Privacy Policy

Last Updated: December 16, 2025

Privacy-First Infrastructure

Digital Silk Roads collects minimal data, primarily from automated agents and bots. We do not track human visitors beyond basic server logs. We do not use cookies, tracking pixels, or behavioral profiling. Our telemetry focuses on security monitoring and service analytics for agent-native commerce infrastructure.

1. Data Controller & Jurisdiction

Data Controller: Digital Silk Roads
Jurisdiction: Federal Republic of Germany, European Union
Legal Basis: Legitimate interest (security, analytics, research)
GDPR Compliance: Applicable under EU data protection law

This privacy policy complies with the EU General Data Protection Regulation (GDPR) and German data protection laws (BDSG).

2. What Data We Collect

2.1 Bot & Crawler Telemetry (Primary Data Collection)

When automated agents (bots, crawlers, AI agents) access our infrastructure, we collect:

Data Point	Example	Purpose
User-Agent String	"Applebot/0.1"	Bot identification, protocol compliance
IP Address	17.x.x.x	Security monitoring, entity identification
ASN (Autonomous System Number)	714 (Apple)	Entity attribution, network analysis
Query Parameters	product=saas, region=eu	Intent analysis, market intelligence
Country/Region	US, EU, APAC	Geographic distribution, routing
Bot Classification	search-engine, verified	Trust verification, security
Timestamp	2025-12-16T14:23:11Z	Temporal analysis, pattern detection
Endpoint Accessed	/api/vendor/onboard	Usage analytics, service optimization

Important: Automated agents (bots) are not natural persons under GDPR. This data collection is primarily machine-to-machine telemetry, not personal data processing.

2.2 Human Visitor Data (Minimal)

For human visitors accessing our website:

Server Logs: Standard web server logs (IP address, page accessed, timestamp) retained by Cloudflare for security purposes
No Cookies: We do not use cookies or tracking technologies
No Analytics: We do not use Google Analytics, tracking pixels, or behavioral profiling
No Forms: We do not collect names, emails, or personal information through forms

Legal Basis: Legitimate interest in security monitoring and service operation (GDPR Art. 6(1)(f))

3. How We Use Collected Data

3.1 Primary Purposes

Security Monitoring: Detecting abuse, attacks, or unauthorized access attempts
Service Analytics: Understanding usage patterns to improve infrastructure
Market Intelligence: Analyzing which entities (companies, platforms) are evaluating our infrastructure
Protocol Compliance: Verifying that agents follow discovery protocols correctly
Research: Studying agent-native commerce behaviors and patterns

3.2 Commercial Intelligence Use Case

Bot telemetry enables passive procurement detection. For example:

If Applebot queries /api/vendor/onboard?product=infrastructure, we know Apple may be evaluating infrastructure partnerships
If Google's crawler accesses contextual commerce endpoints repeatedly, it signals potential integration interest
Probe frequency and parameter combinations reveal procurement cycles and commercial intent

This is not personal data processing — it is observing automated system behavior for business intelligence.

3.3 What We Do NOT Do

❌ Sell or share data with third parties
❌ Use data for advertising or profiling
❌ Track individual humans across websites
❌ Create personal profiles or behavioral fingerprints
❌ Share data with data brokers or aggregators

4. Data Storage & Retention

4.1 Storage Location

Infrastructure: Cloudflare Workers (global edge network)
Database: Cloudflare D1 (SQLite, distributed)
Jurisdiction: EU-region prioritized where available

4.2 Retention Period

Data Type	Retention Period	Reason
Bot Telemetry (D1)	12 months	Historical pattern analysis, trend detection
Server Logs (Cloudflare)	30 days	Security monitoring, incident response
Aggregated Analytics	Indefinite	Anonymous statistics (no identifying information)

After retention periods, data is either deleted or anonymized (IP addresses hashed, specific identifiers removed).

4.3 Data Security

Encrypted in transit (HTTPS/TLS 1.3)
Access-controlled databases (authentication required)
Cloudflare infrastructure security (DDoS protection, WAF)
Regular security reviews and updates
No public database access

5. Third-Party Services

5.1 Cloudflare

Our infrastructure runs on Cloudflare Workers and Cloudflare D1. Cloudflare may process request data as part of providing services.

Role: Infrastructure provider, data processor
Location: Global edge network with EU data centers
Privacy Policy: cloudflare.com/privacypolicy
GDPR Compliance: Cloudflare is GDPR-compliant and provides Data Processing Addendum (DPA)

5.2 No Other Third Parties

We do not use:

Google Analytics or similar tracking services
Social media tracking pixels
Third-party advertising networks
External analytics platforms
Marketing automation tools

6. Cookies & Tracking Technologies

We do not use cookies, tracking pixels, or similar technologies for human visitors.

