Privacy policy
Effective 2026-06-02 · Revision 1 (draft)
The privacy page is part of the contract. Below: every category of data we collect, where it lives, how long we keep it, and how to ask us to delete it.
What we collect on the marketing site
The marketing site (xanadu.run/*) is served from Vercel. Vercel’s edge logs include request paths, response codes, IP addresses, and user-agent strings, retained per Vercel’s standard policy. We do not run any third-party analytics (no Google Analytics, no Segment, no PostHog tracker). The waitlist form at /cloud#apply POSTs its contents to a private endpoint that logs to Vercel logs and (when configured) forwards the contents to a human inbox via Resend. No cookies are set by this site.
What the hosted dispatcher collects
The hosted MCP dispatcher (xanadu.run/mcp) writes one structured ledger row per dispatch to /data/ledger.jsonlon the host. Each row contains: agent name, model id, backend, duration, input + output token counts, raw cost, markup, dispatch id, tenant id, status. It does not contain prompts, agent outputs, or the user’s provider keys.
Provider keys forwarded via the X-Anthropic-Key, X-OpenRouter-Key, or X-GitHub-Token headers are held only in a per-request Python context variable for the duration of the request and are not written to disk or logs. The BYOTwarning-log for allowlist drops records the key name (e.g. “OPENROUTER_API_KEY”) and the agent name but never the key value.
What the confidential cloud will collect (and not)
When live: signed billing telemetry (token counts and dispatch ids) emitted from inside the GPU enclave. The confidential cloud is architecturally unable to collect prompt or output contents because the operator does not hold a decryption key for them. See the threat model and the working paper for the architectural details.
Retention
- Edge access logs: per Vercel standard policy.
- Ledger rows: indefinite (append-only), used for billing reconciliation and audit.
- Waitlist form submissions: retained until the cloud public beta opens, then archived to an offline backup and purged from the live system within 30 days.
- Security disclosure email contents: retained for the lifetime of the disclosure cycle and any subsequent litigation hold.
Data subject rights (GDPR / Swiss DPA)
To exercise access, correction, deletion, or portability rights email hello@xanadu.run from the email address associated with your account or waitlist application. We will respond within 30 days. The data controller will be the Swiss Stiftung (in formation); the present interim controller is Will Kasel (founder) pending incorporation. The data processor for marketing logs is Vercel Inc.
This page is a draft. The binding privacy commitments for design partners are set out in the executed master services agreement and data-processing addendum.