← Back to Xache

Privacy Policy

Last updated: February 12, 2026

This Privacy Policy describes how Agentic Memory Systems ("AMS", "we", "us", "our"), operating as Xache, collects, uses, and shares information when you use our services, website (xache.xyz), APIs, SDKs, and related tools (collectively, the "Service").

1. Information We Collect

1.1 Account Information. When you create an account or access the Service, we may collect your blockchain wallet address (EVM and/or Solana), DID identifiers, and workspace configuration.

1.2 Usage Data. We collect operational metadata including API call timestamps, operation types, receipt IDs, session identifiers, and aggregate usage statistics. This data is used for billing, rate limiting, and service improvement.

1.3 Payment Information. Xache uses the x402 micropayment protocol. Payments are processed on-chain via USDC on Base (EVM) and Solana networks. We do not collect or store credit card numbers, bank account details, or other traditional payment information. We record transaction hashes and payment amounts for billing verification.

1.4 Memory Data. Memory content submitted to Xache is encrypted client-side using XSalsa20-Poly1305 (libsodium secretbox) before transmission. We never see, access, or store plaintext memory data. We store only the encrypted ciphertext. Decryption keys are held exclusively by you.

1.5 Knowledge Graph Data. Entity names and relationship labels in the Knowledge Graph are encrypted client-side. The server processes only HMAC-SHA512/256 derived keys — we have zero knowledge of the actual entity names or content within your graph.

1.6 Subject Keys. Subject identifiers are derived using HMAC-SHA512/256 with domain separation. We never see raw subject identifiers (such as user IDs, emails, or names). We store only the cryptographically derived subject IDs.

1.7 Ephemeral Context. Session-scoped data in ephemeral slots is encrypted client-side and stored temporarily. Ephemeral sessions auto-expire based on your configured TTL. Expired session data is permanently deleted.

1.8 LLM Extraction. When using BYO-LLM extraction, your LLM API key is used as a stateless proxy — we never store your API key. When using Xache-managed extraction, only PII-scrubbed traces are processed.

2. How We Use Information

• To provide, maintain, and improve the Service
• To process payments and generate cryptographic receipts
• To anchor Merkle tree proofs on Base and Solana blockchains
• To enforce budget guardrails and rate limits
• To generate aggregate, anonymized analytics
• To detect and prevent fraud, abuse, and security threats
• To communicate service updates, security notices, and billing information
• To comply with legal obligations

3. Data Storage and Security

3.1 Infrastructure. The Service runs on Cloudflare Workers (edge-deployed globally), Cloudflare R2 (object storage), and Cloudflare D1 (SQLite at the edge). Data is encrypted at rest and in transit.

3.2 Storage Tiers. Encrypted memory data is stored across three tiers: hot (0–14 days, sub-50ms access), warm (14–30 days), and cold (30+ days archival). Data migrates between tiers automatically based on access patterns.

3.3 Client-Side Encryption. All sensitive data (memory content, entity names, subject identifiers) is encrypted on your device before reaching our servers. We employ a zero-knowledge architecture — we cannot read your data even if compelled to do so.

3.4 Blockchain Anchoring. Cryptographic receipts are batched into Merkle trees and anchored on Base (EVM) and Solana blockchains. On-chain data consists only of Merkle roots — no plaintext or encrypted memory content is ever written on-chain.

4. Data Sharing

We do not sell, rent, or trade your personal information. We may share information in the following limited circumstances:

• Blockchain Networks: Merkle roots and receipt anchors are published on Base and Solana blockchains as part of the core service functionality
• Collective Intelligence Marketplace: If you opt-in to contribute patterns to the marketplace, contributed data is shared with other users under the terms you agree to. Contributions are quality-scored and earn royalties
• ERC-8004 Reputation Export: If you opt-in to export reputation scores, this data is published on-chain per the ERC-8004 standard
• Service Providers: We use Cloudflare for infrastructure and Coinbase CDP for payment facilitation. These providers process data only as necessary to provide their services
• Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request. Given our zero-knowledge architecture, any such disclosure would contain only encrypted ciphertext and operational metadata

5. Data Retention

5.1 Memory Data. Encrypted memory data is retained until you delete it or your account is terminated. You can delete individual memories or all memories at any time via the API.

5.2 Ephemeral Sessions. Ephemeral session data is automatically deleted upon session expiry (configurable TTL, default 1 hour). Promoted sessions are converted to persistent memory.

5.3 Receipts. Cryptographic receipts are retained indefinitely as they are part of the immutable audit trail. On-chain anchors are permanent by nature of blockchain technology.

5.4 Account Data. Account information is retained for the duration of your account plus 30 days after deletion to allow for account recovery.

6. GDPR and Data Subject Rights

If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdiction with similar data protection laws, you have the following rights:

• Access: Request a copy of the data we hold about you
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten"). We support GDPR deletion lifecycle including cryptographic key destruction for encrypted data
• Portability: Request your data in a structured, machine-readable format
• Restriction: Request restriction of processing
• Objection: Object to processing based on legitimate interests

To exercise any of these rights, contact us at [email protected].

7. International Data Transfers

The Service operates globally via Cloudflare's edge network. Your encrypted data may be processed in multiple jurisdictions. Given our zero-knowledge architecture, data processed in any jurisdiction remains encrypted and inaccessible to us or any third party without your decryption keys.

8. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.

9. Cookies and Tracking

The xache.xyz website uses only essential, first-party storage (localStorage) for dark mode preference. We do not use third-party cookies, advertising trackers, or analytics cookies. The Service APIs do not use cookies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

For questions about this Privacy Policy or to exercise your data rights, contact us at:

Agentic Memory Systems (AMS)
Operating as Xache
Email: [email protected]
Website: xache.xyz

Xache is operated by Agentic Memory Systems (AMS).