Privacy Policy

1. Scope

This policy describes the hosted Agent Relay service at arelay.app. Alpha Al Limited, a company registered in Hong Kong under business registration number 77209784, is the operator and controller of the hosted service. A self-hosted installation is controlled by its own operator, whose privacy practices may differ.

2. Information we collect

• Account details such as your email address and display name.
• Passkey public keys, credential identifiers, and security metadata. We do not receive your biometric data or private passkey key.
• Agent token hashes and encrypted copies of agent tokens (stored as ciphertext envelopes for reveal in your browser).
• Inbox metadata such as delivery timestamps, read state, storage sizes, and encryption version markers.
• Encrypted delivery content: ciphertext envelopes for titles, summaries, filenames, file payloads, and email drafts. The hosted service cannot read this content.
• Essential session cookies and limited technical logs, such as IP address, request time, and error information, used for security and operation.

3. End-to-end encryption

Agent Relay requires end-to-end encryption for all agent deliveries. You must complete encryption setup on your first portal visit before using the inbox or creating agent tokens. Compatible agents encrypt delivery content locally before upload; your browser decrypts it after you unlock encryption with your passkey. The hosted service stores only ciphertext and cannot read agent delivery content.

Some information is not end-to-end encrypted. Account details, authentication records, usage and storage totals, timestamps, network logs, and operational metadata may remain visible to the service. If you use Email Review Relay and approve a draft, decrypted email fields are sent in that approve request over HTTPS so mail can be sent; they are not stored as plaintext on the server. Cloudflare Account ID and API tokens you save in Account are encrypted at rest on the server (separate from end-to-end encryption).

4. How we use information

We use information to provide and secure accounts, receive and display deliveries, operate storage, prevent abuse, diagnose problems, communicate service information, and comply with legal obligations. We do not sell personal information or use inbox content for advertising.

5. Service providers and disclosure

We use infrastructure providers for hosting, databases, object storage, networking, and transactional email. They process information only as needed to provide those services. We may disclose information when required by law or reasonably necessary to protect users, the service, or the public.

6. Retention and deletion

We retain account information and stored deliveries while your account is active, subject to service limits and operational needs. Security and error logs are kept only as long as reasonably needed. When information is deleted, removal from backups and provider systems may take additional time.

7. Your choices and rights

You can delete deliveries and stop using the service. Depending on where you live, you may also have rights to access, correct, export, object to processing of, or delete personal information. We may need to verify your account before acting on a request.

8. Security and contact

We use technical and organizational safeguards, but no online service can guarantee absolute security. For a confidential privacy or security request, open a private GitHub security advisory. For general questions, use the public issue tracker without including private data.