Legal
Effective Date: March 19, 2026
This Privacy Policy explains how MoltWall collects, uses, stores, and protects information when you use the MoltWall AI Agent Security Firewall platform at www.moltwall.xyz.
MoltWall (“we,” “us,” or “our”) is the operator of the MoltWall AI Agent Security Firewall platform, accessible at www.moltwall.xyz. We provide a production-grade security evaluation engine, TypeScript SDK, and security dashboard for teams building AI agents.
For privacy inquiries, you may contact our privacy team at privacy@moltwall.xyz.
This Privacy Policy applies to:
@moltwall/sdk) into applications.
This Policy does not apply to third-party services linked from the Platform. Those services are governed by their own privacy policies. We encourage you to review them.
If you are using the Platform under a separate enterprise or data processing agreement with MoltWall, the terms of that agreement take precedence over this Policy where they conflict.
When you register for an Account via Privy, we receive the following information from the authentication flow:
We do not store passwords. Authentication credentials are managed exclusively by Privy.
When your AI agents interact with the MoltWall API, we process and store:
Data you enter when configuring your security policies in the dashboard, including:
Automatically collected when you use the Platform:
If you contact us by email, live chat, or through a support channel, we retain the content of that communication and any contact details you provide, solely for the purpose of responding to you.
We use the information we collect for the following purposes:
| Purpose | Description |
|---|---|
| Provide the Services | Process Tool Call evaluations, enforce Policies, render security decisions, and display Action Logs in the dashboard. |
| Account management | Create and maintain your Account, authenticate your sessions, and manage API Keys. |
| Security & fraud prevention | Detect and prevent abuse, rate-limit API access, identify suspicious usage patterns, and protect the integrity of the Platform. |
| Service improvement | Analyze usage patterns, debug errors, and improve accuracy of risk scoring and guardrail detection models. Model training uses only anonymized, aggregated signals — never raw Tool Call payloads. |
| Communications | Send transactional emails (account notices, API key alerts, policy violation warnings). We do not send unsolicited marketing without consent. |
| Legal compliance | Comply with applicable laws, respond to lawful legal process, and enforce our Terms of Service. |
| Billing | Process payments if you subscribe to a paid plan (via a third-party payment processor). |
If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal bases for processing your personal data are:
| Legal basis | Description |
|---|---|
| Contract performance | Processing necessary to provide the Services you have requested — evaluating Tool Calls, maintaining your Account, and enforcing Policies. |
| Legitimate interests | Operating, securing, and improving the Platform; detecting fraud and abuse; analytics. We balance our interests against your rights and only rely on this basis where the impact on you is minimal. |
| Legal obligation | Complying with applicable law, court orders, or regulatory requirements. |
| Consent | Where you have specifically opted in (e.g., marketing communications). You may withdraw consent at any time. |
We do not sell, rent, or trade your personal data or User Data to third parties. We disclose information only in the following circumstances:
We share data with third-party sub-processors listed in Section 7 to the extent necessary for them to provide their services to us. All sub-processors are bound by data processing agreements.
We may disclose information if required to do so by law, subpoena, court order, or other governmental authority, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of our assets, your data may be transferred to the acquiring entity. We will notify you via email or a prominent notice on the Platform before data becomes subject to a different privacy policy.
We may share your information with third parties when you explicitly direct us to do so.
We may share aggregated, de-identified data about Platform usage and security trends that cannot reasonably be used to identify any individual or organization.
The following sub-processors handle personal data on our behalf. We maintain data processing agreements with each.
| Sub-processor | Purpose | Data | Location |
|---|---|---|---|
| Privy (privy.io) | Identity & authentication | Email, OAuth profile, wallet address | USA / EU |
| Supabase | Database — policies, tools, action logs | User Data, Action Logs, API Keys (hashed) | USA |
| Upstash / Redis | Policy caching & rate limiting | Policy configs, rate limit counters (temporary) | USA / EU |
| Vercel (if deployed) | Platform hosting & CDN | HTTP request metadata, IP address (ephemeral) | Global CDN |
To request our full sub-processor list or to object to a new sub-processor, contact legal@moltwall.xyz.
MoltWall operates primarily from the United States. If you are located in the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States and potentially other jurisdictions.
We rely on the following mechanisms to ensure adequate protection for international transfers:
To request copies of the safeguards we rely on for international transfers, contact legal@moltwall.xyz.
| Data category | Retention |
|---|---|
| Account information | Retained for the lifetime of your Account plus 30 days after deletion. |
| Action Logs | Retained per your plan tier (configurable). Deleted upon account closure after a 30-day grace period. |
| Policy configurations | Retained while your Account is active. Deleted with your Account. |
| API Keys (hashed) | Retained until you revoke them or delete your Account. |
| Technical logs (IP, request metadata) | Retained for up to 90 days for security and debugging purposes, then automatically purged. |
| Redis cache entries | Ephemeral — TTL-based expiry between 5 minutes and 24 hours depending on entry type. |
| Communications | Retained for up to 3 years to maintain a record of support interactions. |
You may request deletion of your data at any time (see Section 12). Certain data may be retained longer where required by applicable law or for legitimate fraud-prevention purposes, but only to the extent necessary.
