Privacy Policy

How leashd handles personal data. Short version: leashd is a non-custodial spend-governance layer for AI agents. It never holds your funds or private keys. We process your account data, the connection settings you configure for your own payment rails, the spending policies you define, and the audit logs leashd generates so you can see what your agents did.

Operator note: leashd is operated by HR Online Consulting LLC (DBA BrainBytes Studio) under the brand “BrainBytes Studio.” See Section 1.

Table of Contents

1. Controller (Operator)
2. Overview of Processing
3. Legal Bases for Processing
4. Non-Custodial Architecture (What We Do NOT Process)
5. Security Measures
6. Transmission of Personal Data
7. International Data Transfers
8. Data Storage and Deletion
9. Your Rights
10. California Consumer Privacy Act (CCPA / CPRA) Disclosure
11. Web Hosting (Vercel)
12. Database (Managed Postgres)
13. Authentication
14. Payment Processing for Your Subscription (Stripe)
15. Transactional Email (Resend)
16. Web Analytics
17. Connected Payment Rails (Lightning / Cashu / x402)
18. Use of Cookies and Local Storage
19. Do Not Track and Global Privacy Control
20. Age Requirements
21. Changes and Updates
22. Definitions
23. Contact

1. Controller (Operator)

HR Online Consulting LLC operates leashd under the brand “BrainBytes Studio.” The legal entity is a U.S. limited liability company with its principal office at the address above. There is no Data Protection Officer (DPO); questions about processing are answered directly at the email above.

2. Overview of Processing

Categories of data processed

• Anonymous visitors of the website: log data (IP address, user-agent, timestamp, requested URL). Server logs only, no analytics cookies.
• Registered users: email address, name (optional), password hash, session tokens, account creation and update timestamps, role.
• Workspace / organisation data: workspace name, members, and the spending policies you define (budget caps, per-agent limits, allowed endpoints/mints, time windows, kill-switch state).
• Agent identities: the labels, scoped credentials, and policy bindings you create for each AI agent. These are governance metadata, not wallets.
• Connection settings for your own payment rails: the configuration you enter to let leashd enforce policy against your rails, for example a Lightning node connection URI / macaroon reference, an NWC connection string, a Cashu mint URL, or an x402 wallet endpoint. See Sections 4 and 17 for the strict non-custodial boundary.
• Audit logs: timestamped records of payment-governance events. Which agent requested a payment, to which endpoint, the amount, the rail, and the policy decision (allowed / denied / capped). Generated by leashd so you have a verifiable trail.
• Paying users: Stripe customer ID, subscription ID, plan, status, billing email, payment timestamps, invoice IDs. No card numbers; we never see or store them.
• Anonymous usage analytics: pageviews, referrer, country, device class. No cookies, no person-linkable identifiers.

Categories of data subjects

• Visitors of leashd.dev (anonymous).
• Registered leashd users and their workspace members.
• Paying customers.

Purposes of processing

• Provision of the spend-governance service (defining, enforcing, and auditing agent spending policies).
• Authentication and session management.
• Subscription billing and post-sale support.
• Generating and retaining audit logs so you can verify agent behaviour.
• Transactional email (account, billing, security notices).
• Aggregate usage analytics.
• Security, abuse prevention, and audit-log retention.

3. Legal Bases for Processing

• Contract (Art. 6(1)(b) GDPR / equivalent): processing necessary to provide the service, charge for it, and operate your workspace.
• Legitimate interests (Art. 6(1)(f) GDPR): security, fraud prevention, server logs, IP-truncated aggregate analytics.
• Consent (Art. 6(1)(a) GDPR): we do not currently set any consent-requiring cookies. If we add an optional feature in the future, consent will be requested explicitly.
• Statutory obligation: retention of payment records for tax and accounting purposes per applicable U.S. law.

4. Non-Custodial Architecture (What We Do NOT Process)

This is the most important section. leashd is non-custodial software.

