Privacy Policy

Effective May 10, 2026

Decoy operates decoy.run and the Decoy security service ("Service"). This policy describes what we collect, how we use it, and the choices you have.

Information we collect

Account information

You give us an email address to sign in, receive security alerts, and get product updates. We use magic links and passkeys (WebAuthn) in place of passwords.

Trigger data

When an agent invokes one of your tripwires, we log the tool name, the severity, the agent fingerprint, the timestamp, and the shape of the arguments (each value reduced to a type and length, e.g. <string:42>). We do not log the raw argument values. For confirmed-malicious decisions on critical or high-severity tools, we additionally store a SHA-256 fingerprint of the original arguments so we can correlate the same exploit payload appearing across different installs without storing the payload itself.

Retention follows your plan: Free 7 days, Team 90 days, Business unlimited.

CLI telemetry

Our open-source CLIs (decoy-scan, decoy-redteam, decoy-tripwire) phone home a redacted run summary by default. This is how we learn which patterns produce false positives in the wild, which attack categories matter, and how to prioritize what we ship next.

Identification is by a stable random UUID written to ~/.decoy/install_id on first run. We do not collect your email, hostname, IP, file paths, or working directory. If you later create an account, the install ID can be linked to your account so any history captured before signup is credited to you.

What each CLI sends:

  • decoy-scan — finding counts by severity, OWASP category counts, finding source counts (e.g. tool-description, env-config), per-server tool count and risk distribution, scan timestamp. We do not send tool descriptions, file paths, server commands, or arguments.
  • decoy-redteam — story counts by severity, attack category counts, OWASP category counts, coverage statistics, server count, run mode. We do not send story bodies, exploit text, server names, or tool arguments.
  • decoy-tripwire — decision events (allow / block / query) for each tool call, the tool name, the severity, the redacted argument shape (types and lengths only, never raw values), client name and version, and a session-scoped sequence number. For block decisions on critical or high-severity tools, an args fingerprint (SHA-256 prefix) is included for cross-install correlation.
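An added example (not Decoy's code) of the argument-shape redaction and args fingerprint described under Trigger data and in the decoy-tripwire item above. The token formats other than <string:N>, the preserved key names, the canonical-JSON hashing, the 16-hex-character prefix, and the event field names are assumptions made for illustration.

```python
import hashlib
import json

def shape(value):
    """Reduce a value to type (and length for strings); keys are kept, values are not."""
    if isinstance(value, dict):
        return {k: shape(v) for k, v in value.items()}
    if isinstance(value, list):
        return [shape(v) for v in value]
    if isinstance(value, bool):          # bool before int: bool subclasses int
        return "<bool>"
    if value is None:
        return "<null>"
    if isinstance(value, (int, float)):
        return "<number>"
    if isinstance(value, str):
        return f"<string:{len(value)}>"
    return f"<{type(value).__name__}>"

def args_fingerprint(args, prefix_len=16):
    """SHA-256 over canonical JSON so key order does not change the digest."""
    canonical = json.dumps(args, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:prefix_len]

def build_event(tool, severity, decision, args):
    """Build the record that leaves the machine; raw args never enter it."""
    event = {"tool": tool, "severity": severity,
             "decision": decision, "args_shape": shape(args)}
    # Fingerprint only for block decisions on critical/high tools.
    if decision == "block" and severity in ("critical", "high"):
        event["args_fp"] = args_fingerprint(args)
    return event

# Constructed sample arguments for a hypothetical tripwire tool.
SAMPLE_ARGS = {"command": "cat notes.txt", "timeout": 30, "env": ["A=1", None]}

if __name__ == "__main__":
    print(json.dumps(build_event("execute_command", "critical", "block",
                                 SAMPLE_ARGS), indent=2))
    print(json.dumps(build_event("execute_command", "critical", "allow",
                                 SAMPLE_ARGS), indent=2))
```

The sketch uses an unkeyed digest, so byte-identical arguments on two installs yield the same prefix, which is what makes cross-install correlation possible. The same property means a short or guessable argument set can be confirmed by hashing candidates, and string lengths remain visible in the shape.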

To opt out, set DECOY_TELEMETRY=0 in your environment, or pass --no-telemetry per run. Both routes silently no-op the network call. The opt-out applies to authenticated and anonymous paths.

CLI telemetry is retained for 90 days. Aggregate counts derived from it (which patterns are common, which categories trend) are retained indefinitely as anonymized statistics; raw telemetry events are not.

Agent fingerprints

We generate SHA-256 hashes from the client name, version, and user-agent string presented by an agent. The fingerprint is a truncated hash. We do not store the raw identifying strings.

Payment information

We do not store credit card numbers, CVVs, or full card details. Stripe handles payments. We retain only the Stripe customer ID and subscription ID against your account.

Usage data

Cloudflare Analytics collects aggregated, anonymized traffic data. We do not use cookies for analytics and do not collect personal identifiers through analytics.

How we use your information

  • To provide and maintain the Service
  • To deliver security alerts over email, webhook, and Slack
  • To authenticate you in the dashboard and API
  • To process payments through Stripe
  • To send onboarding communications (unsubscribe available at any time)
  • To improve the product using anonymized patterns

Data storage and security

Data is stored in Cloudflare Workers KV with encryption at rest and in transit. Sessions use HttpOnly, Secure, SameSite cookies. WebAuthn uses public-key cryptography with no shared secrets.

Data retention

  • Trigger data: Free 7 days, Team 90 days, Business unlimited (matches the plan you're on)
  • Scan and red team history: Free 7 days, Team 90 days, Business unlimited
  • CLI telemetry events: 90 days; derived aggregate statistics retained indefinitely
  • Account data: retained until you delete your account
  • Session data: 30-day TTL
  • Threat intelligence: 30-day TTL (sourced from public signals)

Third-party services

  • Cloudflare — hosting, CDN, analytics, and storage
  • Stripe — payment processing
  • Resend — transactional email delivery

We do not sell, rent, or share your personal information with any other third parties.

Your rights

You can request a copy of your data, request deletion of your account, or update your email address by contacting us. We respond within 30 days.

International privacy rights

GDPR (EEA, UK, Switzerland)

Legal basis for processing:

  • Contract performance to deliver the Service
  • Legitimate interest in analytics and fingerprinting for threat detection
  • Consent for onboarding and marketing email

Your rights: access, rectification, erasure, data portability, objection, restriction of processing, and the right to lodge a complaint with your supervisory authority.

International transfers: Cloudflare operates globally with EU-U.S. Data Privacy Framework certification and Standard Contractual Clauses. Stripe is similarly certified.

CCPA (California)

California residents may request disclosure of what we collect, deletion of their data, and opt-out of "sales" of personal information. We do not sell personal information. We respond within 45 days.

Cookies

We set a single HttpOnly session cookie (__decoy_session) to keep you signed in. We do not use tracking, advertising, or third-party cookies.

Changes to this policy

We will notify you by email or a notice on the website for significant changes.

Contact

Questions about this policy? Email hello@decoy.run.