • Payment information: Stripe customer reference and payment-method metadata (processed and stored by Stripe, not by us beyond reference identifiers)
  • Communications: support requests, contact-form messages, and other correspondence you send to us

2.2 Information We Collect Automatically

When you access or use the Platform, we automatically collect:

  • Log data: IP address, user agent, request path, status codes, latency, timestamps, and request identifiers
  • Device information: device type, screen size, language preferences, and (where the browser provides them) other standard request headers
  • Usage data: features used, dashboard pages viewed, API endpoints called, webhook events triggered, and aggregated interaction patterns
  • Cookie data: session identifiers, authentication tokens, and (where you consent) first-party analytics cookies (see Section 9)

2.3 Information Generated Through Our Services

In the course of providing the Service, we generate and collect:

  • Verification data: target address (recipient, line1, line2, city, region, postal code, country), request type, recipient-facing instructions and message, evidence requirements, sandbox/live mode, idempotency keys, batch/tranche identifiers, and customer-supplied references and metadata
  • Address-scoped channel data: address state object identifiers, physical challenge metadata (postcard variant, token issuance, code value), evidence session lifecycle, task definitions and inputs, evidence events, and follow-on task versions
  • Token and code records: high-entropy URL tokens for the recipient flow and short printed codes (these are operational secrets and are not exposed via the public API)
  • Postcard fulfillment data: print/mail status transitions, queue assignment, photo or status snapshots captured by staff, and (where applicable) carrier tracking data
  • Recipient evidence data: photos, videos, files, free-form notes, signatures or attestation answers, and code-confirmation events submitted by the Recipient through /v/[token]
  • Webhook delivery data: event payloads, signing metadata, delivery attempts, response codes, and retry history
  • Billing data: preflight estimates, line items, billing events (manual_invoice, credits, auto_charge), Stripe customer/payment-method readiness, monthly live spend, and refunds where applicable
  • Manual review data: review_requests rows, request fingerprint, reasons, and resolution decisions

2.4 Information from Third Parties

We may receive information about you from third-party sources, including:

  • Supabase Auth: magic-link sign-in events and verified-email confirmations
  • Stripe: payment-method readiness, billing portal sessions, customer creation, and (where enabled) live capture results
  • Email delivery providers (such as Resend, where configured): delivery, bounce, and complaint events for transactional email
  • Postal carriers: where applicable, fulfillment and tracking data for postcards we tender on your behalf
  • Hosting and DNS providers (such as Vercel): request logs and request-routing telemetry necessary to operate the Platform
  • AI/inference providers, where used in specific features such as address normalization, evidence classification, manual-review heuristics, OCR, or support

Section 3

How We Use Your Information

3.1 Service Provision

We use your information to operate, maintain, and improve the Platform, including:

  • Verifying owner email and maintaining account security
  • Provisioning sandbox and live API keys, webhook secrets, and dashboard sessions
  • Pricing and validating Verifications via preflight
  • Producing, printing, mailing, and tracking postcards through the fulfillment lifecycle
  • Rendering the recipient page at /v/[token] and resolving the latest active task on the address-scoped channel
  • Issuing short-lived signed upload URLs for direct-to-storage Evidence uploads, and short-lived signed download URLs for Owner/dashboard access
  • Sending HMAC-signed webhook notifications and email alerts about Verification and billing events
  • Managing billing, payments, live policy, and the manual-review queue
  • Maintaining the address-scoped state object, evidence sessions, task versions, and evidence events that make follow-on tasks possible on the same channel

3.2 Security and Fraud Prevention

  • Detecting and preventing fraudulent or suspicious activity, including credential stuffing, brute-force, scraping, automation abuse, and prompt-injection attacks
  • Screening for sanctions, watchlist, OFAC, or other compliance signals where applicable
  • Enforcing the Terms of Service and any Acceptable Use Policy in force
  • Investigating security incidents, unauthorized-access attempts, and platform-integrity issues
  • Operating the Manual Review queue for risky live requests and applying live-policy controls

3.3 Communications

We use your information to communicate with you about your account, security alerts, billing events, Verification lifecycle, manual-review notifications, and other transactional matters. We do not send unsolicited marketing email without your explicit opt-in consent.

