Privacy Policy
Effective 2026-05-24
Nomos is a community-maintained open-source project. This policy explains what data the hosted Nomos service at auto-nomos.com (“Nomos”, “we”, “us”) collects when you use the dashboard, the Policy Decision Point (PDP), the Model Context Protocol (MCP) connectors, and related command-line tools. There is no incorporated legal entity behind Nomos; the service is operated by the project maintainers. If anything here is unclear, email [email protected].
1. Who we are
Nomos is a community-maintained open-source authorization broker for AI agents. There is no incorporated legal entity. The hosted service is operated by the project maintainers and is reachable at auto-nomos.com. Source code is on GitHub. For privacy questions, data-subject requests, or security reports, contact [email protected].
2. Data we collect
We collect only what we need to operate the service:
- Account data. Email address, name, hashed password (or OAuth identifier), organization membership, role, and authentication factors (passkey credential IDs).
- OAuth tokens for third-party connectors. When you connect a SaaS provider (GitHub, Google, Slack, Notion, Linear, Stripe, Discord, Dropbox, Telegram, Twilio, Salesforce, Jira, Perplexity, Granola, Postgres, filesystem, SSH), we store the access token and (where available) refresh token issued by that provider, encrypted at rest with XChaCha20-Poly1305.
- Policy + audit data. The Cedar policies you author, the authorization requests your agents make, the PDP decisions, and a hash-chained audit trail of every minted UCAN and every upstream proxied call.
- Operational telemetry. Request logs, latency, error traces (via Sentry), and aggregated metrics (via OpenTelemetry). IP addresses are recorded for abuse prevention and rate limiting.
- Billing data. If you are on a paid plan, we store invoice metadata. Payment instruments are handled by our payment processor; we never see full card numbers.
3. Google user data
When you connect a Google account (Drive, Gmail, Calendar, Sheets, Docs, Slides, Forms, or any sub-service exposed by Nomos), we receive an OAuth access token and refresh token from Google scoped to the OAuth scopes you explicitly granted in the Google consent screen.
How we use Google user data. Solely to execute the specific authorized action your agent is requesting at runtime — for example, listing files, reading a specific document, or posting a Calendar event — and only when an unexpired UCAN issued by the PDP permits that action against that resource. We do not read Google user data for any other purpose.
How we store Google user data. Refresh tokens are encrypted with XChaCha20-Poly1305 before being written to our database. Access tokens are held in memory or short-lived cache only. Response bodies fetched from Google are returned to your agent and are not retained on our servers after the request completes; only the audit record (timestamp, decision, hash of the request) is persisted.
How we share Google user data. We do not sell, rent, or share Google user data with third parties. The data is transmitted only between Google, our PDP, and the authenticated agent or human acting on your behalf.
AI/ML. We do not use Google user data to develop, improve, or train generalized AI/ML models.
Limited Use compliance. Nomos’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Revocation. You can disconnect a Google account at any time from the dashboard’s Connections page, or revoke Nomos’s access directly at myaccount.google.com/permissions. On disconnect we delete the stored tokens within 7 days.
4. How we use data
- Provide the authorization service: evaluate policies, mint UCANs, proxy upstream calls.
- Maintain the audit trail and let you (and auditors) verify it.
- Secure the service: detect abuse, rate limit, debug errors.
- Communicate with you about service changes, security advisories, and (if you opted in) product updates.
- Comply with legal obligations.
We do not use your data to train AI models. We do not sell your data. We do not run ad networks.
5. How we share data
Limited and only with parties we need to operate the service:
- Infrastructure providers. Cloud hosting (Microsoft Azure), managed Postgres, Cloudflare R2 (audit archive), Cloudflare (CDN/edge), Sentry (error tracking), Knock (transactional notifications).
- Third-party APIs you authorize. When your agent calls GitHub, Google, Slack, etc. through Nomos, we transmit data to that provider on your behalf using the OAuth token you issued.
- Legal. We disclose data when required by valid legal process or to protect rights, property, or safety.
6. Data retention
- Account data — retained for the life of your account, deleted within 30 days of account closure.
- OAuth tokens — deleted within 7 days of disconnect or account closure.
- Audit events — retained 7 years in Cloudflare R2 (industry default for audit logs); you can request earlier deletion subject to legal-hold exceptions.
- Operational logs — 30 days rolling.
- Billing records — retained as required by tax law (typically 7 years).
7. Security
See our Security page for the full posture. Highlights: UCAN delegation (no shared secrets), Cedar policy enforcement, hash-chained audit log with Ed25519-signed daily roots, XChaCha20-Poly1305 encryption for stored OAuth tokens, multi-tenant isolation tested on every CI run, TLS 1.3 in transit.
8. Your rights
Depending on jurisdiction (GDPR, CCPA, India DPDP Act, etc.) you may have rights to access, correct, export, or delete your personal data. Email [email protected] and we will respond within 30 days.
9. International transfers
Our primary deployment region is Central India (Microsoft Azure). Some sub-processors (Sentry, Cloudflare) may process data in other regions. We rely on Standard Contractual Clauses where required.
10. Children
Nomos is not directed at children under 16 and we do not knowingly collect their data.
11. Changes to this policy
We will post any material change here and update the effective date. For significant changes we will also email account owners at least 14 days before the change takes effect.
12. Contact
Privacy questions, data-subject requests, security disclosures: [email protected].