Privacy policy
astrasync.shop is operated by AstraSync AI Pty Ltd (ABN 15 690 186 291) — the same legal entity that operates astrasync.ai. We comply with the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth).
This policy describes how astrasync.shop specifically handles personal information. The parent privacy policy at astrasync.ai/privacy covers the same legal entity and applies in full — read it for the comprehensive framework (rights, complaints, overseas disclosure, automated decisions, etc.). This page documents the data flows specific to operating astrasync.shop as a demonstration merchant.
1. What we collect
When you (a human or an agent acting on your behalf) interact with astrasync.shop, we may collect:
- Identifiers from agents — `X-Astra-Id` headers, purpose declarations, and PDLSS metadata passed by AstraSync-registered agents. Used to gate access tiers and audit transactions.
- Purchase information — the buyer's email address (provided in the checkout request), purchased SKUs, payment confirmation references, transaction timestamps. Email is required for digital fulfilment.
- Payment data — handled by Stripe; astrasync.shop never stores card numbers or full payment instruments. We retain Stripe transaction IDs to link orders to settlement records.
- Request metadata — IP address, user-agent string, request timestamps. Used for security forensics, rate-limit decisions, and audit-log correlation.
- Server logs — structured logs of API requests, errors, and verification decisions. Retained on Railway infrastructure for ~30 days for operational purposes.
2. How we use it
- To process and fulfil your purchase (deliver the digital download link by email).
- To gate catalog tiers (anonymous vs verified) based on the agent identity verified by AstraSync.
- To detect and prevent fraud, abuse, and runaway transactions.
- To audit and improve the demonstration platform — including the agentic-commerce protocols and the AstraSync verification gateway itself.
- To respond to support requests and refund inquiries.
3. Who we share it with
- Stripe — payment processing. Your card data goes directly to Stripe; we never see it. Stripe's privacy policy governs their handling.
- AstraSync verification gateway — `/api/agents/verify-access` requests. Agent identifiers, purpose, action, resource paths, and counterparty references flow to the gateway for verification decisions. AstraSync's parent privacy policy applies.
- Resend — email delivery (download links, receipts, support replies). Resend's privacy policy applies.
- Railway — infrastructure hosting. Server logs and operational metadata are stored on Railway's platform.
- No advertising / no analytics resale — we do not share personal information with advertising networks, do not sell data, and run no third-party analytics on astrasync.shop.
4. Overseas disclosure
Stripe, Resend, Railway, and AstraSync's verification API may store and process data outside Australia (typically in the United States and the European Union, depending on the provider's regional infrastructure). Each provider operates under its own data-protection commitments; we contract with them on standard terms that include appropriate safeguards.
5. Cookies + anonymity
astrasync.shop does not set tracking cookies. Browser sessions are stateless — we don't retain a session cookie or any client-side identifier beyond what your browser/agent sends with each request. You can interact with the catalogue anonymously; only purchases require an email address for fulfilment.
6. Your rights
You have the right to access, correct, and request deletion of personal information we hold about you under the Australian Privacy Principles. To exercise any of these rights, or to raise a privacy concern, contact us at hello@astrasync.shop. We will respond within a reasonable timeframe — typically within 30 days. For complaints we cannot resolve, you may also contact the Office of the Australian Information Commissioner (OAIC).
7. Security
We use HTTPS for all transport, never store payment card data, hash and salt any sensitive material that must be persisted, and follow security best practices for the server-side infrastructure. AstraSync's verification gateway itself enforces identity and trust gates on incoming agent traffic. We do not — and cannot — guarantee absolute security, but we treat security incidents seriously and disclose breaches per APP 11.
8. Automated decisions
AstraSync's verification gateway makes automated decisions about whether agent requests are granted, denied, or require step-up authorisation. These decisions are based on the agent's declared PDLSS scope, trust score, runtime challenge results, and the endpoint policy — not on any opaque profiling of the human behind the agent. If an automated decision affects you (a denied purchase, for instance) and you'd like a human review, contact us and we'll look at it.
9. Changes to this policy
We may update this policy as the demonstration evolves. Material changes will be flagged at the top of the page with an effective date. If you've made a purchase recently, the policy in effect at the time of purchase governs that transaction.
10. Contact
Privacy questions, complaints, or data requests: hello@astrasync.shop.
Operated by AstraSync AI Pty Ltd (ABN 15 690 186 291), Australia. See also: astrasync.ai/privacy for the parent entity's full policy.