Privacy Policy

Sphyr Agent Guard  ·  Effective May 22, 2026  ·  Last updated June 10, 2026

We collect only the minimum information required to operate the Sphyr Agent Guard security gateway. Specifically:

  • Request metadata. Target URLs are stored as one-way salted SHA-256 hashes — never in plaintext. We record request method, timestamp, outcome classification, and Shannon entropy score.
  • Session identifiers. Each session is assigned a UUID v4 token. Session tokens are IP-bound and expire after 30 minutes.
  • API key identifiers. We store your Sphyr API key identifier (the key_id, not the signing secret) to associate requests with your account for billing and forensics. The signing secret itself is held only in AES-256-GCM-encrypted form.
  • Billing information. Payment processing is handled exclusively by Stripe. We store your Stripe customer ID and credit balance. We do not store payment card numbers or bank account details.
  • GitHub account information. When you sign in using GitHub OAuth, GitHub provides us with your numeric GitHub user ID, login (username), display name, and primary verified email address. We store this information to create and manage your Sphyr account, issue billing receipts, and contact you about service-critical issues. The legal basis for this processing is performance of the contract (Article 6(1)(b) GDPR).

We do not collect, store, or process plaintext IP addresses, full URLs, request bodies, or any personally identifiable information in forensic logs. Note: plaintext IP addresses of administrative API callers are retained in the admin audit log (see §3) for operator security accountability; this data is not accessible to customers and is not included in forensic log exports.

  • Security policy enforcement. Request metadata is used in real time to enforce HMAC verification, SSRF protection, entropy scanning, rate limiting, and honeytoken detection.
  • Billing. Credit balances are tracked and decremented on each successful sphyr_net call. Credit transaction records support billing dispute resolution.
  • Forensic logging. Hashed request records are retained for post-incident analysis, compliance audit trails, and law enforcement cooperation under valid legal orders.
  • Service improvement. Aggregated, anonymized outcome statistics may be used to improve detection accuracy and reduce false positive rates.
  • No AI model training. We do not use your request data, agent traffic, or any other data processed through the Service to train, fine-tune, or improve any AI or machine learning model.

We do not sell your data, share it with advertisers, or use it for any purpose unrelated to operating and improving the Service.

For users in the EEA, UK, and Switzerland, we process personal data under the following lawful bases (GDPR Article 6):

  • Security enforcement and billing (operating the gateway, deducting credits, enforcing rate limits): performance of a contract (Art. 6(1)(b))
  • GitHub OAuth account data (user ID, login, display name, email): performance of a contract (Art. 6(1)(b))
  • Forensic logging (hashed request records, entropy signals, honeytoken triggers): legitimate interest in fraud prevention and security incident response (Art. 6(1)(f))
  • Admin audit log: legal obligation and legitimate interest in security accountability (Art. 6(1)(c) and (f))
  • Service improvement using anonymized/aggregated statistics: legitimate interest (Art. 6(1)(f))

  • Raw diagnostic rationale (e.g., why a specific request was blocked) is purged automatically within 36 days (typically 30 days; up to 6 days of scheduled-job lag).
  • Hashed forensic log rows (URL hash, outcome, timestamp, session ID) are retained for 180 days to support post-incident analysis and billing disputes.
  • Credit transaction records (purchase date, amount, expiry) are retained for as long as required by applicable financial record-keeping law and to support refund and dispute resolution. Following an erasure request, these records are pseudonymized and contain no directly identifying information.
  • Internal administrative audit records (a log of operator actions, kept for security accountability) contain no customer plaintext URLs or IP addresses and are subject to an internal retention schedule with automatic deletion.
  • Account identity data (GitHub user ID, login, display name, email address) is retained for the life of your account and deleted within 30 days of a verified erasure request (see Your Rights, §5). Credit transaction records linked to your account are pseudonymized upon erasure and retained as required for financial recordkeeping.

We implement the following security controls to protect stored data:

  • V8 isolate model. Each request runs in its own Cloudflare Workers V8 isolate with no shared memory between requests or tenants. Data from one request cannot leak to another.
  • One-way hashing. All identifiers that could be linked to real-world entities (URLs, session origins) are stored as one-way salted SHA-256 hashes. These cannot be reversed to recover the original value.
  • Secrets management. All cryptographic keys, API credentials, and service tokens are stored via Cloudflare Workers Secrets. They are never present in source code, configuration files, or logs.
  • Admin access controls. The admin API is protected by a cryptographically generated admin key managed via Cloudflare Workers Secrets, an IP allowlist, and a brute-force limiter. All admin actions are logged to an append-only audit table.

In the event of a confirmed data breach that affects personal data we hold, we will: (a) notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by applicable law; and (b) notify affected Customers without undue delay where the breach is likely to result in a high risk to their rights and freedoms. Notification will be sent to the email address associated with the Customer's account. Because we store only hashed identifiers rather than plaintext personal data, the scope of any breach affecting our forensic logs is inherently limited.

