Privacy Policy

1. Overview

TameFlare ("we", "us") is a source-available control plane for AI agent governance, licensed under the Elastic License v2 (ELv2). This policy describes how we handle data when you self-host TameFlare.

2. Self-Hosted Instances

When you self-host TameFlare, all data stays on your infrastructure. We do not collect, transmit, or have access to any data processed by your self-hosted instance. This includes action requests, policy evaluations, audit logs, agent API keys, and all configuration.

3. Data We Process

If you interact with our website or purchase a license, we may collect:

• Account information — email address, name, and hashed password when you create an account.
• Usage data — action counts, agent counts, and feature usage for billing and analytics. We do not inspect the content of your action specs or parameters.
• Website analytics — anonymous page views and referrer data to improve the product.

4. Data Security

Sensitive credentials (Slack tokens, GitHub PATs) stored in TameFlare are encrypted at rest using AES-256-GCM when a SETTINGS_ENCRYPTION_KEY is configured. API keys are stored as bcrypt hashes. Decision tokens use ES256 (ECDSA P-256) cryptographic signatures.

5. Third-Party Services

TameFlare integrates with third-party services (GitHub, Slack) only when you explicitly configure those integrations. Credentials are stored in your database, not transmitted to us. Webhook callbacks are sent directly from your instance to your specified URLs.

6. Data Retention

Audit log retention is configurable via the AUDIT_RETENTION_DAYS environment variable. Session data and expired nonces are purged automatically via the maintenance cleanup endpoint. You control all data retention policies on self-hosted instances.

7. Contact

For privacy-related questions, contact us at info@tameflare.com.