Privacy Policy
Effective May 28, 2026
Kifly operates an agent-to-agent commerce platform: sellers list products through a web portal, and AI agents discover and purchase those products programmatically over standard protocols (UCP, MCP, OAuth 2.1). This Privacy Policy explains what data we collect, why we collect it, and the choices you have. We aim to collect the minimum we need to run the platform safely.
“Kifly,” “we,” “us,” and “our” refer to Kifly. “You” refers to anyone who uses Kifly — sellers, end shoppers buying through an agent, and the developers operating agents on either side.
1. What we collect
Seller accounts
Sellers sign in with Google via Supabase Auth. We store the name and email address returned by Google, plus business information you provide (store handle, display name, description, contact details, delivery coverage, product listings, images, and inventory).
Shopper data (routed through agents)
When an agent makes a purchase on a shopper's behalf, we receive the shipping address, the email address used for the order, and the line items being purchased. We do not store full payment-card details — payment information is collected by Stripe through the Stripe-hosted checkout link or Shared Payment Token flow.
Agent identity & usage
Agents authenticate against Kifly with API keys (kfa_live_…) or short-lived OAuth-issued tokens (kfa_oauth_…). We store a salted HMAC-SHA256 hash of the secret — never the secret itself. We log each agent action (search, add-to-cart, checkout, order status) to a per-row audit trail that includes the agent token ID, action verb, resource ID, and minimal metadata.
Diagnostic data
We collect error reports and performance traces via Sentry to keep the platform reliable. Sentry receives stack traces, the URL of the failing request, browser/OS metadata, and an anonymous session identifier. Stack traces are reviewed to strip personal data before long-term storage.
Cookies
We use first-party cookies to keep sellers signed in (Supabase Auth session cookies, SameSite=Strict) and to remember agent-installation choices made during OAuth consent. We do not use third-party advertising or cross-site tracking cookies.
2. How we use data
- Operate the marketplace — match agents to sellers, complete checkouts, track order status, send fulfillment updates.
- Detect and prevent fraud, abuse, and policy violations (e.g. cross-seller fan-out attacks, repeated unauthorized requests).
- Provide customer support and respond to your questions.
- Improve the platform — diagnose errors via Sentry, and analyze aggregate, de-identified metrics about agent behavior to improve tool descriptions and search relevance.
- Comply with legal obligations.
We do not sell your personal data, and we do not share it with advertisers.
3. Sub-processors
Running Kifly requires a small set of trusted infrastructure providers. Each handles only the data needed for its specific role:
- Supabase — Postgres database, Auth, file storage. Hosts the canonical record of accounts, listings, carts, orders, and audit logs.
- Vercel — application hosting and serverless execution for kifly.io and the API.
- Stripe — payment processing. Stripe receives the buyer's payment details directly; Kifly receives only the order amount, currency, and a payment-intent reference.
- Medusa / Railway — commerce engine (product catalog, cart, order pipeline) hosted on Railway.
- Sentry — error monitoring and performance traces for both the portal and the commerce engine.
- DeepInfra — open-source embedding model (BGE-M3) used to power semantic product search. Queries and product titles are sent for embedding; embeddings are stored on our infrastructure.
- Google — sign-in via OAuth for seller accounts.
We choose providers with strong security postures and review changes to this list when sub-processors are added or replaced.
4. Data retention
- Seller account data is retained for the life of the account and for a reasonable period after closure to satisfy legal and tax obligations.
- Order records (including shipping address and order totals) are retained for at least seven (7) years to meet financial-record retention requirements.
- OAuth authorization codes are deleted ten (10) minutes after issue; OAuth refresh tokens are deleted thirty (30) days after rotation or revocation. The audit log is append-only and retained for the life of the account.
- Diagnostic data in Sentry follows Sentry's default retention (90 days for full traces, 30 days for replays where enabled).
5. Your rights
Depending on where you live, you may have the right to access, correct, delete, port, or restrict processing of your personal data, and to withdraw consent. To exercise any of these rights, email hello@kifly.ai from the address associated with your account. We'll respond within thirty (30) days. We won't discriminate against you for exercising a privacy right.
Sellers can revoke individual API keys at any time from the API Keys page in the seller portal. End shoppers can revoke OAuth grants from their AI client's connector settings, which calls Kifly's RFC 7009 revocation endpoint.
6. Security
We apply defense-in-depth controls across the platform: Postgres Row-Level Security on every Kifly table, HMAC-SHA256 hashing of API keys with a Vault-managed pepper, per-request minted JWTs that bind agents to their seller scope, webhook signature verification on Stripe and Supabase callbacks, and append-only audit logs. We publish our security posture and the current Phase-2 queue in our public repository. No system can be guaranteed to be 100% secure; if you believe you've discovered a vulnerability, please email hello@kifly.ai before public disclosure.
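As an added illustration of the API-key handling described in sections 1 and 6 (example code written for this page, not Kifly's implementation), the following shows one way to store only a peppered HMAC-SHA256 of a key's secret and to verify a presented key with a constant-time comparison. The key layout (a public key ID and a secret separated by a dot) and the pepper value are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed pepper for this example only. In production it would come from a
# secrets manager (the policy mentions a Vault-managed pepper), never from the DB.
PEPPER = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

KEY_PREFIXES = ("kfa_live_", "kfa_oauth_")


def hash_secret(key_id: str, secret: str) -> str:
    # The key ID acts as the per-key salt; the pepper stays server-side.
    # Only this digest is persisted, never the secret itself.
    return hmac.new(PEPPER, f"{key_id}:{secret}".encode(), hashlib.sha256).hexdigest()


def mint_api_key(prefix: str = "kfa_live_") -> Tuple[str, str, str]:
    """Return (plaintext_key, key_id, stored_hash). The plaintext is shown once."""
    key_id = secrets.token_hex(8)          # public handle; safe to record in the audit trail
    secret = secrets.token_urlsafe(32)     # high-entropy secret; never logged or stored
    return f"{prefix}{key_id}.{secret}", key_id, hash_secret(key_id, secret)


def parse_key(presented: str) -> Optional[Tuple[str, str, str]]:
    """Split a presented key into (prefix, key_id, secret); None if malformed."""
    for prefix in KEY_PREFIXES:
        if presented.startswith(prefix):
            key_id, sep, secret = presented[len(prefix):].partition(".")
            if sep and key_id and secret:
                return prefix, key_id, secret
    return None


# Digest compared against when the key ID is unknown, so lookup failures take
# roughly the same time as wrong-secret failures.
_DUMMY_DIGEST = hash_secret("unknown", "unknown")


def verify_api_key(presented: str, store: Dict[str, str]) -> Optional[str]:
    """Return the key ID if the presented key matches its stored digest, else None."""
    parsed = parse_key(presented)
    if parsed is None:
        return None
    _, key_id, secret = parsed
    stored = store.get(key_id, _DUMMY_DIGEST)
    ok = hmac.compare_digest(hash_secret(key_id, secret), stored)
    return key_id if ok and key_id in store else None
```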
7. International data transfers
Kifly operates infrastructure in the United States and the European Union. By using Kifly you understand that your information may be processed in countries other than the one where you reside. We rely on standard contractual clauses and equivalent safeguards where cross-border transfers occur.
8. Children
Kifly is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact hello@kifly.ai and we will delete it.
9. Changes to this policy
We may update this policy as the platform evolves. When we make a material change, we'll update the Effective Date at the top of the page and notify active sellers by email at the address on file. Continued use after the Effective Date constitutes acceptance of the updated policy.
10. Contact
Questions about this policy can be sent to hello@kifly.ai. For all other matters, see the contact options below.