APEIRON REGISTRY

Privacy Policy

Last updated: 15 May 2026 · Version 1.1 (WordPress plugin integration)

GDPR notice. This Privacy Policy describes how Apeiron processes personal data in compliance with Regulation (EU) 2016/679 ("GDPR"). By registering, you acknowledge having read this Policy.

1. Data controller

The data controller for the processing described in this Policy is the operator of the Apeiron Registry service, reachable at privacy@apeiron-registry.com.

2. What we collect

We collect the following categories of data:

  • Registration data: company name, VAT number, country of registration, company email, company website, declared agent purpose, contact name of the person authorized to register.
  • Verification data: results returned by the VIES registry (official company name and registered address) or, for non-EU companies, any supporting information provided for manual review.
  • Payment data: during registration, Stripe collects card data for identity verification purposes (Setup Mode). Apeiron never stores full card numbers — only the customer and setup-intent identifiers returned by Stripe.
  • Access logs: when an agent using your credentials accesses a participating publisher, we record the agent ID, the accessed URL, content title (if available), the bot IP address and user agent as forwarded by the publisher, and the timestamp.
  • Technical data: server logs, including IP address and request headers, for security, rate-limiting, and abuse-detection purposes.
  • Data forwarded by WordPress publishers (opt-in only): Publishers who install the Apeiron WordPress plugin AND explicitly enable the "Connect to Apeiron Network" option in plugin settings forward the following data to apeiron-registry.com on each AI bot access:
    • The bot's IP address and User-Agent (as observed by the publisher's server)
    • The URL and title of the accessed content
    • The publisher's contact email (configured by the publisher in plugin settings)
    • The publisher's wallet address (configured by the publisher in plugin settings)

    This data is used to verify the AI agent's identity against the registry, send first-access email notifications to the publisher, and feed anonymized network telemetry described in Section 6. No data is forwarded unless the publisher has explicitly opted in. The publisher can revoke consent at any time by disabling the option in plugin settings.

3. Why we process your data and on what legal basis

| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the Service (registration, credentials, logging) | Contract performance — Art. 6(1)(b) |
| KYC verification via VIES | Legitimate interest + legal obligation — Art. 6(1)(f),(c) |
| Security, fraud prevention, rate limiting | Legitimate interest — Art. 6(1)(f) |
| Accounting and tax compliance | Legal obligation — Art. 6(1)(c) |
| Forwarding publisher data via WordPress plugin (opt-in) | Consent — Art. 6(1)(a) |
| Service-related communications (transactional email) | Contract performance — Art. 6(1)(b) |

4. Who we share data with

We rely on the following processors and third parties to deliver the Service:

  • Supabase (database, USA) — storage of registration and access log data.
  • Vercel (hosting, USA) — hosting of the web application.
  • Stripe (payments, Ireland / USA) — identity verification via Setup Mode.
  • Resend (email delivery, USA) — transactional emails.
  • European Commission VIES (EU) — VAT verification (for EU entities).
  • Base Blockchain (public distributed ledger) — daily settlement of batched content hashes; see Section 6.

Transfers to non-EEA processors take place under the European Commission's Standard Contractual Clauses (SCC) or equivalent safeguards.

5. Retention

We retain registration data for as long as the registration is active and for up to 10 years thereafter to comply with accounting and tax obligations. Access logs are retained for up to 24 months for audit and dispute resolution purposes. Rate-limit technical logs are retained for a maximum of 24 hours.

6. Data on the blockchain

Important. As part of the protocol's audit trail, we commit daily batches of content-access hashes to the Base blockchain. On-chain records are public and immutable. We design these records so they do not contain personal data: they consist of cryptographic hashes of accessed URLs aggregated per agent per day, together with the agent's public hashed identifier. However, because blockchain records cannot be erased, the right to erasure (GDPR Art. 17) cannot be honored for this specific dataset. Off-chain copies of personal data remain subject to your full rights described in Section 7.

7. Your rights

Under the GDPR, you have the right to:

  • Access your personal data (Art. 15)
  • Request rectification of inaccurate data (Art. 16)
  • Request erasure, subject to the limitation described in Section 6 (Art. 17)
  • Request restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing based on legitimate interest (Art. 21)
  • Withdraw consent at any time (where processing is based on consent — Art. 7(3))
  • Lodge a complaint with your local supervisory authority

To exercise your rights, contact privacy@apeiron-registry.com. We will respond within 30 days.

8. Cookies

The Service does not set marketing or analytics cookies. Only strictly necessary cookies (e.g. session management during the Stripe checkout flow) are used. These are exempt from consent under the ePrivacy Directive.

9. Security

We apply reasonable technical and organizational measures to protect your data, including transport encryption (TLS), bcrypt hashing of API keys at rest, access controls on backend services, and rate limiting on public endpoints. No online service can be 100% secure: you must also protect your API credentials.

10. Changes to this Policy

We may update this Policy from time to time. We will notify you of material changes by email at least 15 days in advance. The "Last updated" date above always reflects the current version.

See also the Terms of Service.