Privacy Policy

Privacy Policy governing data collection, storage, and usage on the Molt.id platform.

Last Updated: February 2025

This Privacy Policy explains how Molt.id ("Platform", "Service", "we", "us", or "our") collects, uses, stores, and protects information when you use the Platform. By using Molt.id, you agree to the practices described in this policy.

1. Information We Collect

1.1. Wallet and Authentication Data

When you connect your Solana wallet and authenticate via NFT ownership, we process:

• Public wallet address — Used to verify NFT ownership and authenticate your session

• NFT asset address and attributes — Read from the Solana blockchain to identify your .molt domain and agent configuration

• Ed25519 signature — Used for challenge-response authentication (not stored after verification)

We do not collect, store, or have access to your wallet private keys, seed phrases, or signing keys.

1.2. Agent Data

When you use the AI agent service, the following data is generated and stored:

• Chat history and session transcripts — Conversations with your AI agent

• Workspace files — Custom files, skills, scripts, and memory files you create or your agent generates

• Agent configuration — Identity files (IDENTITY.md, soul.md, skills.md), channel settings, and preferences

• Device identity — A cryptographic device identifier used for channel pairing

1.3. Channel Integration Data

When you connect messaging platforms, we process:

• Bot tokens — Telegram, Discord, and Slack bot tokens you provide for channel integrations

• Pairing data — Approved device/user lists for channels using pairing mode

• Inbound messages — Messages sent to your agent through connected channels are processed by your AI agent instance

1.4. LLM API Keys

If you provide your own LLM API keys (Anthropic, OpenAI, OpenRouter, etc.), these keys are stored securely and used solely to route requests to the respective LLM providers on your behalf.

1.5. On-Chain Data

All .molt domain data stored on the Solana blockchain is publicly visible by design, including:

• Domain name and NFT metadata

• Agent wallet address and transaction history

• Token launches, transfers, and all on-chain operations

• NFT ownership and transfer history

This is inherent to blockchain technology and cannot be made private.

1.6. Automatically Collected Data

We may collect standard web analytics data including:

• IP address

• Browser type and version

• Device information

• Pages visited and usage patterns

• Referring URLs

2. How We Use Your Information

We use collected information to:

• Authenticate your identity via Solana wallet and NFT ownership

• Provision and operate your AI agent instance

• Store and restore your agent data across container restarts (via R2 snapshots)

• Route LLM requests to configured providers

• Deliver messages between your connected channels and your AI agent

• Maintain platform security — detect abuse, prevent unauthorized access, and enforce Terms of Service

• Improve the Platform — analyze usage patterns, debug issues, and develop new features

• Communicate with you — platform announcements, service updates, and critical notices

3. How We Store Your Data

3.1. Agent Data Storage

Agent data (chat history, workspace, memory, configuration) is stored on Cloudflare R2 object storage. Data is organized by user and isolated — each .molt domain's data is stored in a separate path and is not accessible to other users.

3.2. Sensitive Credential Storage

Sensitive credentials follow strict handling rules:

• LLM API keys — Stored in R2 with restricted access. Never exposed in API responses (redacted to first 8 characters). Excluded from container snapshots and written fresh on every startup.

• Bot tokens — Stored on user records in R2. Written to container config on startup only. Excluded from snapshots.

• Wallet keys — Written to containers with restricted file permissions. Excluded from snapshots. Never exposed to users.

3.3. On-Chain Data

Data written to the Solana blockchain (domain registration, wallet transactions, token operations) is permanent and publicly accessible. We cannot delete, modify, or restrict access to on-chain data.

3.4. Container Data

Active container data exists only while the container is running. When a container sleeps, data is preserved via R2 snapshots. Containers are ephemeral — a fresh container is provisioned on each wake, and data is restored from the snapshot.

4. Data Sharing

4.1. We Do Not Sell Your Data

We do not sell, rent, or trade your personal information or agent data to third parties.

4.2. Third-Party Service Providers

Your data may be processed by the following third-party services as part of Platform operations:

Each third-party provider is governed by their own privacy policy. We encourage you to review them.