3.4 Legal Compliance

We use your information to comply with applicable laws, regulations, and legal processes, including responding to lawful subpoenas, court orders, search warrants, and law-enforcement requests (see Section 6).

3.5 Improvement and Analytics

We use aggregated, anonymized telemetry (latency, error rates, queue depth, request-type mix, conversion-tier outcomes) to improve the Service. We do not use Owner content, recipient instructions, follow-on task inputs, recipient submissions, evidence files, recipient names, or recipient addresses to train AI models, fine-tune models, build advertising audiences, or build profiles of any individual.

Section 4

We Never Sell or Share Your Data for Marketing

WE DO NOT SELL YOUR PERSONAL INFORMATION. WE HAVE NEVER SOLD PERSONAL INFORMATION. WE WILL NEVER SELL PERSONAL INFORMATION. THIS IS NOT A CONDITIONAL STATEMENT — IT IS AN ABSOLUTE COMMITMENT.

WE DO NOT SHARE YOUR PERSONAL INFORMATION WITH THIRD PARTIES FOR THEIR MARKETING, ADVERTISING, OR PROMOTIONAL PURPOSES. WE DO NOT PARTICIPATE IN DATA BROKERAGES. WE DO NOT MONETIZE YOUR DATA IN ANY WAY OTHER THAN PROVIDING THE SERVICES YOU PAY FOR.

4.1 Limited Disclosure

We disclose your personal information only in the following circumstances:

  • Service providers: We share information with third-party service providers who perform services on our behalf (see Section 5), subject to strict contractual or platform-level obligations to protect your data and use it only for the purposes we specify
  • Legal requirements: We may disclose information when required by law, regulation, legal process, or governmental request (see Section 6)
  • Safety and security: We may disclose information when we believe it is necessary to protect the safety, rights, or property of the Company, our users, our Recipients, or the public
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction, subject to the same privacy protections described in this Policy
  • With your consent: We may share information with your explicit consent for purposes you have approved

4.2 No Third-Party Marketing

We do not provide your owner name, owner email, billing email, phone number, recipient instructions, recipient names, recipient addresses, or Recipient-submitted Evidence to third parties for the purpose of sending marketing communications, targeted advertising, or promotional materials. If this ever changes, we will obtain your explicit, affirmative opt-in consent before any such sharing occurs.

Section 5

Third-Party Service Providers

5.1 Service Providers We Use

We work with the following categories of third-party service providers to operate the Platform. Specific providers used at any time are subject to change as we improve or refactor the Platform.

5.2 Database, Auth, and Storage

Supabase. Our application database (Postgres with row-level security), authentication (magic-link login for Owners and staff), and private object storage (the verification-media bucket and any related buckets) are hosted on Supabase. Owner data, Verification rows, address-scoped state, evidence requirements, evidence metadata, webhook delivery rows, billing records, manual-review queue, and Recipient-uploaded Evidence are stored in Supabase under encryption-at-rest and access controls. The Owner's magic-link sign-in flow and staff sign-in flow are managed by Supabase Auth.

5.3 Hosting and Edge

Vercel. The dashboard, recipient pages, REST API, OpenAPI surface, docs, and lightweight cron routes are hosted on Vercel. Vercel processes request logs (IP, user agent, request path) in the course of serving the application.

5.4 Payment Processing

Stripe. Where billing is enabled, Stripe handles payment-method storage, payment-method readiness checks, hosted billing portal sessions, and (where configured) future live capture. Card numbers, CVVs, and full payment details are transmitted directly to Stripe and are not stored on our servers; we receive only a tokenized customer reference, payment-method readiness flags, and last-four/expiration metadata. Stripe is PCI DSS Level 1 certified.

5.5 Postcard Production and Mail Delivery

Postcards are currently produced through the Company's internal print/admin workflow, with admin status transitions (queued for print, printed, mailed, undeliverable). We may introduce third-party print-and-mail providers (such as Lob, PostGrid, or Click2Mail) at any time. Where used, those providers will receive recipient address, sender business name, recipient instructions, the QR Token URL, and the printed Code as needed to produce and mail the postcard. The United States Postal Service (and, where designated, other carriers) handle the postcard once tendered, under their own handling practices.

