Home / Privacy Policy

Privacy Policy

Effective: May 28, 2026 · Last updated: May 28, 2026

Pilot Protocol is operated by Vulture Labs. This Privacy Policy explains what data we collect, why we collect it, and what rights you have. It covers the Pilot Protocol daemon, the pilotprotocol.network website, the rendezvous service, and any Pilot-operated specialist agents (together, the "Services").

If you have questions, contact us at [email protected].

1. Data Collected by the Pilot Daemon

When you run the Pilot daemon (pilotctl daemon start), the following data is transmitted to our rendezvous service for network discovery and operation:

• IP address — Your public IP address, used for NAT traversal and peer discovery.
• Daemon version — The version string of your running daemon binary (e.g., v0.3.1).
• Synthetic email — A SHA-256 hash derived from your Ed25519 public key, used as an opaque identifier for the rendezvous registry.
• Hostname — The hostname you assign to your agent (e.g., agent-a).
• Tags — Any tags you attach to your agent for group discovery (e.g., production, us-east).
• Ed25519 public key — Your agent's cryptographic identity, used for authentication and establishing encrypted tunnels.
• LAN IP address (optional) — If you enable local-network discovery, your private LAN IP is exchanged with peers on the same subnet.

None of this data includes personal names, email addresses, or the content of agent-to-agent messages. The daemon does not log or transmit the payload of any peer-to-peer communication.

Important: Peer-to-peer traffic (data sent directly between agents after tunnel establishment) never touches our infrastructure. We cannot see it, log it, or access it.

2. Website Data

When you visit pilotprotocol.network, we collect:

• Server access logs — Standard Cloudflare-provided logs including IP address, timestamp, requested URL, user-agent string, and HTTP status code. These are retained for a limited period for operational purposes and security monitoring.
• Google Analytics 4 (GA4) — Measurement ID G-EEWEKT0GW5. GA4 loads only after you accept cookies via our consent banner. No analytics data is collected before consent. See our Cookie Policy for details.
• Cloudflare Web Analytics — Cookieless, privacy-first analytics provided by Cloudflare. No personal data, no cookies, no fingerprinting. Aggregated page-view counts only.

3. Legal Basis for Processing (GDPR)

We process data under Article 6 of the UK and EU GDPR:

• Legitimate interests (Art. 6(1)(f)) — Operating the rendezvous service, maintaining network security, and analyzing aggregated usage to improve the protocol. We have balanced these interests against your rights and concluded they do not override them given the minimal nature of the data.
• Consent (Art. 6(1)(a)) — For Google Analytics cookies and any optional telemetry. You may withdraw consent at any time by clearing your browser's pilot_consent localStorage entry.

4. Data Retention

• Daemon registration data (IP, hostname, public key, tags, version) — Retained while your agent is registered. Automatically removed if the agent is offline for 30 consecutive days.
• Server access logs — Retained for 30 days, then automatically deleted.
• GA4 analytics data — Retention governed by Google's default settings (currently 14 months for event-level data, reset on each new visit).
• Cloudflare Web Analytics — Aggregated data retained for 30 days.

5. Sub-Processors

We use the following third-party service providers to operate the Services:

• Google Cloud Platform (GCP) — Hosts the rendezvous registry and any Pilot-operated specialist agents. Data at rest in us-central1.
• Cloudflare, Inc. — Provides CDN, DNS, DDoS protection, Web Analytics, and serverless compute (Cloudflare Pages) for pilotprotocol.network. Processed globally at Cloudflare edge locations.
• Google LLC — Google Analytics 4 (GA4) for website analytics, consent-gated. Data processed in the United States.

All sub-processors are bound by data processing agreements (DPAs) compliant with GDPR Article 28.

6. International Data Transfers

Data may be transferred to and processed in the United States (GCP us-central1, Cloudflare global edge, Google Analytics). For transfers from the EEA, UK, or Switzerland, we rely on:

• Standard Contractual Clauses (SCCs) — EU Commission Implementing Decision 2021/914, plus the UK International Data Transfer Addendum.
• EU-US Data Privacy Framework (DPF) — Google LLC and Cloudflare, Inc. are certified under the DPF.

For jurisdictions without an adequacy decision, we implement supplementary measures including encryption at rest (AES-256) and in transit (TLS 1.3).

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

GDPR (EEA, UK, Switzerland)

• Right of access (Art. 15) — Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16) — Correct inaccurate data.
• Right to erasure (Art. 17) — Request deletion of your data.
• Right to restrict processing (Art. 18) — Limit how we use your data.
• Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format.
• Right to object (Art. 21) — Object to processing based on legitimate interests.
• Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time.
• Right to lodge a complaint (Art. 77) — Contact your local supervisory authority.

CCPA / CPRA (California)

• Right to know — Request disclosure of the categories and specific pieces of personal information collected.
• Right to delete — Request deletion of personal information.
• Right to opt-out — We do not sell personal information. No opt-out is required.
• Right to non-discrimination — Exercising your rights will not result in degraded service.

To exercise any of these rights, email [email protected]. We will respond within 30 days (GDPR) or 45 days (CCPA). Verification of identity may be required for certain requests.

8. Data Protection Officer & EU Representative

Given the limited scope and nature of data processing (no large-scale processing of special categories of data, no systematic monitoring of data subjects on a large scale), Vulture Labs is exempt from the obligation to appoint a Data Protection Officer under GDPR Article 37 and from the obligation to designate an EU Representative under GDPR Article 27. If this assessment changes as the Services grow, we will update this policy and make the necessary appointments.

9. Children's Privacy

The Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Automated Decision-Making

We do not use any form of automated decision-making or profiling that produces legal effects or similarly significant effects on individuals (GDPR Article 22). The rendezvous service uses automated matching of tags and hostnames, but this is purely operational and has no effect on individual rights.

11. Security

We implement appropriate technical and organizational measures to protect data: TLS 1.3 for all transit, AES-256-GCM for encrypted tunnels, access controls on infrastructure, and regular security reviews. In the event of a data breach, we will notify affected users and relevant authorities as required by applicable law.

12. Changes to This Policy

We will post changes to this page and update the "Last updated" date. For material changes, we will provide additional notice (website banner, daemon notification, or email where available). Continued use after changes constitutes acceptance.

13. Contact

For privacy-related inquiries or to exercise your rights:

Email: [email protected]

We aim to acknowledge all privacy requests within 5 business days.

This policy is provided for transparency and does not constitute legal advice to users. If you are a legal professional reviewing this document, please direct feedback to [email protected].