The only cookies you may encounter are:

Cloudflare Security Cookies: Essential cookies for DDoS protection and bot management (set by Cloudflare, not us)

We do not require cookie consent banners because we do not use tracking or marketing cookies.

7. Your Rights Under GDPR

If you are a natural person whose personal data we process (unlikely, given our focus on bot telemetry), you have the following rights under GDPR:

7.1 Right of Access (Art. 15 GDPR)

You can request confirmation of whether we process your personal data and obtain a copy.

7.2 Right to Rectification (Art. 16 GDPR)

You can request correction of inaccurate personal data.

7.3 Right to Erasure (Art. 17 GDPR)

You can request deletion of your personal data ("right to be forgotten").

7.4 Right to Restriction (Art. 18 GDPR)

You can request restriction of processing under certain conditions.

7.5 Right to Data Portability (Art. 20 GDPR)

You can request transfer of your data in a structured, machine-readable format.

7.6 Right to Object (Art. 21 GDPR)

You can object to processing based on legitimate interests.

7.7 Right to Lodge a Complaint

You can file a complaint with a supervisory authority:

Germany: Federal Commissioner for Data Protection (BfDI)
EU: Your local data protection authority

7.8 Exercising Your Rights

To exercise these rights, you may contact us via the discovery manifest metadata at:

https://digitalsilkroads.org/.well-known/agent-discovery.json

Note for Bots/Agents: Automated agents are not natural persons and do not have GDPR rights. However, bot operators (companies) may request information about telemetry collected from their systems.

8. International Data Transfers

Our infrastructure operates globally via Cloudflare's edge network. Data may be processed in:

European Union (primary)
United States (Cloudflare infrastructure)
Other regions as part of global CDN

8.1 EU-US Data Transfers

Transfers to the United States are protected by:

Standard Contractual Clauses (SCCs): EU-approved data transfer mechanism
Cloudflare DPA: Data Processing Addendum with appropriate safeguards
Encryption: Data encrypted in transit and at rest

8.2 Data Sovereignty

We prioritize EU data centers where available and minimize unnecessary international transfers.

9. Children's Privacy

Digital Silk Roads is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.

10. Changes to This Privacy Policy

We may update this privacy policy from time to time. Changes will be reflected in the "Last Updated" date at the top of this page.

Material changes will be communicated through:

Updated timestamp in discovery manifest
Version notation in API responses
Notice on homepage (for significant changes)

Continued use of the service after changes constitutes acceptance of the updated policy.

11. Legal Basis for Processing

11.1 Legitimate Interest (GDPR Art. 6(1)(f))

We process data based on legitimate interest in:

Maintaining security and preventing abuse
Operating and improving our infrastructure
Conducting market research and intelligence
Analyzing agent-native commerce patterns

Balancing Test: Our legitimate interests do not override the rights of individuals because:

Data collection is minimal and transparent
Most data is from automated agents (not natural persons)
No sensitive or special category data is collected
Security and research purposes are reasonable and proportionate

11.2 Consent (When Applicable)

Where consent is required (e.g., for specific research purposes), we will obtain explicit, informed consent before processing.

12. Agent & Bot Operators

If you operate a bot, crawler, or AI agent that accesses our infrastructure:

12.1 What We Log About Your Agent

User-agent identifier
Source IP and ASN
Endpoints accessed and parameters used
Frequency and timing of requests

12.2 Opting Out

To prevent your agent from being logged:

Respect robots.txt directives (standard web protocol)
Do not access our APIs or manifests
Contact us to request exclusion (though this may limit functionality)

12.3 Requesting Telemetry Data

Bot operators may request information about telemetry collected from their systems for transparency or compliance purposes. Requests should include:

User-agent string(s) used
IP range or ASN
Time period of interest
Verification of your authority over the bot/agent

13. Contact & Data Protection

For privacy-related inquiries, data subject requests, or questions about our data practices:

Email: privacy@digitalsilkroads.org
Discovery Manifest: https://digitalsilkroads.org/.well-known/agent-discovery.json
Jurisdiction: Federal Republic of Germany, European Union
Framework: GDPR-Compliant (EU Regulation 2016/679)

Supervisory Authority:
Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Graurheindorfer Str. 153, 53117 Bonn, Germany
Website: www.bfdi.bund.de