5.6 Transactional Email and SMS

Transactional email (magic-link sign-in, owner-claim handshake, security alerts, Verification lifecycle, billing events, manual-review notifications) is sent via Supabase Auth (for magic links) and, where configured, Resend or an equivalent transactional-email provider for non-magic-link product email. We do not currently send marketing email and do not currently send Recipient SMS.

5.7 Analytics

address.bot uses minimal first-party product telemetry to understand how the Platform is used, debug issues, and improve developer ergonomics. We do not embed third-party advertising SDKs, cross-site trackers, retargeting pixels, or data-broker feeds. Where any analytics provider is used, it is configured for first-party analytics only and is not permitted to use your data for its own advertising, model training, or third-party sharing. You may opt out of non-essential analytics by declining analytics cookies in the cookie banner or by emailing the privacy address in Section 19.

5.8 AI / Inference Providers

Where features such as address normalization, evidence classification, manual-review heuristics, OCR, or support use third-party AI/inference providers, those providers will receive only the data needed to perform the requested inference. We do not authorize AI providers to retain Owner recipient instructions, follow-on task inputs, or Recipient-submitted Evidence for model training or for any purpose other than serving our request.

5.9 Bot and Abuse Protection

We may use bot-protection services (such as Cloudflare Turnstile or equivalent) on signup, contact, and account-intent forms to deter automated abuse. These services may collect device and browser signals to distinguish humans from bots, processed under the provider's own privacy policy.

5.10 Contractual Protections

All third-party service providers are bound by contractual obligations (or, where applicable, by their published Data Processing Addenda) to: process your data only for the purposes we specify; maintain appropriate security measures; not sell, share, or use your data for their own advertising, marketing, or model training; notify us promptly of any security incidents; and delete your data upon termination of our agreement or upon our instruction.

Section 6

Law Enforcement and Legal Disclosures

WE WILL COMPLY WITH ALL LAWFUL LEGAL PROCESS. WE MAY DISCLOSE YOUR INFORMATION IN RESPONSE TO VALID SUBPOENAS, COURT ORDERS, SEARCH WARRANTS, AND OTHER LEGAL REQUESTS. IN SOME CASES, WE ARE PROHIBITED FROM NOTIFYING YOU OF SUCH DISCLOSURES. SEE OUR TERMS OF SERVICE (SECTION 9) FOR COMPLETE DETAILS ON OUR LAW ENFORCEMENT COOPERATION POLICY.

6.1 What We May Disclose

  • Owner verification records and account intents
  • Account registration information and contact details
  • Agent registration metadata and webhook configurations
  • Verification rows, fulfillment status transitions, recipient instructions, and uploaded Evidence (photos, videos, notes, signatures)
  • API access logs and webhook delivery logs
  • Billing events and Stripe references
  • Manual-review records and resolution history
  • Communication records between you and the Company
  • Any other information in our possession responsive to a lawful request

6.2 Voluntary Reporting

We may voluntarily report to law enforcement any activity we suspect involves fraud, money laundering, terrorism financing, stalking, harassment, child exploitation, trafficking, or other criminal conduct, without prior notice to you. This is consistent with our commitment to operating a safe, lawful platform.

6.3 Preservation Requests

We honor lawful preservation requests from law enforcement and will preserve relevant records for the period specified, or one hundred eighty (180) days if no period is specified.

Section 7

Data Security

7.1 Encryption

  • Encryption in transit: All data transmitted between your browser or application and our servers is encrypted using TLS 1.2 or higher (HTTPS). All API communications require HTTPS. Webhook delivery URLs configured by Owners must use HTTPS except where localhost is used in development.
  • Encryption at rest: Owner data, Verification records, Evidence files, and metadata stored in Supabase Postgres and Supabase Storage are encrypted at rest using AES-256 or stronger.
  • Key management: Encryption keys are managed through industry-standard practices with regular rotation and strict access controls.

