Privacy Policy

Version 2.4 · Last updated 2026-05-30 · supersedes v2.3 (2026-05-02)
Effective: upon any use of the System.

Operator: TUARA KURI LIMITED
Trading as: AgenticRail
Address: 431 Omanaia Road, RD 3, Kaikohe 0473, New Zealand
Email: hello@agenticrail.nz

1. Overview

This Privacy Policy explains how AgenticRail collects, uses, and handles data when you use the System.

AgenticRail is designed as a deterministic execution gate, not a data processing or storage platform. We minimise data collection and avoid reliance on user content wherever possible.

2. What We Collect

2.1 Metadata (Primary)

We collect operational metadata required to run the System, including:

Sequence identifiers (IDs you provide or we generate)
Nonce values (unique random values per request)
Timestamps (milliseconds since epoch)
Step names and action types
System outcomes (ALLOW / HALT / DENY)
Request counts (for billing and usage)

2.2 Technical Data (Limited)

We may also collect:

IP addresses (processed transiently for security and debugging purposes and not retained beyond what is necessary for those functions)
Request headers (standard HTTP)
Error logs
Latency and performance metrics

2.3 What We Do NOT Intentionally Collect

AgenticRail is designed to avoid collecting personal data except where necessary (e.g., account email). We do not rely on personal data for core system operation.

We do not intentionally collect prompt content, agent messages or responses, or user-generated data payloads.

Important: Clients control what they send to the System. If you submit personal or sensitive data, it may pass through system infrastructure. You are responsible for avoiding this.

2.4 Sensitive Data Guidance

The System is not designed for processing sensitive personal data, including health data, financial account data, or biometric or identity data.

Clients must not submit such data unless they have implemented appropriate safeguards and legal basis.

3. How We Use Data

We use collected data to:

enforce sequence and policy rules
operate the execution gate
prevent replay attacks (nonce validation)
maintain system integrity
debug errors and improve performance
measure usage for billing

We do not:

train AI models on your data
profile users
sell or share personal data for marketing

Legal basis (GDPR): Legitimate interest (operating and securing the Service) and contract performance (where account data such as email is provided).

4. Data Minimisation Principle

If the System does not need the data to enforce a rule, it should not store it.

The System is designed to operate on structure (step, function, action_type) rather than content.

5. Data Retention

AgenticRail retains two distinct categories of data on different schedules.

Enforcement receipts (HMAC-signed decision records stored in R2): retained per plan tier.

Plan	Receipt retention
Free	7 days
Growth	30 days
Scale	1 year
Enterprise	Multi-year (contractual)

These receipts are the core compliance artifact and are retained to enable compliance reporting and cryptographic chain verification.

Server and operational logs (HTTP access logs, error logs, latency metrics): retained for 90 days, then automatically deleted.

Account information (email address, optional name): retained while the account is active, plus a reasonable period for legal or security purposes.

You may request deletion of your account data at any time (see Section 11). Enforcement receipts are retained for the duration of the plan's retention period and cannot be individually deleted during that period, as deletion would break the verifiable receipt chain.

6. Data Security

We implement reasonable technical and organisational measures, including:

Encryption in transit (TLS 1.3)
Access controls on logs and systems
Regular security reviews

No system is completely secure. Clients should not rely on AgenticRail for storage of sensitive data.

7. Data Breach Notification

In the event of a data breach affecting personal data, AgenticRail will notify affected users and relevant authorities where required by law.

8. Client Responsibility

Clients are solely responsible for:

ensuring they do not submit unnecessary personal data
complying with applicable privacy laws (e.g., NZ Privacy Act 2020, GDPR)
implementing safeguards for sensitive data

AgenticRail acts as a processor of structure, not a controller of user data.

9. International Use & Data Transfers

AgenticRail is operated from New Zealand but uses Cloudflare's global network, which may process data in multiple countries.

By using the Service, you consent to this transfer.

For EU users, we rely on Cloudflare's compliance mechanisms, including Standard Contractual Clauses. New Zealand has been recognised by the European Commission as providing an adequate level of data protection (Adequacy Decision, 2012, reaffirmed 2024).

10. EU AI Act & Privacy Context

AgenticRail does not determine the purpose of AI systems.

The Client is responsible for classification of their AI system, handling of personal data, and compliance with privacy and AI regulations (including the EU AI Act).

AgenticRail provides enforcement logic, not data governance.

11. Your Rights (Including GDPR)

Depending on your jurisdiction, you may have the right to:

access your personal data
correct inaccurate data
request deletion ("right to be forgotten")
restrict or object to processing
data portability

Because AgenticRail stores minimal personal data, these rights may be limited in practice.

To exercise your rights, contact hello@agenticrail.nz. We aim to respond within 30 days.

New Zealand users may contact the Office of the Privacy Commissioner: privacy.org.nz.

12. Third-Party Services & Subprocessors

AgenticRail uses the following infrastructure providers:

Provider	Purpose	Privacy Policy
Cloudflare	API hosting, Durable Objects, R2 storage, KV, D1, networking	cloudflare.com/privacy
AI Provider — current: Google (Gemini)	AI compliance narrative generation (report worker only; processes enforcement summary statistics, not payload data, not receipt content). Previous providers used by AgenticRail have included DeepSeek and Anthropic (Claude). The AI Provider may change with at least 14 days' notice.	Current: policies.google.com/privacy
Stripe	Payment processing for subscription plans	stripe.com/privacy
Resend	Transactional email delivery (welcome emails, API key delivery)	resend.com/privacy

These providers process data only under contractual obligations and appropriate safeguards. We do not sell or share user data for marketing.

A Data Processing Agreement (DPA) incorporating Standard Contractual Clauses is available at agenticrail.nz/dpa. The DPA takes effect automatically upon your first paid API call — no separate signature required.

13. Changes to This Privacy Policy

We may update this Privacy Policy at any time. Material changes will be communicated via email (if provided) or through the Service. Continued use of the System constitutes acceptance of updates.

14. Contact

AgenticRail — TUARA KURI LIMITED
431 Omanaia Road, RD 3, Kaikohe 0473, New Zealand
Email: hello@agenticrail.nz

By using AgenticRail, you acknowledge that you have read and understood this Privacy Policy.

Document Fingerprint — SHA-256 — v2.4

97cc1510367d4656cea92ea15408cc1592536df0933e7808256c0eb4ff850b6a

Reproducible independently using any SHA-256 implementation over the pipe-delimited canonical string below.

Canonical string (UTF-8, no trailing newline):

Privacy Policy|2.4|2026-05-30|TUARA KURI LIMITED|GDPR + NZ Privacy Act 2020|Cloudflare,Google Gemini,Stripe,Resend|metadata-only; no payload retention|7days/30days/1year/multiyear|no model training; no marketing sale|New Zealand|NZBN 9429052428098|supersedes v2.3 2026-05-02

Version: 2.4 · Effective date: 2026-05-30 · Operator: TUARA KURI LIMITED · NZBN 9429052428098 · Supersedes v2.3 (2026-05-02)