Privacy Policy
version 1.0 · effective 2026-05-01 · GDPR-compliant
This Privacy Policy describes how Tadeáš Raška, a natural person doing business at Praha, Czech Republic, contact tadeas@raska.eu (the "Controller", "we", "us"), processes personal data in connection with the AAM Platform service (the "Service") operated at aam-platform-gamma.vercel.app.
We process personal data in accordance with Regulation (EU) 2016/679 (the "GDPR"), Act No. 110/2019 Sb. on the Processing of Personal Data, and Act No. 480/2004 Sb. on Certain Information Society Services. Capitalised terms not defined here have the meanings given in the Terms of Service.
1. Identity of the Controller
Controller: Tadeáš Raška, Praha, Czech Republic.
Contact for privacy matters: tadeas@raska.eu.
Postal address: available on written request to the email above.
A Data Protection Officer has not been appointed under Article 37(1) GDPR because (i) we are not a public authority, (ii) our core activities do not consist of regular and systematic monitoring of data subjects on a large scale, and (iii) we do not process special categories of personal data on a large scale. The Controller acts as the single privacy point of contact.
2. Categories of personal data we process
- Account identification. Email address. If you sign in with Google, additionally: Google account ID, display name, profile photo URL.
- Authentication artefacts. Firebase user ID (UID), session-cookie token, password hash (stored only by Firebase Authentication using SCRYPT, never visible to us).
- Site & configuration data. Site name, domain you declare, network preference (e.g. base,base-sepolia), payment recipient wallet address. Where you connect a third-party integration (Stripe, Reservio, Calendly), the resulting OAuth refresh tokens are stored encrypted at rest with AES-256-GCM.
- Action definitions. Action identifier, label, parameter schema (JSON Schema-like), pricing, executor type, and executor configuration including any webhook URL and headers (header values flagged secret are encrypted at rest).
- Audit Events. For each consent grant, payment challenge, action invocation, or related event: timestamp; agent vendor identifier supplied by the agent (HTTP header X-Agent-Vendor); agent run identifier; end-user wallet address (the public address of the end user's wallet, if any); action identifier; HTTP status; structured detail (e.g. error reason, payment proof identifier).
- Operational logs. Vercel hosting logs and Google Cloud Logging entries containing IP address, user-agent, request method, path, response status, and response time. Short-lived (typically 24-72 hours).
- Communications. The contents of any email or message you send to us in support of the Service.
We do not knowingly collect special categories of personal data (Article 9 GDPR), data of children under 16, location data, behavioural advertising identifiers, or biometric data.
3. Lawful bases per processing activity
The following table sets out, per processing activity, the purpose, the categories of personal data, the lawful basis under Article 6(1) GDPR, and the retention period.
| Purpose | Categories | Lawful basis | Retention |
|---|---|---|---|
| Provide the Service (account creation, hosting Manifest, executing actions you authorise) | Account, authentication, site, action data | Performance of contract — Art. 6(1)(b) GDPR | Account lifetime + 30 days |
| Operational security, abuse detection, debugging | Operational logs, audit events | Legitimate interest — Art. 6(1)(f) GDPR (balancing test in §6 below) | Logs: 72h. Audit events: 24 months. |
| Authentication (email/password, Google, GitHub) | Email, password hash, OAuth identity tokens | Performance of contract — Art. 6(1)(b) | While account active |
| Service-related operational notices | Email, account state | Performance of contract — Art. 6(1)(b) | Account lifetime + 30 days |
| Tax & accounting records (when paid plans introduced) | Invoice data, identification | Legal obligation — Art. 6(1)(c); Act No. 563/1991 Sb. § 31 | 10 years from end of accounting period |
| Marketing or product updates | | Consent — Art. 6(1)(a); § 7 of Act No. 480/2004 Sb. | Until consent withdrawn |
| Defending or asserting legal claims | As needed, minimised | Legitimate interest — Art. 6(1)(f) | Limitation period under Civil Code (typically 3-10 years) |
4. Service-as-Processor scenarios
When the Customer (the site operator) configures Actions that cause the Service to process personal data of the Customer's end users (e.g. an Action that forwards an end-user's order details to the Customer's webhook), the Service acts as a processor within the meaning of Article 4(8) GDPR and the Customer is the controller for those data.