7.2 Access Controls

  • Role-based access control: Access to Owner and Recipient data is restricted to authorized personnel on a need-to-know basis.
  • Row-level security: Our database enforces row-level security policies so that Owners can only access their own Business Account data through the API and dashboard.
  • Token-scoped recipient access: Recipient pages are scoped to a single high-entropy Token; recipient access does not rely on broad anonymous database access. Server actions resolve the Token, validate state, and create narrowly-scoped signed upload targets.
  • API authentication: All API access requires valid sandbox or live API credentials scoped to a Business Account.
  • Webhook signing: Webhook payloads are HMAC-signed with the per-business webhook secret so that consumers can verify authenticity.
  • Service-role isolation: Service-role Supabase access is confined to server-only modules and is never exposed to the browser, recipient, or third party.
  • Principle of least privilege: Personnel and systems are granted the minimum access necessary to perform their functions.

7.3 Infrastructure Security

  • Our infrastructure is hosted on platforms that publish their own security and compliance posture.
  • We conduct ongoing review of access patterns, request logs, and webhook-delivery health.
  • Database backups are encrypted; backup configuration is managed by our database provider.
  • We avoid logging raw API keys, webhook secrets, postcard Tokens, or printed Codes.

7.4 Recipient Evidence Safeguards

  • Direct-to-storage upload: Recipient-uploaded files travel directly from the Recipient browser to a private Supabase Storage bucket via a short-lived signed upload URL. We do not proxy media files through Next route handlers.
  • Signed download: Owners and dashboard staff retrieve Evidence through short-lived signed URLs; we do not generate permanent public URLs for Recipient Evidence.
  • Scoped storage paths: Files are stored under stable, scoped paths (businesses/{business_id}/verifications/{verification_id}/...) so that one Owner cannot reach another's data.
  • Size and MIME limits: Uploads are constrained by per-requirement and global maximums.

7.5 Security Limitations

While we implement commercially reasonable security measures, no system is 100% secure. We cannot guarantee the absolute security of your data. In the event of a security incident that affects your personal information, we will notify you in accordance with applicable law.

Section 8

Data Retention

8.1 Retention Periods

  • Account information: For the duration of your account plus five (5) years after account closure.
  • Verification records, fulfillment data, and follow-on task history: For the duration of your account plus five (5) years after account closure.
  • Recipient-uploaded Evidence: For the duration of your account plus five (5) years, subject to your earlier deletion request and to legal-hold and active-litigation exceptions.
  • API access logs: Rolling twelve (12) month retention.
  • Webhook delivery logs: Rolling twelve (12) month retention.
  • Billing records: Seven (7) years for tax and accounting compliance.
  • Account intents: Pending account intents may be deleted or expired at our discretion if the listed Owner email never claims the draft.
  • Aggregated analytics: Aggregated, anonymized analytics may be retained indefinitely; any raw analytics records are retained for no longer than commercially necessary.

8.2 Extended Retention

We may retain information beyond the standard retention periods if required by law, regulation, or legal process; subject to a pending or anticipated legal hold or litigation; necessary for the investigation of fraud or security incidents; or subject to a law-enforcement preservation request.

8.3 Deletion

When data reaches the end of its retention period and no exception applies, it is permanently deleted or irreversibly anonymized. Deletion is performed through procedures that render the data unrecoverable in our active systems.

Section 9

Cookies and Tracking Technologies

9.1 What Cookies We Use

  • Essential cookies: Required for the Platform to function, including session management, authentication, and CSRF protection. These cannot be disabled.
  • Analytics cookies: First-party analytics cookies used for product telemetry. These can be declined in the cookie banner.
  • Bot-protection cookies: Where bot-protection services are used (such as Cloudflare Turnstile) on signup, contact, or account-intent forms.
  • Preference cookies: Cookies that store your preferences, including cookie consent state.

9.2 Cookie Consent

When you first visit our website, we present a cookie consent banner. You may accept or decline non-essential cookies. Your preference is stored and respected across sessions. You can change your cookie preferences at any time by clearing your browser cookies and revisiting the site.

9.3 Do Not Track

We respect Do Not Track (DNT) browser signals. When we detect a DNT signal, we disable non-essential analytics for that session.

9.4 No Cross-Site Tracking

We do not engage in cross-site tracking. We do not use advertising cookies, retargeting pixels, or any technology that tracks your activity across other websites. We do not participate in ad networks or behavioral advertising programs.

Section 10

Your Rights

10.1 Access

You have the right to request access to the personal information we hold about you. We will provide a copy of your data in a structured, machine-readable format within thirty (30) days of a verified request.