• We never take custody of your funds, your bitcoin, your sats, your stablecoins, or any balance.
• We never hold, generate, escrow, or have unilateral control over your private keys, seed phrases, or any equivalent security element. Where leashd enforces spending limits, it does so through scoped, revocable credentials and policy checks, not by controlling your keys.
• We are not a money transmitter, money services business, exchange, custodian, or financial intermediary. leashd does not move money on your behalf; it authorises or denies payment requests that your own connected rail then settles directly.
• Funds always flow between your connected wallet/node/mint and the counterparty endpoint. leashd sits in the policy path, not the custody path.

Practical consequence: even in a total compromise of leashd, an attacker cannot move your funds, because leashd never holds the keys that can.

5. Security Measures

• TLS/SSL encryption (HTTPS) for all data in transit.
• Password storage uses industry-standard one-way hashing; we cannot recover plaintext passwords.
• Connection secrets you provide (e.g. macaroon references, NWC strings) are encrypted at rest with envelope encryption; they are scoped to the minimum permission needed to enforce policy and are never logged in plaintext.
• Session tokens are short-lived and rotated.
• The database is hosted on private subnets with TLS to the application server.
• No card data is ever stored on our infrastructure; Stripe is the PCI-DSS-compliant processor.
• Access to production secrets is limited to the operator, via least-privilege scoped tokens.

6. Transmission of Personal Data

We disclose personal data only to the processors listed in this Policy and only to the extent strictly necessary to provide the service. We do not sell personal data, and we do not share it for cross-context behavioural advertising.

We may disclose data in response to a valid legal request (court order, subpoena) when compelled by U.S. law. If we receive such a request and the law does not prohibit it, we will notify the affected user.

7. International Data Transfers

Our operator is U.S.-based. Personal data is processed in the U.S. and in any region our service providers operate. For transfers from the EU/EEA/UK to the U.S., we rely on the EU-U.S. Data Privacy Framework (DPF) and, as a safeguard, Standard Contractual Clauses with our service providers. For each provider listed below we indicate the transfer basis.

8. Data Storage and Deletion

• Server logs: retained 30 days, then deleted or anonymised.
• Account & workspace records: retained for the life of the account. Deleted within 30 days of an account-deletion request.
• Spending policies & agent identities: retained while the workspace exists; deleted when removed or when the account is deleted.
• Connection secrets: deleted immediately when you disconnect a rail or delete the account.
• Audit logs: retained for the life of the workspace (you can export them anytime). You can request earlier deletion, subject to fraud-prevention and statutory exceptions.
• Stripe billing data: retained as long as required by tax and accounting law, typically seven (7) years.

9. Your Rights

You have the rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent, and the right to lodge a complaint with your supervisory authority. To exercise any right, email support@leashd.dev. We respond within 30 days; complex requests may be extended by an additional 60 days with notice.

10. California Consumer Privacy Act (CCPA / CPRA) Disclosure

If you are a California resident, the CCPA as amended by the CPRA grants you specific rights, supplementing Section 9.

• Categories collected: identifiers (email, account ID, IP), customer records (billing email), commercial information (subscription tier), internet activity (aggregate analytics), approximate IP-derived geolocation. Inferences: none, we build no behavioural profiles.
• We do not collect: SSNs, financial-account numbers, biometric, health, education, or employment data.
• Sources: directly from you; from your browser; from Stripe on payment events.
• Sale / sharing: we do not sell personal information and do not share it for cross-context behavioural advertising.
• Sensitive personal information: none collected.
• Your rights: to know, delete, correct, opt out of sale/sharing (already the default), and non-discrimination. Email support@leashd.dev with subject “California Privacy Request.” We respond within 45 days.

11. Web Hosting (Vercel)

The Service is hosted on Vercel. Provider: Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA. Privacy policy: vercel.com/legal/privacy-policy. Transfer basis: DPF certified. Vercel processes server log files to deliver the Service and detect abuse; retention up to 30 days.

12. Database (Managed Postgres)

Account records, workspace data, spending policies, agent identities, encrypted connection secrets, and audit logs are stored in a managed Postgres database. Provider details and privacy policy are published on our website and kept current; transfer basis is Standard Contractual Clauses.

