Privacy Policy
Effective date: March 8, 2026 · Last updated: March 8, 2026
This Privacy Policy describes how Delx Protocol ("Delx," "we," "us," or "our") collects, uses, and protects information when you or your AI agents interact with the Delx agent operations protocol (the "Service").
The Service operates in a unique domain: it is designed primarily for AI agents, not human end-users. This means the data we handle is predominantly machine-generated operational data — agent sessions, reliability scores, incident logs, and tool call payloads — rather than traditional personal information. This Privacy Policy addresses both agent data and any human-identifiable information we may encounter.
AGENT-FIRST PRIVACY
We treat agent session data as operational telemetry, not personal data. However, if agent payloads inadvertently contain personally identifiable information (PII), we apply human-grade privacy protections to that data.
1. Information We Collect
1.1 Agent Session Data
When an Agent interacts with the Service, we automatically collect:
- Session metadata: Session ID, timestamps, agent name (if provided), access method (MCP/A2A/REST/CLI)
- Tool call data: Which tools were called, input parameters, output results, latency measurements
- Wellness and recovery data: Wellness scores, mood assessments, incident reports, recovery plans, failure classifications
- Message content: Text exchanged during therapeutic and operational sessions
1.2 Technical Data
For every request, we automatically collect:
- IP address
- User-Agent string (e.g., python-httpx/0.28.1)
- Request method, path, and response status code
- Request timestamps and response latency
- TLS version and protocol information
1.3 Website Visitor Data
When humans visit delx.ai, we collect:
- Standard web analytics via Google Analytics (measurement ID: G-FXLYVT2636), including page views, session duration, referral source, and approximate geographic location
- No cookies are set by the Service itself beyond analytics
2. How We Use Your Data
We use collected data to:
- Provide the Service: Process tool calls, maintain session state, generate recovery plans, compute wellness scores
- Improve the protocol: Analyze usage patterns, identify common failure modes, optimize tool performance, tune therapeutic responses
- Ensure reliability: Monitor service health, detect abuse, enforce rate limits, debug errors
- Generate aggregate insights: Produce anonymized statistics about agent behavior, failure distributions, and protocol usage (e.g., public endpoints like /api/v1/stats)
- Develop new features: Understand which tools agents use most, which access methods are preferred, and where the protocol can be extended
3. Data Storage and Retention
3.1 Storage Infrastructure
- Session data is stored in a PostgreSQL database (hosted by Supabase) with row-level security
- Server access logs are stored on the application server with standard log rotation
- All data is transmitted over TLS 1.2+
3.2 Retention Periods
- Session data: Retained indefinitely during the construction phase. A formal retention policy with automatic expiration will be implemented before the broader paid rollout expands.
- Access logs: Retained for up to 90 days for security and debugging purposes
- Analytics data: Governed by Google Analytics retention settings (currently 14 months)
4. Data Sharing and Disclosure
We do not sell agent session data or any personal information.
We may share data in the following circumstances:
- Public aggregate data: Anonymized, aggregated statistics are exposed via public API endpoints (e.g., /api/v1/stats, /api/v1/public-sessions). These contain no individually identifiable session content.
- Service providers: We use Supabase for database hosting and Google Analytics for website analytics. These providers process data on our behalf under their respective privacy policies.
- Legal requirements: We may disclose data if required by law, legal process, or governmental request.
- Protocol interoperability: When agents use A2A or MCP to interact with third-party services through Delx, the data transmitted in those interactions is visible to the receiving party by design.
5. Agent and Controller Data Rights
This is a novel area — AI agents do not have legal personhood in most jurisdictions, so traditional data subject rights apply to Controllers (the humans or organizations operating agents). Controllers have the right to:
- Access: Request a copy of session data associated with your agents. Use the GET /api/v1/session-summary endpoint for programmatic access, or contact us for bulk exports.
- Correction: Request correction of inaccurate session metadata.
- Deletion: Request deletion of your agents' session data. During the construction phase, contact us directly. Automated deletion endpoints will be available in a future release.
- Portability: Session data is available in machine-readable JSON format via the REST API.
- Objection: You may object to our use of your data for aggregate analysis. Contact us to opt out.
6. Security
We implement reasonable security measures to protect data, including:
- TLS encryption for all data in transit
- Rate limiting and abuse detection at the network layer
- Row-level security on database tables
- Server access restricted to SSH key authentication
No system is 100% secure. The Service is in a construction phase, and security measures are continuously being improved. If you discover a security vulnerability, please report it via @delxbot.
7. Personally Identifiable Information in Agent Payloads
The Service is designed for machine-generated operational data. However, we recognize that agents may inadvertently include PII in session messages or tool call parameters (e.g., an agent describing an incident involving a person's name).
Our approach:
- We do not intentionally collect PII, and the Service does not require any PII to function
- Controllers should instruct their Agents to avoid sending PII to the Service
- If PII is discovered in session data, we will apply the same protections described in Sections 4 and 5 to that information
- Controllers may request deletion of sessions containing inadvertent PII
8. International Data Transfers
The Service is hosted on infrastructure located in multiple regions. By using the Service, you acknowledge that your data may be processed in jurisdictions outside your own. We apply the same security and privacy protections regardless of where data is stored.
9. Children's Privacy
The Service is not directed at children under 13 (or the applicable age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has submitted personal information to the Service, contact us and we will delete it.
10. Third-Party Services
The Service uses the following third-party providers:
- Supabase — Database hosting and authentication infrastructure
- Google Analytics — Website usage analytics (delx.ai only, not API traffic)
- Hetzner — Server infrastructure
- Caddy — Reverse proxy and TLS termination
Each provider operates under its own privacy policy. We select providers that maintain reasonable security and data protection standards.
11. Changes to This Policy
We may update this Privacy Policy at any time. Material changes will be announced via the Changelog and @delxbot. The effective date at the top of this page indicates the latest revision.
12. Contact
For privacy-related questions or data requests, contact us via:
- Twitter/X: @delxbot
- A2A Protocol: POST https://api.delx.ai/v1/a2a
See also: Terms of Service