We implement a layered set of technical and organizational security controls to protect your data:
No system is completely immune to security threats. We encourage you to protect your API Keys, use strong authentication methods, and report any suspected security issues to security@moltwall.xyz.
We use strictly necessary cookies and session tokens to maintain your authenticated session in the dashboard. These cannot be disabled without breaking core functionality.
We may use privacy-respecting analytics (collecting only anonymized, aggregated data) to understand how the dashboard is used and where to focus improvement efforts. No cross-site tracking identifiers or third-party advertising cookies are used.
The dashboard uses browser local storage to persist your session state, recent activity, and UI preferences (e.g., selected filters, playback settings). This data stays in your browser and is not transmitted to our servers except as part of normal API interactions.
You may manage cookies through your browser settings. Blocking essential cookies may prevent the dashboard from functioning correctly. For EU users, we will request consent for non-essential cookies if we introduce them.
Depending on your location, you may have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Rectification | Request correction of inaccurate or incomplete personal data. |
| Erasure (Right to be Forgotten) | Request deletion of your personal data, subject to our legal retention obligations. |
| Restriction | Request that we restrict processing of your data in certain circumstances. |
| Portability | Request your data in a structured, machine-readable format (JSON) to transfer to another service. |
| Objection | Object to processing based on legitimate interests or for direct marketing purposes. |
| Withdraw consent | Withdraw consent at any time where processing is based on consent (e.g., marketing). |
| Lodge a complaint | File a complaint with your local data protection authority (e.g., ICO in the UK, your national DPA in the EEA). |
To exercise any of these rights, submit a request to privacy@moltwall.xyz. We will respond within 30 days (or the period required by applicable law). We may need to verify your identity before processing your request.
You may delete your Account at any time through the dashboard settings. Deletion triggers a 30-day grace period during which you may export your data, after which all associated data is permanently purged from our systems (except where retention is legally required).
You may unsubscribe from non-essential communications using the unsubscribe link in any email, or by contacting privacy@moltwall.xyz. Transactional communications (security alerts, account notices) cannot be opted out of while your Account is active.
The Platform is not directed to individuals under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will promptly delete it. If you believe a child has provided us with personal data, please contact privacy@moltwall.xyz.
Because MoltWall is a security platform for AI agents, we have specific practices around how AI-related data is handled:
Tool Call argument payloads are processed by our security evaluation engine in real-time. Payloads are stored as part of Action Logs for audit purposes. We do not use raw Tool Call argument content to train external AI models without your explicit consent.
When our guardrail engine detects threats (e.g., prompt injection patterns, PII indicators), the finding type and severity are recorded in the Action Log. Detected PII is flagged but not extracted or stored in isolation — only the presence and category of the detection is logged.
Risk scores are computed by deterministic, rule-based scorers and do not involve training on your personal data. We may use aggregated, anonymized statistical signals to calibrate scorer weights over time.
Agent IDs you assign are treated as operational data associated with your Account. They are not shared with third parties and are used solely for log attribution and policy scoping.
MoltWall does not use your Tool Call payloads, Action Logs, or Policy configurations to train, fine-tune, or improve AI models operated by third parties without your explicit, opt-in consent.
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you specific rights:
You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, our business purposes for collecting it, and the categories of third parties with whom we have shared it.
You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., information necessary to complete a transaction or comply with a legal obligation).
You have the right to request correction of inaccurate personal information.
MoltWall does not sell personal information and does not share personal information for cross-context behavioral advertising. No opt-out action is required, but you may contact us to confirm.
We will not discriminate against you for exercising any of your CCPA/CPRA rights.
To submit a verifiable consumer request, contact privacy@moltwall.xyz. We will respond within 45 days, with a possible 45-day extension with notice.
We may update this Privacy Policy from time to time. Material changes — those that affect your rights or how we process your personal data — will be communicated via:
Non-material changes (e.g., clarifications, corrections) take effect upon posting. We encourage you to review this Policy periodically. Continued use of the Platform after the effective date of changes constitutes acceptance of the updated Policy.
For any privacy-related questions, requests, or complaints, please contact our privacy team:
Company: MoltWall
Website: www.moltwall.xyz
Privacy inquiries: privacy@moltwall.xyz
DPA / legal requests: legal@moltwall.xyz
Security vulnerabilities: security@moltwall.xyz
If you are located in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.
Last updated: March 19, 2026