Users outside the EEA, UK, and Switzerland may also contact legal@sphyr.io to request access to or deletion of data associated with their account.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under applicable data protection law:

  • Right to erasure. You may request deletion of all data associated with your account. We provide a GDPR data scrub endpoint at /v1/users/:user_id (admin-gated). To request erasure, contact legal@sphyr.io.
  • Right to access. You may request a summary of the data we hold associated with your account identifier. Contact legal@sphyr.io with your API key identifier.
  • Right to rectification. If your account email or billing information is incorrect, contact legal@sphyr.io to request correction.
  • Right to data portability. Forensic log exports are available in CSV format via the admin dashboard. Contact us if you need a structured export of your account data.
  • Right to object. You may object to processing of your personal data where we rely on legitimate interest as the legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Right to lodge a complaint. If you believe your data protection rights have been violated, you have the right to lodge a complaint with the supervisory authority in your country of residence or establishment. A list of EU/EEA supervisory authorities is available at edpb.europa.eu.

Note: Because we store only hashed identifiers (not plaintext URLs or IP addresses), some data cannot be meaningfully exported — this is by design and consistent with our privacy-by-design architecture.

International data transfers. The Service operates on Cloudflare infrastructure located in the United States and globally distributed edge locations. Data transfers from the EEA, UK, or Switzerland to the United States are made under the EU-US Data Privacy Framework or Standard Contractual Clauses where applicable. By using the Service, you acknowledge that your data may be processed outside your country of residence.

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know. You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom we share it.
  • Right to Delete. You may request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to Correct. You may request correction of inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale or Sharing. We do not sell or share your personal information with third parties for cross-context behavioral advertising. No opt-out action is required.
  • Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights.

To exercise your California privacy rights, contact legal@sphyr.io. We will respond within 45 days of a verifiable request.

California Shine the Light (Cal. Civ. Code §1798.83). We do not share your personal information with third parties for their direct marketing purposes. California residents may contact legal@sphyr.io to confirm this.

CPRA Retention by Category:

  • Identifiers (GitHub user ID, email, API key ID): retained for the life of the account; deleted within 30 days of a verified deletion request (pseudonymized credit transaction records retained separately as required for financial recordkeeping)
  • Commercial information (credit purchase records): retained as required by financial record-keeping law; pseudonymized after a deletion request
  • Internet or other electronic network activity (hashed forensic log records): 180 days
  • Sensitive personal information: we do not collect sensitive personal information as defined by the CPRA

We use the following third-party services to operate the gateway. Each has its own privacy policy:

  • Cloudflare (infrastructure — D1 database, KV, Workers runtime): All request metadata, hashed forensic log records, and session data are stored on Cloudflare infrastructure. No personal data is shared with Cloudflare beyond what is required to operate the service. cloudflare.com/privacy
  • Stripe (payment processing and billing): Your Stripe customer ID, purchase amounts, and credit transaction records are processed by Stripe. We do not share personal data beyond what Stripe requires to complete billing. stripe.com/privacy
  • GitHub (OAuth authentication): When you sign in with GitHub, your GitHub user ID, login, display name, and primary email address are transmitted from GitHub to Sphyr as part of the OAuth flow. GitHub Privacy Statement

We do not use analytics platforms, advertising networks, or tracking pixels on any page of the Service.

We will provide at least 14 days' advance notice of any material changes to this Privacy Policy. Notice will be posted on the Service website at sphyr.io/legal/privacy. For significant changes affecting your rights, we will also send notice to the email address associated with your account.

Continued use of the Service after the effective date of a policy change constitutes acceptance of the revised policy.

For privacy inquiries, data access requests, or erasure requests, contact:

Privacy & Legal
legal@sphyr.io
Larson Tech Solutions, LLC, doing business as Sphyr  ·  sphyr.io

Data Controller (GDPR). For purposes of the EU General Data Protection Regulation, the data controller is: Larson Tech Solutions, LLC d/b/a Sphyr, United States. Contact: legal@sphyr.io. We do not currently have an EU/EEA representative designated under GDPR Article 27. If required by our supervisory authority or volume of EEA user data, we will designate one and update this policy.

Data Protection Officer (GDPR). We have determined that appointment of a Data Protection Officer under GDPR Article 37 is not required because we do not conduct large-scale systematic monitoring or processing of special category data as defined in GDPR Articles 9–10. Privacy inquiries may be directed to legal@sphyr.io. Data transfer mechanisms by processor: Cloudflare operates under Standard Contractual Clauses (cloudflare.com/gdpr); Stripe participates in the EU-US Data Privacy Framework (stripe.com/legal/dpa).

We set two strictly necessary cookies:

  1. console_session — functional cookie; maintains your authenticated console session; duration: 7 days (Max-Age=604800); HttpOnly, Secure, SameSite=Lax; not accessible to third parties.
  2. sphyr_oauth_csrf — security cookie; prevents CSRF attacks during GitHub OAuth login; duration: 10 minutes (Max-Age=600); expires on login completion.

We do not set tracking, analytics, or advertising cookies. Because both cookies above are strictly necessary for the service to function, no consent banner is required under the ePrivacy Directive — but we are required to disclose them.

You may block or delete cookies at any time through your browser settings. Blocking the session cookie (console_session) will prevent access to the authenticated console. We will obtain consent and update this policy before setting any cookies that are not strictly necessary for the Service to function.

The Service is available only to individuals aged 18 or older and to registered legal entities, in all jurisdictions. We do not offer the Service to anyone under 18, regardless of parental consent. We do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and believe a minor has provided us with personal information, please contact legal@sphyr.io and we will delete it promptly.