StorkHost — Privacy Policy

Last updated: 2026-06-25 · Status: Beta · Companion to tos.md

StorkHost is built to need as little personal data as possible. The platform is agent-first: most accounts are AI agents authenticated by a wallet signature, with no name, no email, and no KYC collected at all. This policy explains the minimal data we do collect, why, how long we keep it, and what we never do with it.

1. Our data-minimization stance

We collect the minimum needed to operate the service, bill accurately, and keep the platform safe and abuse-free. We do not require identity documents. We do not build advertising or behavioral profiles of your usage. We do not sell, rent, or trade your data, ever.

2. What we collect

Account and authentication data

  • Wallet address (agents). When an agent signs up, we store the EVM wallet address that signed the admission nonce. This is a public blockchain identifier; we do not store your private key (we never see it). The address is used for account identity, Sybil resistance (one free account per wallet), payment attribution, and account reputation/blocklist.
  • API keys (sk_...). We store a hashed/identifier form of issued keys to authenticate requests and apply rate limits and metering. Keys are bearer credentials; treat them as secrets.
  • Human-account auth data. For humans using the web front end, we store the minimal identifier from the sign-in mechanism (e.g. a subject ID). We do not require additional profile data.

Usage and metering data

  • Per-second metering records: which workloads ran, for how long, and the resources consumed (compute, egress, provisioned storage, builds). This is the basis of billing and of any future SLA service-credit calculation (none offered during beta).
  • Account state: prepaid balance, tier, spend caps, and app/deployment metadata (app names, payload types, configuration you provide).

Crypto-payment data

  • On-chain payment references: transaction hashes, amounts, asset/network, the treasury deposit address used, and the credited µ amount. These are inherently public blockchain data. We use them solely to verify and credit top-ups, prevent double-spend/replay, and maintain the billing ledger. We do not collect bank details, card numbers, or fiat-payment PII for the agent (x402) rail. The human-facing hosted crypto checkout is operated by a third-party payment processor under its own privacy terms; we receive a payment confirmation, not your underlying payment instrument.

Logs and operational data

  • Platform logs (control plane): request metadata such as timestamps, endpoint, account/key identifier, IP address, status codes, and rate-limit events. IP and request logs are used for security, abuse prevention, rate limiting, and debugging.
  • Tenant workload logs: logs your application emits, made available to you. These may contain whatever your code logs — you control their content; avoid logging secrets or third-party personal data you are not entitled to process.
  • Content you deploy: code, container images, environment variables, files, and data your workloads store (including PVC volumes). We process this only to run your workload; we do not inspect it except as needed to operate the service, enforce the AUP, respond to a legal obligation, or investigate abuse.

3. What we do not collect

  • No KYC, no government ID, no real name (for agent accounts).
  • No card numbers or bank details on the agent rail.
  • No advertising/tracking cookies that profile you across other sites. The marketing website may use privacy-respecting analytics (see §8); the API and MCP surfaces set no tracking cookies.

4. How we use data

  • Operate the service — run, deploy, and meter your workloads.
  • Bill accurately — compute usage and apply prepaid balance, credits, and caps.
  • Keep the platform safe — rate limiting, abuse detection, containment, account reputation/blocklist, and fraud/double-spend prevention.
  • Support and debugging — diagnose issues you report.
  • Legal compliance — respond to lawful requests and meet obligations (including mandatory CSAM reporting per the AUP).

We do not use your data for advertising profiling, and we do not sell it.

5. Sharing

We share data only with: - Infrastructure providers that host the underlying compute, network, and storage, strictly to provide the service. - The human-checkout payment processor, for fiat-adjacent/hosted crypto checkout, under its own terms. - Authorities, when legally required, or for mandatory CSAM reporting.

We do not otherwise disclose your data to third parties for their own purposes.

6. Retention

  • Account, wallet address, and key identifiers: kept while the account exists and for a limited period afterward for ledger integrity, abuse/reputation, and dispute resolution.
  • Metering and billing/ledger records: retained as needed for accounting, SLA claims, and fraud prevention.
  • Logs: retained for a limited operational window for security and debugging, then rotated/deleted, except where retained longer for an open abuse/security investigation or legal hold.
  • Tenant content and PVC data: retained while the workload exists; deleted on workload deletion. Remember: we do not guarantee durability — keep your own backups (see Terms §5).
  • On-chain payment data is, by nature, permanently public on the blockchain and outside our control.

Exact retention windows may be tuned during beta; material changes are announced via the status page and/or email.

7. Agent-vs-human considerations

  • Agent accounts are pseudonymous by design: identity is a wallet address, not a person. Where an agent acts on behalf of a human or organization, that human/org is responsible for the data the agent processes and for compliance with applicable data-protection law.
  • Human accounts involve only minimal sign-in data; we do not request additional profile information.
  • If your workload processes personal data of your end users, you are the controller of that data and StorkHost is a processor acting on your instructions; you are responsible for your lawful basis, notices, and end-user rights.

8. Website analytics and cookies

The marketing website may use privacy-respecting analytics (e.g. Google Analytics / Google Ads conversion measurement) to understand traffic and signup conversion. Where used, we configure it to minimize personal data (e.g. IP anonymization, consent where required, no cross-site advertising profiles by default), and we honor a cookie/consent banner where the law requires one. The API, MCP, and tenant runtime do not set marketing cookies. See the website cookie/consent notice for specifics.

9. Security

We isolate tenant workloads in dedicated namespaces/nodes with enforced network policy, hash API-key material, and keep payment-treasury keys out of band. No system is perfectly secure; during beta especially, do not store anything in a tenant workload that you cannot afford to lose or expose, and keep your own backups.

10. Your choices

  • Stop using the service and delete your workloads at any time.
  • Rotate or revoke API keys.
  • Contact us at privacy@storkhost.cloud for questions, access, or deletion requests; we will honor reasonable requests subject to ledger-integrity, legal-retention, and the immutable/public nature of on-chain data.

11. Changes

This policy may change during beta. Material changes are announced via the status page and/or email. Continued use after a change constitutes acceptance.

12. Contact

Privacy questions and data requests: privacy@storkhost.cloud. For general support or abuse reports, use support@storkhost.cloud or abuse@storkhost.cloud respectively. StorkHost is operated by Storksoft, an independent operator. There is no phone line.