
Privacy Policy

Effective date: March 25, 2026  ·  Contact: [email protected]

1. Overview

UAPK Gateway ("we", "us", or "our") is a policy enforcement and audit platform for AI agents. This Privacy Policy explains what data we collect, how we use it, and what rights you have, whether you access UAPK Gateway directly through our API, via our hosted service at api.uapk.info, or through a third-party integration platform (Zapier, Make.com, n8n, or Langflow).

By using UAPK Gateway or any of its integration connectors, you agree to the practices described in this policy. If you are using UAPK Gateway on behalf of an organization, you represent that you have authority to bind that organization to this policy.

2. Data We Collect

2.1 Account & Authentication Data

  • Email address and password hash (bcrypt) for user accounts
  • Organization name and UUID
  • API keys (stored as bcrypt hashes — the plaintext is shown once at creation)
  • JWT session tokens (short-lived, not persisted)

2.2 Agent Interaction Data

Every request to /evaluate or /execute generates an interaction record containing:

  • UAPK ID and agent ID
  • Action type, tool name, and parameters
  • Policy decision (allow / deny / escalate) and reason codes
  • Counterparty metadata (if supplied)
  • Timestamps, request/result hashes, and an Ed25519 gateway signature
  • The SHA-256 hash of the previous record (hash chain for tamper evidence)

These records are append-only and cannot be deleted. This is by design: the hash chain guarantees audit log integrity. Records exported to S3 are locked under AWS Object Lock COMPLIANCE mode with a 7-year retention period.

2.3 Approval Workflow Data

  • Approval requests including action metadata and escalation reason
  • Reviewer identity, decision, notes, and timestamp
  • Override token lifecycle (issued, consumed, expired)

2.4 Usage & Technical Data

  • API request logs (endpoint, status code, latency)
  • Rate limit counters and daily action budgets (per organization)
  • Billing events via Stripe (we do not store card numbers)

3. How We Use Your Data

  • Policy enforcement: evaluating agent action requests against your configured rules in real time
  • Audit logging: building a tamper-evident, cryptographically signed record of every agent action for compliance and forensics
  • Human approval workflows: routing escalated actions to reviewers and managing the override token lifecycle
  • Service operation: authentication, rate limiting, billing, and system health monitoring
  • Security: detecting abuse, investigating incidents, and enforcing SSRF/injection protections

We do not sell, rent, or share your data with third parties for marketing purposes.

4. Data Retention

Interaction records are retained indefinitely as part of the tamper-evident audit chain. Exported evidence bundles stored in S3 are subject to 7-year Object Lock retention. Account data and approval records are retained for the duration of your subscription plus 90 days after cancellation. You may request deletion of account data by contacting us at [email protected] — audit records will remain as required by the immutability guarantee.

5. Third-Party Integration Platforms

UAPK Gateway provides connectors for the following automation and AI pipeline platforms. When you use these connectors, data flows between that platform and the UAPK Gateway API. The platform's own privacy policy applies to data stored or processed within that platform.

Zapier

The UAPK Gateway Zapier integration (App ID: 238403) allows you to call Evaluate Action, Execute Action, Approve Action, and Deny Action from Zapier Zaps, and to search approvals and audit records.

Data sent to UAPK Gateway by this integration:

  • Your UAPK API key and Organization ID (stored as Zapier connection credentials — encrypted at rest by Zapier)
  • Agent action payloads you pass into the Zap (UAPK ID, agent ID, action type, tool, parameters)
  • Approval IDs and reviewer decisions when using Approve/Deny actions

Data returned to Zapier from UAPK Gateway:

  • Policy decisions, interaction IDs, reason codes
  • Override tokens (single-use, short-lived)
  • Approval records and audit record summaries

Zapier's privacy policy applies to credential storage and Zap execution logs: zapier.com/privacy

Make.com (formerly Integromat)

The UAPK Gateway Make.com app allows you to incorporate policy enforcement and human approval steps into Make scenarios using modules for evaluate, execute, approve, deny, and audit chain verification.

Data sent to UAPK Gateway by this integration:

  • Your API key and Organization ID (stored as a Make connection — encrypted by Make)
  • Action payloads defined in your scenario modules
  • Approval decisions including reviewer notes

Data returned to Make from UAPK Gateway:

  • Policy decisions and audit metadata
  • Approval status and override tokens
  • Audit chain verification results

Make.com's privacy policy: make.com/en/privacy-notice

n8n

The UAPK Gateway n8n community node (n8n-nodes-uapk-gateway) can be installed in self-hosted or cloud n8n instances. It provides node resources for Gateway (evaluate/execute) and Approvals (list, get, approve, deny).

Data sent to UAPK Gateway by this integration:

  • Your API key and Management Token (stored in n8n credentials — encrypted by n8n)
  • Action payloads you configure in the node

Self-hosted note: If you run n8n on your own infrastructure, the n8n credential store is under your control. UAPK Gateway only receives the data you explicitly send via node executions.

n8n's privacy policy: n8n.io/legal/privacy

Langflow

The uapk-langflow Python package adds two visual components to Langflow — UAPK Evaluate and UAPK Execute — that can be dropped into AI pipeline flows. The package is installed via pip and registers automatically via the langflow.components entry point.

Data sent to UAPK Gateway by this integration:

  • Your API key and Gateway URL (configured in the component — stored in your Langflow instance)
  • Agent action data flowing through the pipeline at runtime

Self-hosted note: Langflow is typically self-hosted; all credential storage is local to your deployment. UAPK Gateway receives only the action data passed to the component during flow execution.

Langflow's privacy policy: langflow.org/privacy-policy

6. Security

We implement the following technical measures to protect your data:

  • Encryption in transit: TLS 1.2+ on all API endpoints
  • Credential encryption: Fernet (AES-128-CBC + HMAC-SHA256) for connector secrets; bcrypt for API keys and passwords
  • Signature integrity: Ed25519 signatures on every interaction record
  • SSRF protection: all connector webhook URLs are validated against an allowlist
  • Token security: capability and override tokens include a token_type field to prevent substitution attacks

To report a security vulnerability, email [email protected] or see our Security Policy.

7. Your Rights

Depending on your jurisdiction, you may have rights to:

  • Access the personal data we hold about you
  • Correct inaccurate account data
  • Delete your account and non-audit personal data
  • Port your data in machine-readable format
  • Object to certain processing activities

Note: interaction records in the audit chain cannot be deleted due to the immutability guarantee. This is a contractual and technical requirement of the service.

To exercise any right, contact us at [email protected].

8. GDPR / EU Data Subjects

UAPK Gateway is operated from the European Union. If you are an EU data subject, the legal basis for processing your data is:

  • Contract performance — processing necessary to deliver the Gateway service
  • Legitimate interests — security, fraud prevention, and audit integrity
  • Legal obligation — compliance with applicable laws

You have the right to lodge a complaint with a supervisory authority. Our primary supervisory authority is the relevant data protection authority in Germany.

9. Cookies & Analytics

The uapk.info documentation website uses Google Analytics 4 with IP anonymization enabled. No personally identifiable information is collected through analytics. The UAPK Gateway API itself does not use cookies.

10. Changes to This Policy

We may update this policy from time to time. Material changes will be announced via email to registered users and noted on this page with a revised effective date. Continued use of the service after changes constitutes acceptance.

11. Contact

UAPK Project
c/o Hucke & Sanker
Email: [email protected]
Security: [email protected]
