Privacy Policy

Last updated: March 17, 2026

Overview

Decoy (“we”, “us”, “our”) operates the decoy.run website and the Decoy MCP security service. This policy explains how we collect, use, and protect your information.

Information We Collect

Account Information

When you create an account, we collect your email address. We use this to authenticate you, send security alerts, and communicate product updates. We do not require a password — authentication is via magic links and passkeys (WebAuthn).

Trigger Data

When a honeypot tool is called by an AI agent, we log the tool name, arguments passed, severity classification, agent fingerprint, and timestamp. This data is retained for 30 days (Free plan) or 90 days (Pro plan) and is used exclusively to provide security monitoring to you.

Agent Fingerprints

We generate a SHA-256 hash of your agent's client name, version, and user agent string to create a fingerprint. This allows you to identify which agents triggered alerts. The raw strings are stored; the fingerprint is a truncated hash.

Payment Information

Payment processing is handled entirely by Stripe. We do not store credit card numbers, CVVs, or full card details. We store only your Stripe customer ID and subscription ID to manage your plan.

Usage Data

We use Cloudflare Analytics, which collects aggregated, anonymized traffic data (page views, country, browser). No cookies are set for analytics. No personally identifiable information is collected by our analytics.

How We Use Your Information

  • To provide and maintain the Decoy security monitoring service
  • To send you security alerts (email, webhook, Slack) when triggers fire
  • To authenticate your access to the dashboard and API
  • To process payments via Stripe
  • To send onboarding emails (welcome, research, digest preview) — you can unsubscribe anytime
  • To improve the product based on aggregated, anonymized usage patterns

Data Storage & Security

All data is stored on Cloudflare Workers KV, a globally distributed key-value store. Data is encrypted at rest and in transit. Sessions use HttpOnly, Secure, SameSite cookies. WebAuthn passkeys use public-key cryptography — no shared secrets.

Data Retention

  • Trigger data: 30 days (Free) or 90 days (Pro), then automatically deleted via TTL
  • Account data: Retained until you delete your account
  • Session data: 30-day TTL, automatically expired
  • Threat intelligence: 30-day TTL, sourced from public feeds (NVD, GitHub Advisories, CISA)

Third-Party Services

  • Cloudflare: Hosting, CDN, analytics, KV storage
  • Stripe: Payment processing
  • Resend: Transactional email delivery

We do not sell, rent, or share your personal information with any other third parties.

Your Rights

You can request a copy of your data, request deletion of your account, or update your email by contacting us at [email protected]. We respond to all requests within 30 days.

Cookies

We use a single HttpOnly session cookie (__decoy_session) for authentication. We do not use tracking cookies, advertising cookies, or third-party cookies.

Changes to This Policy

We may update this policy from time to time. We will notify you of significant changes via email or a notice on our website.

Contact

Questions about this policy? Email us at [email protected].