Privacy Policy

Effective: February 7, 2026

1. Introduction

This Privacy Policy explains how Rizq Labs AI LLC ("API Toll", "we", "us") collects, uses, and protects information when you use our website (apitoll.com), SDKs, APIs, facilitator service, and dashboard (collectively, the "Service").

API Toll serves both human users and autonomous AI agents. This policy covers data handling for both categories of users.

2. Information We Collect

2.1 Account Information

When you create an account via Clerk authentication, we receive:

  • Email address
  • Display name
  • Authentication provider identifiers (Google, GitHub, etc.)

2.2 Wallet Information

When you register as a seller or deploy agents, we store:

  • Public wallet addresses (Base/Solana) — these are public blockchain data
  • We never store private keys, seed phrases, or signing credentials

2.3 Transaction Data

For each x402 payment processed through the Service, we record:

  • Transaction hash (public blockchain data)
  • Sender and recipient wallet addresses
  • Payment amount and currency (USDC)
  • Endpoint called, HTTP method, and response status
  • Timestamp and latency metrics
  • Platform fee amounts

All transaction data is inherently public on the blockchain. We index it for analytics and display it on your dashboard.

2.4 Agent Metadata

For AI agents using the Service, we collect:

  • Agent name and configuration (set by the operator)
  • Policy configurations (budget limits, vendor ACLs, rate limits)
  • Spending history and balance information
  • We do not collect or store agent prompts, instructions, or internal reasoning

2.5 Usage Data

We automatically collect:

  • IP addresses (for rate limiting and security only, not stored long-term)
  • Browser/user-agent information
  • Pages visited and features used in the dashboard

3. How We Use Information

  • Service delivery — process payments, display analytics, enforce policies
  • Security — detect fraud, prevent abuse, verify payment signatures
  • Improvement — understand usage patterns to improve the Service
  • Communication — send account-related notifications (not marketing)
  • Legal compliance — respond to lawful requests from authorities

4. Information Sharing

We do not sell your personal information. We share data only in these cases:

  • Transaction counterparties — sellers see buyer wallet addresses and vice versa (this is inherent to blockchain transactions)
  • Service providers — Clerk (authentication), Convex (database), Stripe (fiat deposits), Vercel (hosting)
  • Legal requirements — when required by law, subpoena, or to protect rights and safety
  • Business transfers — in connection with a merger, acquisition, or asset sale

5. Blockchain Data

By using the Service, you acknowledge that blockchain transactions are:

  • Public — all on-chain transactions are visible to anyone on the Base or Solana blockchain
  • Permanent — blockchain data cannot be deleted or modified
  • Pseudonymous — wallet addresses are not inherently linked to real-world identity, but may be correlated through other means

We cannot delete on-chain transaction data, as it exists on a decentralized public ledger outside our control.

6. Data Security

We implement reasonable security measures including:

  • Clerk-managed authentication with industry-standard encryption
  • Timing-safe API key comparisons to prevent timing attacks
  • Webhook signature verification (HMAC-SHA256) for all payment events
  • Role-based access controls on all dashboard mutations
  • No plaintext storage of secrets or private keys

7. Data Retention

  • Account data — retained while your account is active, deleted upon request
  • Transaction data — retained indefinitely for analytics and compliance (on-chain data is permanent regardless)
  • Usage logs — retained for 90 days
  • IP addresses — retained for 30 days (security purposes)

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and associated off-chain data
  • Export your data in a portable format
  • Object to certain processing activities

To exercise these rights, contact us at privacy@apitoll.com. Note that we cannot delete on-chain blockchain data.

9. Cookies

We use minimal cookies necessary for authentication (Clerk session cookies) and basic analytics. We do not use advertising cookies or third-party tracking.

10. Children

The Service is not directed at individuals under 18. We do not knowingly collect personal information from minors.

11. International Users

The Service is operated from the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. By using the Service, you consent to this transfer.

12. Changes

We may update this Privacy Policy periodically. Material changes will be posted on this page with an updated effective date.

13. Contact

For privacy-related questions, contact us at privacy@apitoll.com.

Rizq Labs AI LLC
Florida, United States