
Legal

Privacy policy

Effective 13 May 2026

1. Who we are

BehalfID (“we”, “us”, “our”) operates behalfid.com and provides permission-verification infrastructure for AI agents. Questions about this policy may be directed to legal@behalfid.com.

2. Data we collect

Account data

When you create a developer account we collect your email address and a hashed password. We do not store your plaintext password at any point.

Agent and permission data

Agent names, permission configurations, scope definitions, and expiry dates you create inside the dashboard are stored and associated with your account. API keys are stored only as SHA-256 hashes and are shown to you once at creation.

Verification request data

When your integration calls POST /api/verify, we log the agent ID, action, vendor or resource, optional amount, decision outcome, risk level, and a stable request ID. We do not log your API key; only its hash is ever stored. Raw metadata fields are logged only when BEHALFID_LOG_METADATA is enabled. Verification logs are accessible only to the account that owns the agent.

Technical and usage data

We collect IP addresses for rate-limiting and abuse prevention. These are not linked to user accounts for analytics or profiling purposes.

Billing data

BehalfID does not currently process payments. No payment card or billing data is collected or stored.

3. Cookies and local storage

Authentication cookie

A session cookie (bhf_dev_session) is set when you log in to the developer dashboard. It is HTTP-only, scoped to this domain, and expires when your session ends or after 30 days of inactivity. This cookie is strictly necessary — the dashboard cannot function without it.

Preferences

Theme preference (light / dark) is stored in localStorage and never transmitted to our servers.

Cookie consent

Your cookie-consent choice is stored in localStorage under the key behalf_cookie_consent. It is not transmitted to our servers.

4. How we use your data

  • To authenticate and operate your developer account.
  • To execute, log, and deliver webhook events for verification requests.
  • To enforce rate limits and detect abuse.
  • To respond to support or security enquiries.

We do not sell your personal data. We do not use your verification request data to train machine-learning models.

5. Analytics

BehalfID does not currently use third-party analytics, advertising networks, or cross-site tracking. No tracking cookies or fingerprinting scripts are loaded on any page of the service.

6. Data retention

  • Verification logs — retained for 90 days, then automatically purged.
  • Webhook delivery records — retained for 30 days.
  • Account data — retained for the lifetime of the account. Deleted within 30 days of a verified deletion request.
  • IP addresses used for rate limiting — stored in memory only; not persisted to disk.

7. Third-party processors

Processor | Purpose | Data shared
MongoDB Atlas | Database hosting | All stored account, agent, and log data
Vercel | Hosting and edge delivery | Request metadata (IP, path) for routing and abuse prevention

8. Your rights

Depending on your jurisdiction you may have the right to access, correct, delete, or port your personal data, and to object to or restrict certain processing.

To exercise any of these rights, email legal@behalfid.com. We will respond within 30 days. Verification logs can also be deleted immediately from the dashboard logs page.

9. Security

All data is transmitted over TLS. API keys are stored as SHA-256 hashes. Developer passwords are hashed with scrypt. Sessions use HTTP-only cookies. See our security page for a detailed breakdown of the enforcement model, secrets handling, and known limitations.

10. Changes to this policy

We may update this policy to reflect product changes or legal requirements. The effective date at the top of this page is updated whenever a material change is made. Continued use of BehalfID after a change constitutes acceptance of the revised policy.

11. Contact

Data controller: BehalfID
Email: legal@behalfid.com

© 2026 BehalfID