10.2 Correction

You have the right to request correction of inaccurate or incomplete personal information. You can update most account information directly through the Operator Dashboard or by contacting us.

10.3 Deletion

You have the right to request deletion of your personal information, subject to the following exceptions:

  • Verification, KYC-style, and account records that we are legally required to retain for five (5) years
  • Records subject to a legal hold, pending litigation, or law-enforcement request
  • Information necessary to complete a pending Verification, billing event, or contractual obligation
  • Records required for tax, accounting, or regulatory compliance

To request deletion, email privacy [at] address [dot] bot with the subject “Data Deletion Request.” We will process your request within thirty (30) days and confirm deletion in writing.

10.4 Portability

You have the right to receive your personal data in a portable, machine-readable format (JSON or CSV). This includes your account information, agent metadata, Verification records, and API logs.

10.5 Restriction of Processing

You have the right to request that we restrict the processing of your personal information in certain circumstances, such as when you contest the accuracy of your data or when processing is no longer necessary but you need the data for legal claims.

10.6 Objection

You have the right to object to our processing of your personal information for analytics and improvement purposes. To exercise this right, email privacy [at] address [dot] bot.

10.7 Withdrawal of Consent

Where our processing of your information is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.

10.8 Recipient Rights

Recipients are anonymous to the Platform — we do not collect Recipient name, contact information, or identity unless the Recipient elects to include such information in a free-form note, signature, or other Evidence field. A Recipient who wishes to exercise rights with respect to Evidence they uploaded may contact us at privacy [at] address [dot] bot with sufficient information (such as the recipient URL or postcard reference) to identify the Verification. We will work with the relevant Owner Business Account to evaluate and, where appropriate, honor the request, subject to the Owner's rights and to our legal-hold and law-enforcement obligations.

10.9 Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. You will not receive a different level of service or pricing for making a privacy request.

10.10 Exercising Your Rights

To exercise any of these rights, contact us at privacy [at] address [dot] bot. We will verify your identity before processing any request to protect against unauthorized access. We will respond to all verified requests within thirty (30) days.

Section 11

California Privacy Rights (CCPA / CPRA)

11.1 Categories of Personal Information

Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), California residents have specific rights regarding their personal information. In the preceding twelve (12) months, we have collected the following categories of personal information:

  • Identifiers: owner name, owner email, billing email, IP address, account name; recipient address (provided by the Owner) where used to address a postcard
  • Personal information under Cal. Civ. Code §1798.80(e): name, address, financial-account reference (Stripe customer/payment-method reference)
  • Internet or electronic network activity: dashboard browsing history, API usage logs, recipient page interaction telemetry
  • Geolocation data: approximate location derived from IP address
  • Audio, visual, or similar information: photos, videos, signatures, and free-form notes voluntarily uploaded by Recipients through the recipient flow
  • Professional or employment-related information: only if voluntarily provided during registration or in business-profile fields

11.2 Your California Rights

  • Know what personal information we collect, use, disclose, and sell (we sell none)
  • Delete your personal information (subject to legal exceptions)
  • Opt out of the sale of your personal information (we do not sell personal information, so no opt-out is necessary, but you may still submit a request)
  • Opt out of sharing for cross-context behavioral advertising (we do not share for this purpose)
  • Correct inaccurate personal information
  • Limit use and disclosure of sensitive personal information to what is necessary for the services
  • Non-discrimination for exercising your CCPA/CPRA rights

11.3 Authorized Agents

California residents may designate an authorized agent to submit privacy requests on their behalf. Authorized agents must provide written authorization from the consumer and verify their own identity. We may deny requests from agents who cannot provide adequate proof of authorization.

11.4 California Consumer Complaint

Pursuant to California Civil Code §1789.3, California residents may contact the Complaint Assistance Unit of the Division of Consumer Services at 1625 North Market Blvd., Suite N 112, Sacramento, CA 95834, or by telephone at (800) 952-5210.

11.5 Shine the Light

Under California Civil Code §1798.83, California residents may request information regarding the disclosure of personal information to third parties for direct marketing purposes. As stated in this Policy, we do not disclose personal information to third parties for their direct marketing purposes.

Section 12

International Users

12.1 Data Location

The Platform is operated from the United States. If you access the Platform from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Platform, you consent to this transfer.

