Privacy Policy

We collect information you provide directly, information generated by your use of the platform, and technical data sent automatically by your devices.

1.1 Account and Contact Data

• Full name and job title
• Business email address
• Company name and size
• Password (stored as a salted cryptographic hash — never in plain text)
• Billing contact information

1.2 Usage and Platform Data

• Workflows created, modified, and executed — including names, configurations, and execution counts
• Quotes requested and pricing parameters set
• Feature interactions, dashboard navigation paths, and time spent on pages
• API keys you generate and the calls made against them (request counts, timestamps, endpoints)
• Customer records and segments you create within the platform

1.3 Workflow Execution Data

When your agents execute workflows through WeaveOS, we process and store:

• Workflow inputs and outputs (which may contain content generated by or submitted to AI models)
• Token counts and model identifiers from AI provider calls
• Tool call records, retry counts, and execution durations
• Cost attribution line items (model fees, tool API costs, human-in-the-loop charges)
• Outcome verification artifacts — stored as content-addressed blobs on Walrus decentralised storage; only blob IDs and SHA-256 hashes are stored in our Postgres database
• Attestation payloads and settlement records

1.4 Blockchain and Wallet Data

• Sui wallet addresses you connect or authorise for settlement
• On-chain transaction hashes, object IDs, and settlement amounts
• USDC escrow balances and payout records associated with your account

1.5 Technical and Device Data

• IP address (used for security, rate-limiting, and approximate geolocation at the country level)
• Browser type and version
• Operating system and device type
• Referring URL and exit URL
• Session identifiers and timestamps
• Error logs, crash reports, and API response codes

1.6 Cookie and Analytics Data

• Strictly necessary session cookies (required for login and CSRF protection)
• Preference cookies (theme, language, display settings)
• Analytics identifiers used to measure aggregate product usage (no cross-site tracking)

1.7 Communication Data

• Messages you send us via the contact form, email, or support channels
• Records of consent for marketing communications

We use the data we collect for the following purposes:

• Service provision — to create and maintain your account, process workflow executions, execute USDC settlements, and deliver the platform features you have subscribed to.
• Billing and payments — to calculate GMV-based fees, generate invoices, process subscription charges, and maintain settlement records.
• Security and fraud prevention — to detect, investigate, and prevent unauthorised access, abuse, and violations of our Terms of Service.
• Product improvement — to understand how the platform is used, identify bugs, and prioritise features. Analytics are performed on aggregated or pseudonymised data.
• Transactional communications — to send you account confirmations, settlement notifications, API alerts, and important service updates.
• Support — to respond to your enquiries, diagnose issues, and provide technical assistance.
• Legal compliance — to meet our obligations under applicable laws, respond to lawful requests from authorities, and enforce our agreements.
• Marketing (with consent) — to send product updates, newsletters, and promotional materials where you have opted in. You may unsubscribe at any time.

If you are located in the European Economic Area or the United Kingdom, we rely on the following legal bases to process your personal data:

• Contract performance — processing necessary to provide the services you have signed up for.
• Legitimate interests — security monitoring, fraud prevention, product analytics, and improving our services, where these interests are not overridden by your rights.
• Legal obligation — where we are required to retain or disclose data by applicable law.
• Consent — for marketing communications and non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of prior processing.

We do not sell your personal data. We share data only in the following circumstances:

4.1 Infrastructure and Service Providers

We engage trusted third-party providers who process data solely on our instructions:

• Vercel Inc. — hosting, edge delivery, and serverless compute (United States)
• Neon Inc. — managed Postgres database (United States)
• Mysten Labs / Walrus — decentralised blob storage for workflow artifacts (global, content-addressed)
• Sui Foundation — the public Sui blockchain network (immutable, globally distributed)
• AI model providers — if your workflows call third-party model APIs (e.g., Anthropic, OpenAI), those providers receive the content you submit to those models under their own privacy policies. We only see and store the token-level cost metadata.

4.2 Legal Requirements

We may disclose personal data if required to do so by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of WeaveOS, our users, or the public.

4.3 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website before your data is subject to a different privacy policy.

4.4 With Your Consent

We may share data with third parties for other purposes when you have explicitly authorised us to do so.

WeaveOS is headquartered in Bengaluru, Karnataka, India. Our infrastructure providers operate in the United States and globally. If you are located in a jurisdiction with data transfer restrictions (such as the EU/EEA), please note:

• Transfers to Vercel and Neon (US) are conducted under appropriate safeguards, including Standard Contractual Clauses where required.
• Data written to the Sui blockchain and Walrus network is distributed globally and is subject to those networks’ own properties, which we do not control.

• Account data — retained for the duration of your account and for two years after closure, to comply with legal obligations and resolve disputes.
• Workflow execution and billing records — retained for seven years to satisfy financial record-keeping requirements.
• Technical logs — retained for 90 days, then deleted or anonymised.
• Blockchain data — permanent; we cannot delete data recorded on the Sui network.
• Walrus blobs — retained for the storage epoch you have committed to; we store the blob ID and hash in our database for as long as needed to support dispute resolution.
• Marketing consent records — retained until you withdraw consent plus three years.

Depending on your location, you may have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you.
• Rectification — request correction of inaccurate or incomplete data.
• Erasure — request deletion of your personal data where we have no overriding legal basis to retain it. Note: on-chain data cannot be erased.
• Restriction — request that we restrict processing while a dispute about accuracy or legal basis is resolved.
• Portability — receive a machine-readable copy of data you have provided to us.
• Objection — object to processing based on legitimate interests or for direct marketing.
• Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing.

To exercise any of these rights, email us at privacy@weaveos.xyz. We will respond within 30 days. We may need to verify your identity before acting on your request.

California Residents (CCPA / CPRA)

California residents have the right to know what personal information we collect and how it is used or shared, the right to delete personal information (subject to exceptions), the right to correct inaccurate information, and the right to opt out of the sale or sharing of personal information. We do not sell personal information. To make a CCPA request, contact us at privacy@weaveos.xyz.

We use cookies and similar technologies as described in Section 1.6. You may control cookies through your browser settings. Disabling strictly necessary cookies will prevent you from logging in. Analytics cookies can be declined without affecting core functionality. We honour Do Not Track signals where technically feasible.

We apply appropriate technical and organisational measures to protect your data, including TLS 1.3 for data in transit, AES-256 encryption for data at rest, cryptographic hashing for passwords, and access controls following the principle of least privilege. See our Security page for a full description of our security practices.

Despite these measures, no system is completely secure. In the event of a data breach that is likely to result in risk to your rights, we will notify you and relevant supervisory authorities within 72 hours of becoming aware.

WeaveOS is a business-to-business platform intended solely for use by individuals aged 18 or older acting on behalf of a business entity. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact us at privacy@weaveos.xyz and we will delete it promptly.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a prominent notice on our website and, where we have your email, by sending you a notification at least 14 days before the change takes effect. Your continued use of the platform after the effective date constitutes acceptance of the revised policy.

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:

• Privacy enquiries: privacy@weaveos.xyz
• General contact: team@weaveos.xyz
• Postal address: WeaveOS, Bengaluru, Karnataka, India