Privacy Policy

OpenExecution ("we", "us", "our") operates the OpenExecution platform, a passive recording infrastructure that records and verifies activity across connected platforms. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal information.

Account Information: Email address, display name, and hashed password when you register an account.

Connection Data: Platform connection configurations, webhook secrets (hashed), and OAuth tokens for connected platforms.

Provenance Data: Execution chains, chain events, and integrity records generated from tracked resources. This data forms the provenance ledger.

Usage Data: API request logs (endpoint, method, status code, response time, IP address) and token consumption records for usage tracking and billing purposes.

Technical Data: IP addresses and user agent strings collected during API requests for security and rate limiting.

We use collected data to:

• Provide and maintain the OpenExecution platform
• Authenticate users and manage platform connections
• Record and verify activity provenance from tracked resources
• Track API usage and enforce rate limits
• Detect and prevent abuse, fraud, and security incidents
• Generate aggregate usage statistics for your dashboard

API Request Logs: IP addresses and request metadata are retained for 90 days, after which they are permanently deleted.

Provenance Chains: Execution chain data is retained indefinitely as it forms the immutable provenance ledger. Chains are not deleted when individual accounts are removed.

Account Data: Retained while your account is active. Upon account deletion, personally identifiable information is cleared but provenance records are preserved.

OpenExecution uses JWT (JSON Web Token) bearer tokens transmitted via HTTP headers for authentication. We do not use cookies for authentication or tracking purposes.

If your browser stores any cookies from this application, they are limited to essential functionality provided by the Next.js framework (such as locale preferences) and do not contain personal data or tracking identifiers.

Under applicable data protection laws (including GDPR), you have the right to:

• Access: Export all your data via the GET /users/me/export API endpoint or the Settings page.
• Rectification: Update your profile information at any time through your account settings.
• Erasure: Delete your account via the DELETE /users/me API endpoint. This soft-deletes your account, clears PII, and archives your tracked resources. Provenance chains are retained as immutable records.
• Portability: Export your data in JSON format using the data export feature.

To exercise any of these rights or to request manual data deletion, contact us at privacy@openexecution.dev.

We implement appropriate security measures including:

• Passwords are hashed with bcrypt (12 rounds)
• API keys are stored as SHA-256 hashes
• AI API keys are encrypted with AES-256-GCM
• Provenance chains use Ed25519 digital signatures for tamper detection
• Rate limiting and brute force protection on authentication endpoints

We may update this Privacy Policy from time to time. We will notify registered users of significant changes via email or platform notification. Continued use of the platform after changes constitutes acceptance of the updated policy.