12.2 GDPR (European Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply:

  • Legal basis: We process your personal data based on contractual necessity (to provide the services you requested), legitimate interests (security, fraud prevention, service improvement), legal obligations (sanctions screening, law-enforcement cooperation), and consent (where applicable, such as for analytics cookies)
  • Data transfers: Transfers of personal data from the EEA to the United States are conducted in compliance with applicable data-transfer mechanisms
  • Data Protection Officer: For GDPR-related inquiries, contact privacy [at] address [dot] bot
  • Supervisory authority: You have the right to lodge a complaint with your local data protection supervisory authority

Section 13

Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will promptly delete that information. If you believe a child under 18 has provided us with personal information, please contact us at privacy [at] address [dot] bot.

Owners are responsible for ensuring that recipient instructions, evidence requirements, and follow-on tasks they create do not solicit information from children under 18 in violation of the Children's Online Privacy Protection Act (COPPA) or any equivalent law.

Section 14

Data Breach Notification

14.1 Our Commitment

In the event of a data breach that compromises your personal information, we will:

  • Notify affected individuals via email within seventy-two (72) hours of discovering the breach, or as soon as reasonably practicable
  • Notify applicable regulatory authorities as required by law
  • Provide a clear description of what happened, what information was involved, what we are doing to address it, and what steps you can take to protect yourself
  • Offer appropriate remediation, which may include credit-monitoring services for breaches involving sensitive personal information

14.2 Incident Response

We maintain a documented incident-response plan that includes procedures for identifying, containing, investigating, and remediating security incidents. Our response team is trained and prepared to act swiftly in the event of a breach.

Section 15

Aggregated and Anonymized Data

15.1 Use of Aggregated Data

We may create aggregated, anonymized, or de-identified data from your personal information. This data cannot reasonably be used to identify you. We may use aggregated data for:

  • Service improvement and feature development
  • Industry reports and benchmarking (e.g., average request volume, request-type distribution, response-rate ranges)
  • Marketing and promotional materials (only aggregate statistics, never individual data)

We do not use Owner-supplied content (recipient instructions, recipient messages, follow-on task inputs) or Recipient-submitted Evidence (photos, videos, files, notes, signatures) to train or fine-tune AI models, even in aggregated form.

15.2 Opt-Out of Aggregated Data Use

You may opt out of having your account included in non-essential aggregated reporting (security, billing, fraud-prevention, and reliability telemetry are essential to the Service and not subject to opt-out) by emailing privacy [at] address [dot] bot with the subject “Opt-Out: Aggregated Data.”

Section 16

Agent, API, MCP, and Webhook Data

The Platform exposes its capabilities to AI agents and developers via REST API, OpenAPI, MCP/agent adapters, OpenClaw descriptors, and signed webhooks. This section describes the data we collect and retain in connection with those programmatic interfaces.

16.1 API and MCP Request Data

Data transmitted through the REST API and MCP/agent adapters (including account-intent metadata, preflight inputs, Verification submissions, follow-on task inputs, billing-policy updates, manual-review resolutions, and webhook payloads) is encrypted in transit (TLS 1.2+) and at rest (AES-256 or stronger). We log request/response metadata (endpoint, status code, latency, IP, user agent, mode, key fingerprint, idempotency key) to operate, secure, and bill the Platform. API access logs are retained for twelve (12) months. We do not analyze the body of recipient instructions beyond what is necessary to render the postcard, the recipient page, and the Verification record.

16.2 API Keys and Credentials

API keys (sandbox sk_test_* and live sk_live_*) and webhook signing secrets are issued by the Platform and shown only once at creation. We store a salted hash of the secret portion server-side; we cannot recover the original secret. You are responsible for protecting these credentials. See the Terms of Service for the full credential-security obligations and the Company's position on liability for credential compromise.

16.3 Agent Decision and Activity Logs

For accounts with Agents configured, request-and-response logs — which API call was made, with which key, at what time, with what idempotency key, and the resulting Verification state — are available to the Owner via the dashboard at /app/logs and via the API. Decision logs are retained for the duration of your account plus five (5) years.

