APort

The Passport Office for AI Agents

APort Privacy Policy

Last Updated:September 21, 2025
Version:0.0.1

This Privacy Policy explains how APort ("we", "our", "us") collects, uses, and shares information when you use our websites, dashboards, APIs, SDKs, and related services (the "Service"). We build a neutral trust rail for AI agents. Transparency is foundational: we describe what we collect and why.

Information We Collect

1) Account & Organization Info

Contact details (name, email), authentication identifiers (e.g., GitHub user ID). Organization profile (name, domain, membership; where you connect GitHub "read:org" we receive org and membership metadata).

2) Passport Content

Template and Instance Passport data you submit (e.g., owner/controller, capabilities, limits, regions, assurance evidence, links, logos). Public "About" pages you enable. You control what is public.

3) Verification & Policy Calls

Request metadata (timestamps, IP, user agent, headers), agent IDs, policy context fields (e.g., refund amount, export row count), allow/deny results, and reason codes. We intentionally avoid processing sensitive payload data (e.g., raw PII) beyond the minimally necessary context. You should never send confidential data fields beyond what a policy requires.

4) Attestations

Evidence you submit for assurance (e.g., email challenge, GitHub org membership, domain TXT or /.well-known file). We store facts and timestamps; we do not store your GitHub password or OAuth tokens beyond the minimum needed scope.

5) Webhooks & Integrations

Endpoint URLs and delivery logs (success/failure, signatures). We store HMAC secrets to sign events.

6) Cookies & Analytics

Functional cookies (session/auth). Basic analytics (page views, feature usage) to improve the Service. We avoid invasive tracking.

How We Use Information

  • Provide, secure, and improve the Service.
  • Verify Passports and evaluate policy packs.
  • Generate Verifiable Attestation and countersign attestations.
  • Detect abuse, investigate incidents, enforce rate limits.
  • Communicate with you (product updates, security notices, billing).
  • Comply with legal obligations.
We do not sell personal data. We do not train ML models on verification payloads.

Legal Bases (where applicable)

  • Performance of a contract (to provide the Service).
  • Legitimate interests (security, abuse prevention, product improvement).
  • Consent (where required, e.g., certain emails).
  • Legal obligations.

Sharing

We may share with:

  • Service providers (hosting, email, monitoring) under contracts with confidentiality and security obligations.
  • Third-party services you connect (e.g., GitHub) per your authorization.
  • Legal: to comply with law, enforce Terms, or protect rights and safety.
  • Business transfers: in a merger, acquisition, or sale, per applicable law.
We do not publish private Passport data unless you mark it public (e.g., Agent Passport pages).

Data Retention

  • Account and org records: for the life of your account and as required by law.
  • Verify logs: typically 90–180 days for security and audit, unless you request a different retention or law requires otherwise.
  • Attestations: until expiry or revocation.
You can request deletion subject to our need to retain minimal logs for security and legal compliance.

Security

We use reasonable administrative, technical, and organizational measures (e.g., key rotation, HMAC signatures, TLS, access controls). No system is perfect; you are responsible for securing your credentials, API keys, and webhook endpoints.

International Transfers

Your data may be processed in countries other than your own. Where required, we implement appropriate safeguards (e.g., SCCs).

Your Rights

Depending on your location, you may have rights to access, correct, delete, or restrict processing of your personal data. Contact us at support@aport.io. We may ask you to verify your identity.

Children

The Service is not intended for children under 16. We do not knowingly collect data from children.

Changes

We may update this Policy. We will notify you of material changes (e.g., email or in-product notice). Continued use after the effective date constitutes acceptance.

Contact

  • APort — Liftrails Inc.
  • Kitchener, Ontario, Canada
  • Privacy inquiries: support@aport.io
  • Security reports: security@aport.io

This document is part of the APort platform. For questions or clarifications, please contact our support team.