Privacy Policy
Effective May 28, 2026
Kifly operates an agent-to-agent commerce platform: sellers list products through a web portal, and AI agents discover and purchase those products programmatically over standard protocols (UCP, MCP, OAuth 2.1). This Privacy Policy explains what data we collect, why we collect it, and the choices you have. We aim to collect the minimum we need to run the platform safely.
“Kifly,” “we,” “us,” and “our” refer to Kifly. “You” refers to anyone who uses Kifly — sellers, end shoppers buying through an agent, and the developers operating agents on either side.
1. What we collect
Seller accounts
Sellers sign in with Google. We store the name and email address returned by Google, plus business information you provide (store handle, display name, description, contact details, delivery coverage, product listings, images, and inventory).
Shopper data (routed through agents)
When an agent makes a purchase on a shopper's behalf, we receive the shipping address, the email address used for the order, and the line items being purchased. We do not store full payment-card details — payment information is collected by Stripe through the Stripe-hosted checkout link or Shared Payment Token flow.
Agent identity & usage
Agents authenticate against Kifly with API keys (kfa_live_…) or short-lived OAuth-issued tokens (kfa_oauth_…). We store a salted HMAC-SHA256 hash of the secret — never the secret itself. We log each agent action (search, add-to-cart, checkout, order status) as one row in an audit trail that records the agent token ID, action verb, resource ID, and minimal metadata.
Diagnostic data
We collect error reports and performance traces through a third-party error-monitoring vendor to keep the platform reliable. The vendor receives stack traces, the URL of the failing request, browser/OS metadata, and an anonymous session identifier. Stack traces are reviewed to strip personal data before long-term storage.
Cookies
We use first-party session cookies (SameSite=Strict) to keep sellers signed in, and to remember agent-installation choices made during OAuth consent. We do not use third-party advertising or cross-site tracking cookies.
2. How we use data
- Operate the marketplace — match agents to sellers, complete checkouts, track order status, send fulfillment updates.
- Detect and prevent fraud, abuse, and policy violations (e.g. cross-seller fan-out attacks, repeated unauthorized requests).
- Provide customer support and respond to your questions.
- Improve the platform — diagnose errors using our error-monitoring vendor, and analyze aggregate, de-identified metrics about agent behavior to improve tool descriptions and search relevance.
- Comply with legal obligations.
We do not sell your personal data, and we do not share it with advertisers.
3. Sub-processors
Running Kifly requires a small set of trusted infrastructure providers. Each handles only the data needed for its specific role:
- Stripe — payment processing. Stripe receives the buyer's payment details directly; Kifly receives only the order amount, currency, and a payment-intent reference.
- Google — OAuth sign-in for seller and buyer accounts. Google returns your name and email address to Kifly so we can create your account.
- Managed database, authentication, and file storage — hosts the canonical record of accounts, listings, carts, orders, and audit logs.
- Application hosting — serverless execution for kifly.ai and the API surface.
- Headless commerce engine — product catalog, cart, and order pipeline.
- Error monitoring + performance traces — diagnostic data for the portal and the commerce engine.
- AI / ML inference — embedding generation that powers semantic product search.
Per GDPR Article 28(3) and CCPA, we maintain a current named list of every sub-processor and the data category each one handles. Sellers, buyers, and enterprise procurement teams can request the full list and our Data Processing Addendum (DPA) at any time by emailing hello@kifly.ai. We notify customers in advance of changes to the list so that you can object to a new sub-processor before it begins processing your data.
4. Data retention
- Seller account data is retained for the life of the account and for a reasonable period after closure to satisfy legal and tax obligations.
- Order records (including shipping address and order totals) are retained for at least seven (7) years to meet financial-record retention requirements.
- OAuth authorization codes are deleted ten (10) minutes after issue; OAuth refresh tokens are deleted thirty (30) days after rotation or revocation. The audit log is append-only and retained for the life of the account.
- Diagnostic data with our error-monitoring vendor follows the vendor's default retention (up to 90 days for full traces, up to 30 days for session replays where enabled).
5. Your rights
Depending on where you live, you may have the right to access, correct, delete, port, or restrict processing of your personal data, and to withdraw consent. To exercise any of these rights, email hello@kifly.ai from the address associated with your account. We'll respond within thirty (30) days. We won't discriminate against you for exercising a privacy right.
Sellers can revoke individual API keys at any time from the API Keys page in the seller portal. End shoppers can revoke OAuth grants from their AI client's connector settings, which calls Kifly's RFC 7009 revocation endpoint.
6. Security
We apply defense-in-depth controls across the platform: row-level access control on every database table that holds your data, HMAC-SHA256 hashing of API keys with a vault-managed pepper, per-request minted JWTs that bind agents to their seller scope, signature verification on every inbound webhook, and append-only audit logs. Our internal security architecture and Phase-2 queue are reviewed continuously and available to enterprise customers under NDA. No system can be guaranteed to be 100% secure; if you believe you've discovered a vulnerability, please email hello@kifly.ai before public disclosure.
7. International data transfers
Kifly operates infrastructure in the United States and the European Union. By using Kifly you understand that your information may be processed in countries other than the one where you reside. We rely on standard contractual clauses and equivalent safeguards where cross-border transfers occur.
8. Children
Kifly is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact hello@kifly.ai and we will delete it.
9. Changes to this policy
We may update this policy as the platform evolves. When we make a material change, we'll update the Effective Date at the top of the page and notify active sellers by email at the address on file. Continued use after the Effective Date constitutes acceptance of the updated policy.
10. Contact
Questions about this policy can be sent to hello@kifly.ai. For all other matters, see the contact options below.