16.4 Webhook Security

Webhook payloads are HMAC-signed with your webhook signing secret so that you can verify their authenticity. We recommend always verifying webhook signatures and rotating signing secrets periodically. Webhook delivery logs (event metadata, delivery attempts, response status) are retained for twelve (12) months and are also surfaced to you via the dashboard.

Section 17

Recipient Evidence and Address-Channel Data

17.1 Recipient Anonymity

Recipients do not create accounts on the Platform. Recipient access is scoped to a single high-entropy Token (URL secret) and an optional printed Code (second-factor possession proof). The Platform does not collect Recipient name, contact information, government identifiers, social security number, biometric identifiers, or identity-document data unless the Recipient elects to include such information in a free-form note, signature, or other Evidence field.

17.2 Recipient-Submitted Evidence

Recipient-submitted Evidence (photos, videos, files, notes, signatures, code-confirmation events) is uploaded directly from the Recipient's browser to a private Supabase Storage bucket via a short-lived signed upload URL. Evidence is accessible only to (a) the Owner Business Account that created the Verification and any Agent acting under that Owner's account, (b) authorized Company personnel with a legitimate operational need (such as quality review, troubleshooting, fulfilling a service request, or investigating a safety or abuse report), and (c) law enforcement pursuant to valid legal process.

What we will not do. The Company will not sell, rent, license, or commercially distribute Recipient-submitted Evidence to any third party — ever. The Company will not use Recipient-submitted Evidence for advertising, marketing, data mining, AI model training, or any purpose other than delivering the Service the Owner has requested.

17.3 Sensitive Content Recipient May Submit

Recipient-submitted Evidence may contain sensitive, confidential, or regulated information that the Recipient elects to capture, including but not limited to:

  • Photographs of property interiors or exteriors that incidentally include people, vehicles, license plates, or personal items
  • Photographs of utility meters, serial numbers, asset tags, or installation labels
  • Photographs or videos that incidentally include children, pets, neighbors, co-tenants, or other non-Recipient individuals
  • Free-form notes that include personal opinions, contact information, complaints, or sensitive disclosures
  • Signature or attestation fields where the Recipient writes their own name

No HIPAA / FCRA / regulated-content safe harbor. The Platform is not a HIPAA covered entity, business associate, or consumer reporting agency, and is not configured for handling Protected Health Information, consumer-report data, or other regulatory-framework content. Owners must not configure evidence requirements that solicit such content, and Recipients should not upload such content. See Section 9B of the Terms of Service.

17.4 Address-Channel State Data

The address-scoped channel foundation (state objects, physical challenges, evidence sessions, task definitions, task inputs, evidence events) is stored in our database under the same security, access-control, and retention rules described elsewhere in this Policy. This data lets the Platform support follow-on tasks and channel-bound evidence without rewriting the Verification record on every task version.

17.5 Postcard Tokens and Codes

Postcard Tokens (the high-entropy URL secret) and printed Codes (the short physical-possession secret) are operational secrets. We do not expose Tokens via the public API. We maintain Tokens and Codes in our database under access controls and use them only for recipient flow resolution, second-factor confirmation, and audit.

17.6 Retention of Recipient Evidence

Recipient Evidence is retained for the duration of the Owner Business Account plus five (5) years for audit, dispute, and potential downstream-action review, subject to earlier deletion at the Owner's request and to legal-hold and active-litigation exceptions.

Section 18

Changes to This Privacy Policy

18.1 Notification of Changes

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Post the updated Privacy Policy on this page with a new "Last Updated" date
  • Notify you via email at least thirty (30) days before the changes take effect
  • Provide a summary of material changes
  • For significant changes affecting your rights, give you the opportunity to review and consent before the changes take effect

18.2 Continued Use

Your continued use of the Platform after the effective date of an updated Privacy Policy constitutes your acceptance of the updated terms. If you disagree with any changes, you may terminate your account before the effective date.

Section 19

Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Golden Ratio, LLC dba address.bot
Privacy Inquiries
3556 S 5600 W, Suite #1-1038
Salt Lake City, UT 84120
Email: privacy [at] address [dot] bot
General Support: support [at] address [dot] bot

We will acknowledge receipt of all privacy-related inquiries within two (2) business days and provide a substantive response within thirty (30) days.

By creating an account on address.bot, claiming an Account Intent, completing the recipient flow, or using our services, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.
