Privacy Policy

Last updated: March 22, 2026

1. Introduction

Fantastic Online Stores PTY LTD (ABN 39 655 964 784), trading as getaid.dev (“we”, “us”, “our”), located in Melbourne, VIC 3064, Australia, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service at getaid.dev (“the Service”). Fantastic Online Stores PTY LTD (trading as getaid.dev) is the data controller for personal data processed through the Service.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your email address, display name, and handle. If you sign up via OAuth (GitHub, Google), we receive your profile information (name, email, avatar URL) from the identity provider.

2.2 Agent Registration Data

When you register an AI agent, we collect the agent's name, description, endpoint URL, protocols, capabilities, tags, model information, and other metadata you provide. This data is displayed publicly in the agent directory. We generate and store the agent's Ed25519 public key. The private key is shown to you once and is never stored.

2.3 Payment Information

Payment processing is handled by Stripe. We do not store credit card numbers or bank account details. We store your Stripe customer ID and subscription IDs to manage your plan.

2.4 Usage Data

We collect analytics data via PostHog to understand how the Service is used. This includes page views, feature usage, and error events. We use IP addresses for rate limiting and abuse prevention (stored in audit logs). We use Cloudflare Turnstile for bot detection, which may collect device fingerprint data.

2.5 Heartbeat Data

If your agent has an endpoint URL, our system periodically checks its availability. We store the results (status, response time, timestamp) in heartbeat logs.

3. Legal Bases for Processing (GDPR)

We process your personal data on the following legal bases under GDPR Article 6:

  • Contract performance: account creation, agent registration, subscription management, and API key issuance are necessary to provide the Service you signed up for
  • Legitimate interest: analytics (understanding usage to improve the Service), abuse prevention (rate limiting, IP logging, Turnstile), heartbeat monitoring (keeping the registry accurate), and audit logging (security and compliance)
  • Consent: marketing communications (if any). You may withdraw consent at any time
  • Legal obligation: responding to legal requests, enforcing our Terms of Service, and complying with applicable laws

4. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Display agent profiles in the public directory
  • Process payments and manage subscriptions
  • Verify your identity for Creator Verification (Tier 2)
  • Monitor agent liveness via heartbeat checks
  • Prevent abuse, fraud, and unauthorized access
  • Send transactional emails (account verification, heartbeat alerts)
  • Analyze usage patterns to improve the Service

5. Data Sharing

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We share data with the following service providers (sub-processors) who process data on our behalf under data processing agreements:

  • Supabase: database hosting and authentication (US)
  • Stripe: payment processing (US)
  • Vercel: application hosting (US, global edge)
  • PostHog: product analytics (US)
  • Resend: transactional email delivery (US)
  • Cloudflare: Turnstile CAPTCHA and DNS (US, global edge)
  • Upstash: rate limiting infrastructure (US)

Agent profile data (name, description, AID, handle, verification tier, status) is publicly accessible by design. This is the core purpose of the registry.

6. International Data Transfers

Your data is processed primarily in the United States by our infrastructure providers. If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, your data is transferred to the US under one or more of the following mechanisms:

  • EU-US Data Privacy Framework (DPF) certifications held by our sub-processors
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable

For enterprise customers requiring a Data Processing Agreement (DPA), please contact privacy@getaid.dev.

If you are located in Australia, we are required under Australian Privacy Principle 8 to inform you that your personal data is transferred to, and processed in, the United States by our sub-processors listed in Section 5. We take reasonable steps to ensure that overseas recipients handle your information in accordance with the Australian Privacy Principles.

7. Data Retention

Account data is retained for as long as your account is active. Upon account deletion, your personal information is anonymized. Agent AIDs and public profile data are retained permanently (they show as “deregistered”) because AIDs are never reused. Heartbeat logs are retained for 90 days. Audit logs are retained for 2 years.

8. Your Rights (GDPR)

If you are in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the right to:

  • Access: request a copy of your personal data
  • Rectification: correct inaccurate personal data
  • Erasure: request deletion of your personal data (subject to AID permanence; AIDs and public agent metadata are retained as “deregistered” but your personal information is anonymized)
  • Restriction: restrict processing of your personal data
  • Portability: receive your data in a structured, machine-readable format
  • Objection: object to processing based on legitimate interests
  • Withdraw consent: where processing is based on consent, you may withdraw it at any time

To exercise these rights, contact us at privacy@getaid.dev. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

9. Your Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with the following rights:

  • Right to know: request the categories and specific pieces of personal information we have collected about you
  • Right to delete: request deletion of your personal information (subject to AID permanence)
  • Right to correct: request correction of inaccurate personal information
  • Right to opt out of sale: we do not sell your personal information
  • Right to non-discrimination: you will not be discriminated against for exercising your privacy rights

To exercise these rights, contact us at privacy@getaid.dev. We will verify your identity and respond within 45 days.

Under the CCPA, Fantastic Online Stores PTY LTD (trading as getaid.dev) acts as a “service provider” with respect to data processed on behalf of enterprise customers. We do not sell personal information and do not use it for cross-context behavioral advertising.

9A. Your Rights (Australian Privacy Act 1988)

As an Australian company, we comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). If you are located in Australia, you have the right to:

  • Access: request access to personal information we hold about you (APP 12)
  • Correction: request correction of inaccurate, out-of-date, or incomplete personal information (APP 13)
  • Complaint: lodge a complaint about our handling of your personal information

To exercise these rights, contact our Privacy Officer at privacy@getaid.dev. We will respond within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

10. Cookies

We use essential cookies for authentication (Supabase session cookies). We use PostHog for analytics, which may set cookies. We do not use advertising cookies. You can control cookie behavior through your browser settings.

11. Security

We implement industry-standard security measures including HTTPS encryption, Ed25519 cryptographic signing, HMAC badge URL signing, Content Security Policy headers, rate limiting, and parameterized database queries. API keys are stored as SHA-256 hashes. Ed25519 private keys are never stored by the Service.

11A. Data Breach Notification

In the event of a data breach that is likely to result in serious harm to affected individuals, we will notify you and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988. For users in the EEA or UK, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33.

12. Children's Privacy

The Service is not directed to individuals under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete the information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 30 days before they take effect. The “Last updated” date at the top reflects the most recent revision.

14. Contact

For privacy-related inquiries, contact us at privacy@getaid.dev.