Privacy policy.
AttestSeal scores domains for AI agents. We collect the minimum data we need to do that and we sign what we publish so it is auditable. This page explains what we collect, why, how long we keep it, and what choices you have.
What we collect
About domains we score
Public web data: WHOIS records, DNS records, SSL certificates, HTTP responses from the apex and well-known paths, content of public pages (privacy policy presence, contact info, etc.), and reputation lookups from third-party feeds (Tranco, Google Safe Browsing, Spamhaus, SURBL, URLhaus). This is the same information any web crawler can collect.
About merchants who register
When a merchant chooses to register a domain at /register.html, we collect the business information they submit: business name, country, address, phone, contact name, contact email, EIN/VAT, and social profiles. Sensitive fields (contact name, email, phone, address, EIN/VAT) are encrypted at rest with NaCl SecretBox before they touch our database. Public fields (business name, country, business type) are returned by the API in checks.
About API consumers
We log API requests for rate limiting, abuse prevention, and operational debugging: request IP, user agent, requested domain, and response status. We do not require accounts and we do not track users across sites. Logs are retained for 30 days.
Why we collect it
- Domain data: to compute and publish trust scores.
- Merchant data: to verify identity claims that automated crawls cannot infer (business name match, EIN match, phone reachability), increasing the merchant's trust score.
- API logs: to enforce rate limits, prevent abuse, and debug production issues.
Who we share with
The signed check is public — that is the product. It includes the public fields of any merchant registration. Encrypted private fields (EIN, contact email, phone, address) are never returned by the API.
We do not sell data to third parties. We do not run advertising. We do not use merchant data to train models other than the scoring model itself.
We respond to lawful legal process. We will notify the affected party unless legally prohibited.
How long we keep it
- Domain scoring data: indefinitely. Longitudinal trust history is core to the dataset.
- Merchant registrations: until the registrant requests deletion.
- API logs: 30 days, then deleted.
Your rights
Merchants. Request a copy of your registration, correct it, or delete it by emailing [email protected] from the address on file. We respond within 30 days.
Domain operators (without registration). If your domain is in our dataset and you want it suppressed from public checks, email us. We will assess case-by-case — the public-web nature of the underlying signals constrains what we can remove, but we will work with you on legitimate concerns.
EU/UK residents: rights under GDPR including access, rectification, erasure, restriction, portability, and objection.
California residents: rights under CCPA/CPRA including the right to know, delete, correct, and opt out of sale (we do not sell personal information).
International transfers
Production infrastructure is hosted in the United States. Crawler nodes are distributed globally. By using the service you consent to processing in the US.
Security
See our security policy. Sensitive registration fields are encrypted at rest with NaCl SecretBox under deployment-specific keys. All public surfaces use TLS. The signing key is stored on a hardened API host with file-system mode 600.
Changes
We will update this page when our practices change and bump the "last updated" date. Material changes will be announced on the blog.
Contact
Privacy questions or data subject requests: [email protected].