For such processing, the standard processing terms set out in Section 12 below apply automatically. The Customer remains responsible for all controller obligations, including providing transparency notices to its end users, ensuring a lawful basis for the processing, and responding to data-subject rights requests it receives.
5. Recipients & international transfers
We engage the following sub-processors. Each is governed by a written processing arrangement consistent with Article 28(3) GDPR and, where applicable, by the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914 of 4 June 2021, "SCCs").
| Sub-processor | Role | Location | Transfer mechanism |
|---|---|---|---|
| Google LLC (1600 Amphitheatre Pkwy, Mountain View, CA 94043, USA) and Google Ireland Ltd | Firebase Authentication, Firestore database | Data hosted in eur3 multi-region (Belgium and Netherlands) | SCCs (Module 2, Controller-to-Processor) + EU-US Data Privacy Framework certification of Google LLC; reliance on Article 46(2)(c) GDPR for any incidental US transfers |
| Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA) | Application hosting, edge logs | Function execution and logs in iad1 (US East, Virginia) | SCCs (Module 2); EU-US Data Privacy Framework certification of Vercel Inc. |
| Stripe Payments Europe Ltd (1 Grand Canal Street Lower, Dublin 2, Ireland) — only if a Stripe-backed Action is used | Payment processing for Stripe Checkout | EEA | EEA-based; Stripe is independent controller for payment data |
| Resend Inc. (2261 Market Street #4986, San Francisco, CA 94114, USA) — only if enabled for transactional email | Transactional email delivery | EU-region forwarding; metadata may transit US | SCCs (Module 2) |
We do not sell personal data, do not engage in cross-context behavioural advertising, and do not share personal data with data brokers. The current sub-processor list is published here; we will update this Policy at least thirty (30) days before adding a new sub-processor and the Customer may object on reasonable grounds.
6. Legitimate-interest balancing for Audit Events
We rely on Article 6(1)(f) GDPR for the maintenance of Audit Events. Our balancing test (Recital 47 GDPR) is summarised below for transparency:
- Purpose: security, abuse detection, dispute resolution, regulatory traceability of agent invocations, and providing the Customer (site operator) with a reliable record of agent activity.
- Necessity: The Service's value depends on producing a tamper-evident chronological record of consent grants, payment events, and action invocations. No less intrusive means achieves the same purpose.
- Data-subject impact: Audit Events typically contain only a public wallet address and high-level metadata, not direct identifiers. We do not aggregate Audit Events into behavioural profiles or enrich with third-party identity data.
- Reasonable expectations: Operating an autonomous agent that pays for or invokes paid services creates a reasonable expectation that the receiving service will keep records of the interaction.
- Safeguards: 24-month retention with automated purge; deny-by-default Firestore rules; access on a need-to-know basis; right to object under Article 21 GDPR honoured (subject to overriding legitimate grounds for retention pertaining to litigation defence).
7. Security measures (Article 32 GDPR)
Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to data-subject rights, we apply the following technical and organisational measures:
- TLS 1.2+ in transit; HSTS on production domains.
- Firestore deny-by-default security rules; all writes via the application server using the Firebase Admin SDK with a dedicated service account holding least-privilege roles.
- Server-side validated session cookies (Firebase session cookie) with HttpOnly, Secure, SameSite=Lax flags.
- AES-256-GCM encryption at rest for sensitive integration secrets, with the encryption key held in environment configuration outside the database.
- Replay protection on x402 payment proofs via atomic nonce reservation in Firestore transactions.
- Sub-processor selection based on EU-region availability and SOC 2 / ISO 27001 attestation.
- Periodic credential rotation; logging of administrative access to the project console.
8. Retention
Retention periods are set out in the table at Section 3. After the applicable period, data are deleted or fully anonymised. Backup copies inherent to our hosting infrastructure may persist for up to seven (7) days. We will not knowingly process data beyond the retention period unless required by law or to defend legal claims.
