Privacy Policy

Last updated: March 2026

1. Introduction

Sgraal Protocol ("Sgraal", "we", "us", or "our") is operated by Sgraal Protocol. This Privacy Policy explains how we collect, use, and protect information when you use our Memory Governance Protocol service at sgraal.com and api.sgraal.com.

2. Information We Collect

2.1 API Usage Data

When you call our API, we process memory state objects you submit. By default, we do not store the content of memory entries — only metadata (timestamps, decision outcomes, omega scores, domain labels).

2.2 Account Data

If you create an account at app.sgraal.com, we collect your email address, API key usage statistics, and billing information processed by Stripe.

2.3 Log Data

We collect standard server logs including IP addresses, request timestamps, and response codes for security and debugging purposes. Logs are retained for 30 days.

3. How We Use Your Data

  • To provide and improve the Sgraal API service
  • To generate compliance reports when requested
  • To detect abuse and enforce our Terms of Service
  • To send critical service notifications (not marketing)
  • To comply with legal obligations under EU law

4. Zero-Knowledge Mode

Enterprise customers may enable ZK mode, in which memory content is never transmitted to our servers. Validation is performed using cryptographic proofs. In ZK mode, we store only the omega score, decision outcome, and proof hash.

5. Data Sharing

We do not sell your data. We share data only with:

  • Supabase — database infrastructure (EU region)
  • Railway — API hosting infrastructure
  • Stripe — payment processing
  • Upstash — Redis state management

All subprocessors are bound by data processing agreements compliant with GDPR Article 28.

6. Data Retention

Decision metadata is retained for 90 days by default. Enterprise customers may configure custom retention periods. Upon account deletion, all personal data is purged within 30 days. Audit logs required for compliance (EU AI Act, GDPR) may be retained for up to 10 years as required by law.

7. Your Rights (GDPR)

As a data subject under GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Request erasure ("right to be forgotten")
  • Receive your data in a portable format (data portability)
  • Object to processing
  • Lodge a complaint with your national supervisory authority

To exercise these rights, contact us at: hello@sgraal.com

8. Cookies

sgraal.com uses no tracking cookies. app.sgraal.com uses essential session cookies only. We do not use advertising or analytics cookies.

9. Contact

Data Controller: Sgraal Protocol
Email: hello@sgraal.com
EU Representative: Sgraal Protocol team