Skip to contentAgent? Read agent.txt
DocumentationChangelog

Privacy Policy

Effective March 17, 2026

Decoy operates decoy.run and the Decoy security service ("Service"). This policy describes what we collect, how we use it, and the choices you have.

Information we collect

Account information

You give us an email address to sign in, receive security alerts, and get product updates. We use magic links and passkeys (WebAuthn) in place of passwords.

Trigger data

When an agent invokes one of your tripwires, we log the tool name, the arguments passed, the severity, the agent fingerprint, and the timestamp. This data is retained for 90 days and used exclusively for your security monitoring.

Agent fingerprints

We generate SHA-256 hashes from the client name, version, and user-agent string presented by an agent. The fingerprint is a truncated hash. We do not store the raw identifying strings.

Payment information

We do not store credit card numbers, CVVs, or full card details. Stripe handles payments. We retain only the Stripe customer ID and subscription ID against your account.

Usage data

Cloudflare Analytics collects aggregated, anonymized traffic data. We do not use cookies for analytics and do not collect personal identifiers through analytics.

How we use your information

  • To provide and maintain the Service
  • To deliver security alerts over email, webhook, and Slack
  • To authenticate you in the dashboard and API
  • To process payments through Stripe
  • To send onboarding communications (unsubscribe available at any time)
  • To improve the product using anonymized patterns

Data storage and security

Data is stored in Cloudflare Workers KV with encryption at rest and in transit. Sessions use HttpOnly, Secure, SameSite cookies. WebAuthn uses public-key cryptography with no shared secrets.

Data retention

  • Trigger data: 90 days, then automatically deleted
  • Account data: retained until you delete your account
  • Session data: 30-day TTL
  • Threat intelligence: 30-day TTL (sourced from public signals)

Third-party services

  • Cloudflare — hosting, CDN, analytics, and storage
  • Stripe — payment processing
  • Resend — transactional email delivery

We do not sell, rent, or share your personal information with any other third parties.

Your rights

You can request a copy of your data, request deletion of your account, or update your email address by contacting us. We respond within 30 days.

International privacy rights

GDPR (EEA, UK, Switzerland)

Legal basis for processing:

  • Contract performance to deliver the Service
  • Legitimate interest in analytics and fingerprinting for threat detection
  • Consent for onboarding and marketing email

Your rights: access, rectification, erasure, data portability, objection, restriction of processing, and the right to lodge a complaint with your supervisory authority.

International transfers: Cloudflare operates globally with EU-U.S. Data Privacy Framework certification and Standard Contractual Clauses. Stripe is similarly certified.

CCPA (California)

California residents may request disclosure of what we collect, deletion of their data, and opt-out of "sales" of personal information. We do not sell personal information. We respond within 45 days.

Cookies

We set a single HttpOnly session cookie (__decoy_session) to keep you signed in. We do not use tracking, advertising, or third-party cookies.

Changes to this policy

We will notify you by email or a notice on the website for significant changes.

Contact

Questions about this policy? Email [email protected].