9. Your rights as a data subject
You have the following rights under the GDPR:
- Article 15 — confirmation of processing and access to your personal data;
- Article 16 — rectification of inaccurate or incomplete data;
- Article 17 — erasure ("right to be forgotten"), subject to legal grounds for retention;
- Article 18 — restriction of processing;
- Article 20 — data portability for processing based on consent or contract carried out by automated means;
- Article 21 — objection to processing based on legitimate interests; you may object at any time by writing to tadeas@raska.eu;
- Article 22 — not to be subject to a decision based solely on automated processing producing legal effects (we do not engage in such decision-making);
- Article 7(3) — withdraw consent at any time, without affecting the lawfulness of prior processing.
To exercise any right, write to tadeas@raska.eu. We will respond without undue delay and in any event within one (1) month of receipt (Article 12(3) GDPR), extendable by a further two (2) months for complex requests, in which case we will inform you of the extension and the reasons within the first month.
You have the right to lodge a complaint with the Czech supervisory authority:
Úřad pro ochranu osobních údajů (ÚOOÚ)
Pplk. Sochora 27, 170 00 Praha 7
telephone: +420 234 665 111
email: posta@uoou.cz
web: www.uoou.cz
You may also complain to the supervisory authority of your habitual residence or place of alleged infringement (Article 77 GDPR).
10. Children
The Service is not intended for users under 16 years of age. Pursuant to § 7 of Act No. 110/2019 Sb., the age threshold for valid consent to information-society services in the Czech Republic is 15 years; we apply the higher 16-year threshold conservatively. We do not knowingly collect data from children. If you believe we have, contact us and we will delete it.
11. Automated decision-making & profiling
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on data subjects. Service routing and rate-limiting use deterministic rules without individual evaluation.
12. Data Processing Terms (when we act as processor for the Customer)
Where Section 4 applies, the following terms (the "Processing Terms") form part of the Agreement between us and the Customer.
- Subject-matter: processing of personal data necessary to perform the Service.
- Duration: the term of the Customer's account.
- Nature and purpose: hosting, transmitting, transforming, and logging personal data submitted by Agents on behalf of End Users to fulfil Action invocations the Customer has declared.
- Categories of data subjects: the Customer's end users (typically identified by wallet address or by data fields the Customer chooses to expose in its Action schema).
- Categories of personal data: as configured by the Customer in its Action parameter schema; we have no visibility into or control over such fields.
- Processor obligations: we shall (i) process only on documented instructions (the configuration the Customer enters in the dashboard constitutes such instructions); (ii) ensure persons authorised to process are bound to confidentiality; (iii) implement Article 32 measures (Section 7); (iv) respect Article 28(2)/(4) constraints on engaging sub-processors (Section 5); (v) assist the Customer with Articles 32-36 obligations and data-subject rights; (vi) at the Customer's choice, delete or return personal data at termination, subject to retained Audit Events.
- Audit: we shall make available to the Customer all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by it, no more than once annually except in case of a documented incident; the Customer shall give thirty (30) days' written notice and bear its own costs.
- Sub-processors: the Customer hereby grants general written authorisation for the sub-processors listed in Section 5; any change is notified per Article 28(2) GDPR.
- International transfers: conducted under SCCs as identified in Section 5; the Customer is, where required, a co-data-exporter and accepts the SCC terms by accepting these Processing Terms.
- Personal-data breach notification: we shall notify the Customer without undue delay after becoming aware of a personal-data breach affecting Customer Data and provide the information set out in Article 33(3) GDPR to the extent then known.
The parties may execute a separate written Data Processing Addendum that, where in conflict, prevails over this Section 12.
13. Records of processing (Article 30 GDPR)
As required by Article 30(5) GDPR, we maintain a Record of Processing Activities covering the activities listed at Section 3. The Record is available to the supervisory authority on request.
14. Changes to this Policy
Material changes will be (a) emailed to registered account holders, (b) posted on the dashboard, and (c) reflected in the changelog below, in each case at least fourteen (14) days before they take effect. Continued use after the effective date constitutes acceptance of the updated Policy.
15. Contact
Tadeáš Raška, Praha, Czech Republic · tadeas@raska.eu
Changelog
- 2026-05-01 · v1.0 · expanded from v0.1 plain-language draft to GDPR-grade Policy with lawful-basis matrix, named sub-processors, Article 28 processing terms, Article 6(1)(f) balancing test, Article 32 measures.
- 2026-05-01 · v0.1 · initial publication.