/privacy notice · effective May 11, 2026

What we collect.
And what we don't.

We need an email for your Stripe payment receipt, a card to charge $19, and a one-shot read of your accounting data to write the report. We don't keep the data after the run, we don't sell anything to anyone, and we don't run third-party tracking pixels.

The data controller is Arnhem Labs Pty Ltd (ABN 53 696 663 297), an Australian proprietary limited company, trading as "botx402". When this notice says "we" or "us", that means Arnhem Labs Pty Ltd. For privacy questions or requests, email hello@botx402.io.

If you reach us as an autonomous agent paying with USDC over x402, we additionally record your signing wallet address — see section 02.

/section 01

What we collect

Email address — the one you give us at checkout. Stripe sends a payment receipt to it; we may also reach out to it for refund or support correspondence you start. Your report itself is not delivered by email — it opens at a permanent URL in your browser after payment.

Payment method — handled entirely by Stripe (a PCI DSS Level 1 service provider). We never see your card number; Stripe sends us only a confirmation that the charge succeeded.

OAuth access token to your accounting platform — issued by Xero (or in future, QuickBooks). Used once to fetch invoices, then discarded. See "How long we keep things" below.

Invoice metadata pulled during the run — customer names, amounts, dates. Held only in memory while the report is being generated.

Receipt ID, run timestamps, run status — kept in our jobs table for refund and audit purposes.

Receipt PDF — a separate document we generate at delivery time that records the sale (Arnhem Labs Pty Ltd as vendor + ABN, your email or wallet address as the buyer, the receipt ID, the line item, the amount). It's stored encrypted alongside the report PDF and accessed via the same `&t=…`-gated /results URL. Distinct from your Stripe payment receipt (which Stripe emails directly).

IP address (briefly, for fraud and abuse mitigation), and standard request logs.

If you visit the production site (prd): anonymised analytics (page views, no individual identifiers) via Plausible, a privacy-friendly analytics tool that doesn't use cookies; we don't share its data with third parties.

/section 02

What we collect from agent (x402) callers

If you call our agent endpoints (paying with USDC over x402 instead of using Stripe Checkout), we collect a few extra items that the human flow doesn't need.

Payer wallet address — the 0x… address that signed the EIP-3009 authorization, stored lower-cased (so without EIP-55 checksum casing). We log it on the Job row and in CloudWatch logs. We need it to: (a) refund manually to the right wallet if a settled run is disputed, (b) prove on-chain provenance during accounting reconciliation, and (c) feed the rate-limit fingerprint below. The wallet address is already public the moment any transaction touches the chain — we don't treat it as a secret, but you should know we record it.

Caller fingerprint — sha256(wallet || user-agent), truncated to 8 bytes (16 hex chars). Used only to enforce the per-caller daily USDC spend cap (clause 04 of the Terms). Kept in a separate DynamoDB table with a ~36h TTL after the day it was created; we do not link it back to a wallet address in any other store.
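An added worked example of the fingerprint and daily spend cap described above. It is illustrative code written for this notice, not botx402's implementation: the 100 USDC cap, the 6-decimal integer amounts, the reading of "~36h" as 36 hours after the end of the UTC day, and every name in it (`SpendCapTable`, `row_ttl`, `at_utc`) are assumptions, and the wallet and user-agent strings are constructed. Two properties of the scheme as described are worth knowing: the fingerprint is deterministic, so anyone who holds a wallet address and a user-agent string can recompute it (it is pseudonymous, not anonymous), and a caller that rotates its user-agent gets a fresh bucket, so the cap is per wallet-plus-user-agent pair rather than per wallet.

```python
import hashlib
from datetime import datetime, timedelta, timezone

USDC_DECIMALS = 6  # USDC is 6-decimal fixed point on chain: keep amounts as integers, never floats
# Hypothetical cap for this example; the real per-caller daily cap is set in the Terms.
DAILY_CAP_MICRO_USDC = 100 * 10**USDC_DECIMALS
# Assumed reading of "~36h after the UTC day it counts against": end of that day plus 36 hours.
TTL_AFTER_DAY_END = timedelta(hours=36)


def at_utc(iso: str) -> datetime:
    """Parse an ISO timestamp such as '2026-05-11T10:00:00' as UTC (helper for the example)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def caller_fingerprint(wallet: str, user_agent: str) -> str:
    """sha256(wallet || user-agent) truncated to 8 bytes (16 hex chars), as in section 02.

    The wallet is lower-cased first so checksum-cased and lower-cased spellings of the same
    address share a bucket. No delimiter is needed between the two inputs: an 0x address is
    always 42 characters, so the boundary is unambiguous.
    """
    digest = hashlib.sha256(wallet.lower().encode() + user_agent.encode()).digest()
    return digest[:8].hex()


def row_ttl(when: datetime) -> int:
    """DynamoDB TTL attribute (epoch seconds) for a row counting against `when`'s UTC day."""
    day_start = when.astimezone(timezone.utc).replace(hour=0, minute=0, second=0, microsecond=0)
    return int((day_start + timedelta(days=1) + TTL_AFTER_DAY_END).timestamp())


class SpendCapTable:
    """In-memory stand-in for the separate rate-limit table (constructed for this example)."""

    def __init__(self, cap_micro: int = DAILY_CAP_MICRO_USDC) -> None:
        self.cap = cap_micro
        self.rows: dict = {}  # (fingerprint, "YYYY-MM-DD") -> {"spent": int, "ttl": int}

    def try_spend(self, wallet: str, user_agent: str, amount_micro: int, now: datetime) -> bool:
        """Reserve `amount_micro` against today's bucket; False if that would exceed the cap."""
        now = now.astimezone(timezone.utc)
        key = (caller_fingerprint(wallet, user_agent), now.strftime("%Y-%m-%d"))
        spent = self.rows.get(key, {}).get("spent", 0)
        if spent + amount_micro > self.cap:
            return False  # refuse before verify/settle; nothing is signed or broadcast
        self.rows[key] = {"spent": spent + amount_micro, "ttl": row_ttl(now)}
        return True

    def sweep(self, now: datetime) -> int:
        """What DynamoDB's TTL sweeper does for us: drop rows whose TTL has passed."""
        cutoff = int(now.timestamp())
        expired = [k for k, r in self.rows.items() if r["ttl"] <= cutoff]
        for k in expired:
            del self.rows[k]
        return len(expired)
```

Driving it with a cap of three $19 runs: the fourth attempt on the same wallet and user-agent in one UTC day is refused, the same wallet with a different user-agent is accepted into its own bucket, and the next day starts from zero. Rows for May 11 carry a TTL of noon UTC on May 13 and disappear at the sweep after that; nothing ever reads them again, which is why the table can live apart from the Job row without a back-reference to the wallet.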

User-agent header — the standard HTTP one your client sends. Used as one input to the fingerprint above and in request logs.

On-chain transaction hashes — when we settle a payment, we store the Base mainnet/Sepolia tx hash on the Job. If we manually refund USDC, we store the outbound tx hash too. Both are public on the chain regardless; we keep them so the audit trail is complete on our side.

x402 authorization payload — what you signed (nonce, amounts, validBefore window). We pass this to the Coinbase facilitator at verify and settle time, and we keep it on the Job row until settle so we can broadcast after delivery. See clause 04 of the Terms for the settle-on-success mechanic.

Per-job access token — a 122-bit random token returned to your agent in the /run response, required on subsequent /runs/{id} polls. It's a bearer credential for that one Job's status — treat it like an API key for that specific receipt. Stored on the Job row alongside everything else.
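An added example of how a per-Job bearer token like the one above is minted and checked on a /runs/{id} poll. This is illustrative code for this notice, not botx402's implementation: the 122-bit figure matches the random bits carried by a version-4 UUID, so the example mints the token as one (an assumption), and `JobStore` with its method names is hypothetical. What it shows is that the token unlocks exactly one Job, is compared in constant time, and that an unknown Job id is not distinguishable from a wrong token by response timing.

```python
import hmac
import uuid
from typing import Optional


class JobStore:
    """In-memory stand-in for the jobs table (constructed for this example)."""

    def __init__(self) -> None:
        self.jobs: dict = {}  # job_id -> {"status": str, "payer_wallet": str, "token": str}

    def create(self, payer_wallet: str) -> tuple:
        """Create a Job and mint its access token; returns (job_id, token).

        uuid4 carries exactly 122 random bits from os.urandom, matching the notice's
        "122-bit random token" (assumed to be how it is produced). The job_id is a separate
        uuid4, so knowing one Job's id reveals nothing about its token.
        """
        job_id = str(uuid.uuid4())
        token = uuid.uuid4().hex  # 32 hex chars, stored on the Job row as the notice says
        self.jobs[job_id] = {"status": "queued", "payer_wallet": payer_wallet, "token": token}
        return job_id, token

    def set_status(self, job_id: str, status: str) -> None:
        self.jobs[job_id]["status"] = status

    def poll(self, job_id: str, presented_token: str) -> Optional[dict]:
        """GET /runs/{id}: return the Job's status only if the bearer token belongs to this Job.

        compare_digest is constant-time for equal-length inputs, so the token cannot be
        recovered byte by byte from timing. A missing Job is compared against a dummy of the
        same length so that "no such job" and "wrong token" take the same time and both
        answer None; nothing about other Jobs leaks either way.
        """
        job = self.jobs.get(job_id)
        expected = job["token"] if job else "0" * 32
        ok = hmac.compare_digest(presented_token.encode(), expected.encode())
        if job is None or not ok:
            return None
        return {"id": job_id, "status": job["status"]}
```

Because the token is scoped to one Job, a leaked token exposes that Job's status and its /results window and nothing else, which is the sense in which the notice says to treat it like an API key for that specific receipt.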

/section 03

What we don't collect

We don't run third-party tracking pixels (no Facebook Pixel, no Google Analytics, no LinkedIn Insight Tag).

We don't fingerprint your browser, build a profile, or share you with ad networks.

We don't ask for a phone number or your company's structure beyond what you choose to put in your email address.

We don't store your card details. Stripe does — we never see them.

We don't keep marketing or newsletter lists. The emails you'll receive in connection with botx402 are: (a) your Stripe payment receipt, sent by Stripe, and (b) responses from us to support requests you start.

/section 04

How long we keep things

Xero (or other accounting) data: deleted within 24 hours of the report being delivered. Often sooner — we don't persist invoices to disk in normal operation; the data is read, analysed, written into the PDF, and dropped.

OAuth access token (Stripe / human flow): stored encrypted in DynamoDB, automatic 30-minute time-to-live. Deleted at the latest 30 minutes after the OAuth callback regardless of run status.

OAuth connection (agent flow): stored encrypted in a separate DynamoDB table, 24-hour sliding TTL — every reuse pushes the expiry forward 24h, an idle connection evicts in 24h. Explicit DELETE via /api/v1/agent/connections/{id} burns it immediately.

PDF report: kept encrypted at rest for 7 days, accessed via a permanent URL gated by a per-Job access token (the `&t=…` in your /results URL — see section 02). After 7 days the file is removed and the URL stops working; download a local copy if you need it longer.

Receipt PDF (sale record from Arnhem Labs Pty Ltd): same lifecycle as the report PDF — encrypted at rest, accessed via a presigned URL valid for 7 days. Download a local copy if you need it for tax or accounting records longer than the 7-day window.

Job record (receipt ID, status, timestamps, customer email, payer wallet for agent runs, settlement and refund tx hashes, references to the report and receipt PDFs): kept for 3 years. Required for refund support, on-chain reconciliation, and basic accounting.

Email address: deleted along with the job record (3 years).

Per-Job access token: kept on the Job row for the same 3 years. It is only as secret as the row it sits on (anyone who obtained the row would have the token too), so storing it separately would buy nothing; it lives and is deleted with the rest of the Job record.

Caller fingerprint (rate-limit table): ~36 hours after the UTC day it counts against. DynamoDB's TTL sweep removes yesterday's rows automatically; we never read them again.

Logs: 7 days in development (dev), 30 days in production (prd). Wallet addresses appear in agent-flow log lines and roll off on the same schedule.

If you ask us to delete you sooner, we will — write to hello@botx402.io.

/section 05

Who we share with

Stripe — to take card payments.

Coinbase x402 facilitator (facilitator.x402.org) — for agent runs only. We POST your signed authorization payload + the route's payment requirements to them at verify time, and again at settle time after delivery. They broadcast the USDC transfer to Base on our behalf. We never hold customer private keys; the agent signs, the facilitator broadcasts.

Base mainnet / Sepolia public RPC — for agent runs only. The facilitator submits transactions to the chain; the resulting tx hashes are public on Basescan. We don't operate our own RPC node.

AWS — to host the service. Anything we store is encrypted at rest.

Cloudflare — DNS for botx402.io.

Xero — when you click "Connect Xero" (or your agent provisions a connection), you're authorising Xero to give us read access to your accounting data. Xero's privacy policy applies to that side of the connection.

We don't share your data with anyone else. We don't sell, rent, or syndicate.

/section 06

Where the data lives

All run data, encrypted tokens, and PDFs are stored in the United States.

We're an Australian-based business. By using the service you're agreeing to your data being processed and stored in the US.

We rely on standard contractual clauses where applicable.

On-chain data (USDC settlement and refund transactions) is, by definition, public and replicated worldwide once written to Base. We have no control over it after broadcast.

/section 07

Your rights

You can request a copy of any data we hold about you, request deletion of all of it, or correct anything that's wrong. Email hello@botx402.io.

We aim to respond within 30 days. Australian residents have rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles; UK and EU residents have rights under UK GDPR / GDPR; California residents have rights under CCPA. We'll honour them either way.

You can withdraw your Xero connection at any time from inside Xero (Settings → Connected apps). That immediately revokes our access; we can't fetch any new data after that. Agent connections can also be deleted via DELETE /api/v1/agent/connections/{id}.

On-chain transactions (settlements, refunds) cannot be erased — they're public records of the chain. Deletion requests cover only what we hold off-chain.

/section 08

Security

All traffic to and from the site is HTTPS (TLS 1.2+). The DynamoDB tables holding your OAuth tokens (both 30-minute one-shots and 24-hour agent connections) are encrypted at rest with a per-environment AWS KMS key whose use is scoped to the fulfillment Lambda's IAM role.

Card data is handled by Stripe (PCI DSS Level 1) — we never see it.

For blockchain payments: agents sign the authorization client-side, the Coinbase facilitator broadcasts it on-chain. We don't sign on behalf of any customer wallet and never custody customer funds. We do operate one recipient wallet on Base mainnet — its private key is held by Arnhem Labs Pty Ltd directly, under standard hot-wallet hygiene (separate device, offline seed backup, no shared access), and is used solely to send manual outbound USDC for disputed-run refunds.

If we ever discover a breach affecting your data, we'll email everyone affected within 72 hours of confirmation.

/section 09

Cookies

We don't use cookies for tracking. The site works without them.

On checkout, Stripe sets cookies necessary for the payment flow — these are first-party to checkout.stripe.com and are out of our control.

/section 10

Children

The service is not directed at anyone under 18. If we learn we've collected data from a child, we'll delete it.

/section 11

Changes

If we materially change this notice we'll update the "effective" date at the top.

/section 12

Contact

Privacy questions, deletion requests, anything else: hello@botx402.io. We read every email.

Last updated May 11, 2026. We don't link to a "preferences centre" because there are no preferences. Email hello@botx402.io to delete your data.