Privacy Policy

Fidacy is a trust and verification layer for AI agents. It decides on signed mandates and risk metadata, not on funds, card numbers, or account credentials. This policy explains what data we process, why, and the choices you have. Effective 3 July 2026.

Fidacy is non-custodial. We never hold your money, and we never store card numbers or bank credentials. The free tier runs local-first on your machine and works with no account at all.

Who we are

The service at fidacy.com and api.fidacy.com is operated by Zeepcode Group (“Fidacy”, “we”). For privacy questions or requests, contact privacy@fidacy.com. For customers in the EU/UK, Fidacy acts as a data processor for the assessment data you send us, and as a data controller for account and billing data; a Data Processing Agreement is available on request.

What we process

| Category | What it is | Why | Basis |
| --- | --- | --- | --- |
| Account data | Email, organization name, API keys (hashed), billing identifiers. | Create and operate your account, authenticate API calls, bill usage. | Contract |
| Assessment metadata | The mandate, agent identity, risk_data, and decision you send to /v1/assess or the firewall. Never card numbers or credentials. | Return and sign a verdict, and record it in the tamper-evident audit. | Contract / legitimate interest |
| Anonymous usage telemetry | A random install id (UUID), event type, a coarse decision-result enum, client version, and shell. No payee, amount, currency, content, or PII. | Measure adoption and reliability. Never on the decision path. | Legitimate interest · opt-out |
| Operational logs | Request timing, error codes, coarse IP for rate-limiting. No request bodies. | Security, abuse prevention, reliability. | Legitimate interest |

What we never collect

Local-first free tier

The free tier of @fidacy/mcp and the OpenClaw plugin run entirely on your machine. Configuration and the audit log live under ~/.fidacy, and no account is required. The only data that leaves your machine is the anonymous telemetry described above, which you can disable completely by setting FIDACY_DISABLE_TELEMETRY=1.

Anonymous telemetry, in detail

Telemetry is declared, opt-out, anonymous, and best-effort. It carries only a random install id, a timestamp, the event type (install, active, decision, upgrade-intent), a coarse decision result (allow / deny-cap / deny-payee / deny-scope), the client version, and the shell it runs in. It never carries a payee, an amount, a currency, an email, or any request content, and it never sits on the critical path of a decision. Disable it with FIDACY_DISABLE_TELEMETRY=1.

Sharing and sub-processors

We do not sell personal data. We share data only with the small, named set of sub-processors needed to run the service (hosting, managed database, the LLM reasoner, and payment processing). The current list and change-notification policy live on the sub-processors page. Payment processing is handled by Stripe; Fidacy never sees full card numbers.

Retention and residency

For EU/UK customers, assessment data and the audit chain are kept in an EU region. We retain account and assessment records for the life of the account plus the period required for legal, audit, and dispute purposes, then delete or anonymize them. The append-only audit chain is designed to be tamper-evident and is anchored to Bitcoin; its hashes are, by nature, permanent, but they contain no personal data.

Your rights

Depending on where you live, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. Exercise any of these by writing to privacy@fidacy.com. Because the free tier stores your data only on your own machine, you can exercise most of these rights directly by editing or deleting the files under ~/.fidacy.

Security

Verdicts are Ed25519-signed and independently verifiable against our public keys. API keys are stored only as hashes. Access to production data is least-privilege and row-level-security enforced. See the Trust Center for our full security posture.

Changes

We may update this policy as the product evolves. Material changes will be reflected here with a new effective date, and, for account holders, announced by email. Continued use after an update means you accept the revised policy.

Questions? Write to privacy@fidacy.com. This policy is provided for transparency and is not legal advice.