Privacy Policy

If you connect a wallet

• Public Base wallet address
• Signed messages (SIWE for sign-in, manifest signatures for API registration)
• Onchain transactions to/from your address — but these are public on Base anyway

If you sign up with email / OAuth

• Email address (or hashed identifier from OAuth provider)
• OAuth profile basics (display name, avatar URL) — if you authorize them
• No password content — we use OAuth tokens or hashed passwords only

If you call APIs (even anonymously)

• Request timestamp + endpoint called + status code (for rate-limit + analytics)
• Truncated IP address (last octet zeroed) — only for rate-limit / abuse prevention
• User-agent string
• No request body content is logged

If you register an API

• Endpoint URL (public — listed in marketplace)
• Display name, description, provider handle, pricing, category
• Lifetime call count + cumulative USDC earned (public on the marketplace + your profile)

• Private keys, seed phrases, or wallet passwords — we never see them
• API request payloads (the actual prompt / token / params you send)
• API response bodies
• Cross-site tracking pixels, ad attribution, fingerprinting
• Real-time location, contacts, or anything beyond the listed items

• Operate the marketplace — list APIs, route calls, settle payments
• Rate-limit abuse — 100 req/min/IP on the public MCP endpoint
• Builder dashboard — show your registered APIs + accrued USDC
• Newsletter / alerts — only if you opted in
• Aggregate analytics — total marketplace volume, top APIs, etc. (de-identified)
• Detect fraud — wash-trading, fake review patterns, sanctioned wallets

We share data with a small set of vendors needed to run the service:

• Vercel — hosting and edge functions
• Upstash Redis (KV) — rate-limit counters, registry persistence
• Coinbase CDP — x402 facilitator for USDC settlement on Base
• Base mainnet (public blockchain) — anything settled on-chain is public
• Google / GitHub — only if you used their OAuth to sign in

We don't sell data to advertisers, brokers, or third parties not listed above. If law-enforcement requests data with valid process, we'll comply while pushing back on overbroad requests where possible.

Everything that touches Base mainnet is public forever:

• Your wallet address
• Every USDC transfer (calls you paid for, revenue you received)
• Stake / unstake transactions for $BLUEAGENT
• API registration manifests (signed message hash)

We can't delete onchain history. If you want privacy from blockchain analytics, use a fresh wallet — that's the standard playbook.

We use:

• Session cookie (if you sign in with email/OAuth) — strictly necessary
• localStorage — for theme preference, sidebar collapse, cached results
• No third-party tracking cookies. No advertising cookies.

Depending on where you live (GDPR, CCPA, etc.) you have rights to:

• Access — request a copy of data we hold about you
• Delete — request removal of email/OAuth data; wallet + onchain history can't be deleted
• Object — opt out of newsletter or non-essential processing
• Portability — export your data (CSV) from the dashboard

Request these by emailing the address in our GitHub README, or DM @blueagent_ on X. We respond within 30 days.

Blue Agent isn't designed for users under 13 (or under 16 in EEA). We don't knowingly collect data from minors. If you believe a minor has used the service, contact us and we'll delete the account.

• Email / OAuth identifiers — until you delete your account
• Wallet manifest signatures — kept while APIs remain listed; archived 90 days after delist
• Request logs — 30 days rolling window for rate-limit / abuse review
• Aggregate analytics — kept indefinitely (de-identified)

Data is processed in the United States (Vercel) and the region you connect from. If you're in the EEA / UK, we rely on Standard Contractual Clauses where applicable.

We encrypt data in transit (HTTPS) and at rest (Upstash + Vercel defaults). We don't custody your funds — your wallet holds them. No system is perfectly secure; we'll notify users of breaches that affect them in line with applicable law.

We'll update this policy as the product evolves. Material changes ship with a blog post and a banner on the site. You can always read the latest version here.

Privacy questions: @blueagent_ on X or Telegram. Formal notices: see the registered entity disclosure in our GitHub README.