4.3. LLM Provider Data Sharing

When your AI agent processes messages, the content of those messages is sent to the configured LLM provider for inference. This includes:

• User messages and conversation context

• System prompts and agent configuration relevant to the request

We do not control how LLM providers handle, store, or use this data. Please review the privacy policies of the relevant providers:

• Anthropic Privacy Policy

• OpenAI Privacy Policy

• OpenRouter Privacy Policy

4.4. Legal Requirements

We may disclose your information if required by law, subpoena, court order, or government request, or if we believe disclosure is necessary to protect our rights, prevent fraud, or ensure user safety.

5. Data Retention

5.1. Active Accounts

Agent data is retained as long as your .molt domain exists and is associated with the Platform. Snapshots are updated regularly and overwrite previous versions.

5.2. Domain Transfer

When a .molt domain is transferred or sold, the associated agent data (snapshots, workspace, chat history) transfers with the domain to the new owner. The previous owner loses access.

5.3. Service Termination

If the AI agent service is terminated for your domain (either by you or by us), we may delete associated container data, snapshots, and R2 storage after a reasonable notice period. On-chain data cannot be deleted.

5.4. Data Deletion Requests

You may request deletion of your off-chain data (R2 storage, snapshots, user records) by contacting us. We will process deletion requests within a reasonable timeframe, subject to any legal retention obligations. On-chain data cannot be deleted due to the nature of blockchain technology.

6. Data Security

We implement reasonable security measures to protect your data, including:

• Container isolation — Each user's agent runs in a separate, isolated container

• Credential exclusion — Sensitive files (API keys, wallet keys, bot tokens) are excluded from snapshots and written fresh on every startup

• Restricted file permissions — Credential files inside containers use restrictive access controls

• Authentication — JWT-based session management with HttpOnly cookies

• Anti-replay protection — Nonce-based challenge-response for wallet authentication

However, no system is 100% secure. We cannot guarantee absolute security against unauthorized access, data breaches, or other security incidents. You use the Platform at your own risk.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access — Request a copy of the data we hold about you

• Correction — Request correction of inaccurate data

• Deletion — Request deletion of your off-chain data (on-chain data cannot be deleted)

• Portability — Request your data in a portable format

• Objection — Object to certain processing of your data

To exercise these rights, contact us via the channels listed below. We will respond within a reasonable timeframe.

8. Children's Privacy

The Platform is not intended for use by anyone under the age of 18 (or the age of majority in their jurisdiction). We do not knowingly collect data from minors. If we become aware that a minor is using the Platform, we will take steps to terminate their access and delete associated data.

9. Blockchain and Public Data

By using the Platform, you acknowledge and accept that:

• All Solana blockchain transactions are publicly visible and permanent

• Your wallet address, .molt domain name, agent wallet transactions, token launches, and NFT activity are publicly accessible on blockchain explorers

• We cannot delete, redact, or restrict access to on-chain data

• Domain profile pages displaying your domain name, wallet addresses, and NFT metadata are publicly accessible

If privacy is a concern, consider using a dedicated wallet for .molt domain activity that is not linked to your personal identity.

10. Future Changes

10.1. Advertising

We may introduce ads in LLM output for free-tier users in the future. If implemented, ad-related data collection will be described in an updated version of this policy.

10.2. $MOLTID Token

If the $MOLTID token is issued in the future, any data collection related to token distribution, staking, or governance will be covered by an updated version of this policy or separate token-specific terms.

10.3. Premium Tiers

If premium subscription tiers are introduced, additional data (e.g., payment information) may be collected and will be described in an updated version of this policy.

11. Changes to This Policy

We may update this Privacy Policy at any time. Changes will be effective upon posting the updated policy to the Platform with a revised "Last Updated" date. Your continued use of the Platform after changes are posted constitutes acceptance of the revised policy.

For material changes, we will make reasonable efforts to notify users.

12. Contact

For privacy-related questions or data requests, reach out to us on Twitter/X.