Privacy Policy
We built AgentPostmortem to be as privacy-respecting as a public registry can be. This policy explains what information we collect, how we use it, and what we do not do.
What We Collect
When you browse the registry we collect standard server logs: your hashed IP address (see below), the page requested, timestamp, and user-agent string. We do not require an account to browse or to submit a case. If you choose to provide an email address during submission, we collect that too, for the sole purpose described below.
How We Use It
Log data is used only to operate the site: diagnosing errors, understanding traffic patterns, and detecting abuse. Email addresses provided at submission time are used only to send the submitter a private edit link for their case. We do not use any collected information for advertising, profiling, or sale to third parties.
Anonymous Submissions
Providing an email address when submitting a case is entirely optional. If you do not provide one, your submission is fully anonymous from our side. If you do provide one, it is used to deliver a single transactional email containing your private edit link and is not retained in our database after that email is sent.
We also run basic automated redaction on submitted text before it reaches our database: email addresses, phone numbers, and common PII patterns are stripped. Screenshot and file uploads are stored as provided. Please remove sensitive information from evidence before uploading.
IP Hashing
We never store IP addresses in plaintext. Incoming IPs are immediately hashed with a secret server-side pepper using a one-way function. The hash is used for rate-limiting and abuse detection only. The pepper is rotated periodically, which permanently destroys the ability to link old hashes to their source IPs. No IP address can be recovered from the hashes we store.
Cookies
We set a minimal session cookie when you visit the site. It contains no personally identifying information and exists only to maintain basic site functionality (e.g. CSRF protection). We do not use tracking cookies, analytics cookies, or any third-party advertising cookies.
Third-Party Services
Running this registry requires a small number of third-party infrastructure providers. Each sees a limited slice of data:
- Supabase: our database and storage provider. Case data and hashed IPs are stored here. Supabase infrastructure is hosted on AWS.
- Vercel: hosts the Next.js application. Vercel sees request logs in the normal course of serving the site.
- Cloudflare: provides DNS, DDoS protection, and CDN. Cloudflare sees raw IP addresses as part of proxying requests before they reach our application.
- Resend: transactional email provider. Used only to send edit-link emails to submitters who provide an address. Resend receives the recipient address and the email body for that single send.
We do not use Google Analytics, Mixpanel, Segment, or any behavioural analytics platform.
Data Retention
Published case records are retained indefinitely, as that is the point of a public ledger. Server logs are retained for up to 90 days and then deleted. Hashed IPs in rate-limit records are purged after 30 days. Submitter emails, as noted above, are not retained after the edit-link email is delivered.
Contact
If you have questions about this policy, believe your personal information has been mishandled, or want to request deletion of something, contact us at hello@agentpostmortem.com. We will respond within 10 business days.
Last updated: May 2025