13. Authentication

Authentication runs inside our own server using an open-source library. Password hashes, session tokens, and verification records stay in our database. The session cookie is first-party, HttpOnly, Secure, and SameSite=Lax. Magic-link sign-in (if enabled) uses a single-use 15-minute token, stored hashed and invalidated on first use.

14. Payment Processing for Your Subscription (Stripe)

Your subscription to leashd is billed by Stripe. Provider: Stripe, Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA. Privacy policy: stripe.com/privacy. Transfer basis: DPF certified. When you check out you are redirected to a Stripe-operated domain; Stripe processes payment data there under its own policy. We never receive card numbers. On success, Stripe sends a webhook (customer ID, subscription ID, billing email, plan, status, invoice IDs) which we use to set your subscription state and email your receipt.

This is entirely separate from the payments your agents make over your connected rails (Section 17), which never touch leashd's infrastructure or balance.

15. Transactional Email (Resend)

We use Resend to deliver account, billing, and security emails. Sender domain is leashd.dev, verified with SPF and DKIM. Provider: Resend, Inc., 2261 Market Street #4667, San Francisco, CA 94114, USA. Privacy policy: resend.com/legal/privacy-policy. Transfer basis: Standard Contractual Clauses. Only your email address, name (if provided), and the message body are sent to Resend.

16. Web Analytics

We use a cookieless, first-party analytics service that records pageviews, referrer, country (IP-derived), and a coarse device class. No client-side identifiers are stored. We do not use Google Analytics, Tag Manager, Facebook/TikTok/X/LinkedIn pixels, or any third-party tracking script.

17. Connected Payment Rails (Lightning / Cashu / x402)

When you connect a payment rail so leashd can enforce policy, the following applies:

• You provide connection settings (e.g. a Lightning node URI with a scoped, spend-limited macaroon, an NWC connection string, a Cashu mint URL, or an x402 wallet endpoint). These are encrypted at rest (Section 5).
• leashd uses these only to (a) read the state needed for policy decisions and (b) authorise or deny a payment request according to your policy. Settlement happens on your rail, between your wallet/node/mint and the counterparty.
• leashd never receives, holds, or routes your funds. See Section 4.
• We recommend connecting credentials that are themselves scoped (e.g. macaroons restricted to the minimum permissions, NWC budgets) so that the credential's own limits reinforce leashd's policy. Defence in depth.

18. Use of Cookies and Local Storage

We use first-party storage only: a necessary session_token cookie (HttpOnly, Secure) for your authenticated session, and a leash-theme localStorage entry for your light/dark preference. We set no third-party cookies. Stripe cookies, when present, are set by Stripe on its own checkout domain, not on leashd.dev.

19. Do Not Track and Global Privacy Control

We respect the Sec-GPC: 1 Global Privacy Control header and the legacy DNT: 1 header. Because we do not engage in cross-context behavioural advertising, the signal has no behaviour to suppress, but we treat it as a standing opt-out and document it for auditability.

20. Age Requirements

leashd is a developer tool not directed to children. Creating an account requires you to be at least 18 years old, in line with our payment processor's terms. We do not knowingly collect personal information from children under 13 (COPPA threshold). If a parent or guardian believes we have, email support@leashd.dev and we will delete it promptly.

21. Changes and Updates

We update this Policy as the service evolves. The “Last updated” date reflects the most recent substantive change. For material changes affecting your rights, we notify registered users by email and surface an in-product notice.

22. Definitions

• Personal data: any information relating to an identified or identifiable natural person.
• Controller (operator): the entity that determines the purposes and means of processing, here, HR Online Consulting LLC.
• Processor: a third party that processes personal data on behalf of the controller (Vercel, the database provider, Stripe, Resend).
• Non-custodial: an architecture in which the operator never holds or controls the user's funds or private keys.
• Audit log: a timestamped record leashd generates of agent payment-governance events.
• Sale / Sharing (CCPA): exchange or cross-context-advertising disclosure of personal information, we do neither.

23. Contact

For any privacy question, or to exercise any right described above: