Privacy Policy

Last updated: March 18, 2026

This Privacy Policy describes how Wrapd ("we", "us", "our") collects, uses, and protects your information when you use the Wrapd platform, including the website at wrapd.sh, the API, the agent software, and all related services (the "Service").

By using the Service, you consent to the practices described in this policy.

1. Information We Collect

Account Information

When you create an account, we collect your email address. If you subscribe to a paid plan, Stripe (our payment processor) collects your payment information directly — we do not store credit card numbers or bank details.

Endpoint and Pipeline Configuration

We store the endpoint definitions you create, including slug names, command strings, descriptions, arguments, schedule expressions, webhook configurations, and pipeline graph definitions. This data is necessary to operate the Service.

Execution Metadata

For each endpoint execution, we log: endpoint slug, exit code, HTTP status code, duration, bytes streamed, source (API, webhook, pipeline, Slack, scheduled), timestamp, and the API key used (hashed). We do not store command output (stdout/stderr) beyond real-time streaming.

Agent Information

When an agent connects, we receive: agent version, operating system, hostname, shell type, Docker detection status, and a list of available system commands. This information is used to display agent status in the dashboard and to provide context for AI-assisted endpoint generation.

Managed Secrets

Secrets you store through the Service are end-to-end encrypted in your browser using the target agent's public key. We store only the encrypted ciphertext and cannot access the plaintext values. Secrets are decrypted only by the agent process and are transmitted over encrypted WebSocket connections.

Analytics and Usage Data

We use PostHog for product analytics. PostHog collects anonymized usage events (page views, feature usage, error events) and session data. For authenticated users (account holders), analytics are collected as part of the Service as described in our Terms of Service. Visitors who have not signed in may opt out of analytics by declining cookie consent. PostHog data is hosted in the United States.

Server Logs

Our servers automatically log IP addresses, request paths, HTTP methods, status codes, and response times. These logs are used for security monitoring, debugging, and abuse prevention, and are retained for 30 days.

2. How We Use Your Information

  • Service operation: Authenticating your account, routing commands to your agent, enforcing quotas and rate limits, processing billing.
  • Communication: Sending magic link login emails, transactional notifications (quota warnings, billing alerts), and team invitations. We do not send marketing emails unless you explicitly opt in.
  • Security: Detecting abuse, preventing unauthorized access, investigating incidents, and enforcing our Terms of Service.
  • Improvement: Analyzing aggregate usage patterns to improve features, performance, and reliability. We do not use your endpoint configurations or command content for this purpose.
  • AI features: When you use AI endpoint or pipeline generation, your prompt and conversation history are sent to Anthropic's API for processing. We do not use your prompts to train models. See Anthropic's privacy policy for their data handling practices.

3. Third-Party Services

We share data with the following third parties only as necessary to provide the Service:

  • Stripe — Payment processing. Stripe receives your payment details directly through their SDK. Stripe Privacy Policy.
  • Resend — Transactional email delivery (magic links, notifications). Resend receives your email address and message content. Resend Privacy Policy.
  • PostHog — Product analytics (if consent is granted). PostHog Privacy Policy.
  • Anthropic — AI generation features. Your prompts are processed by Anthropic's Claude models. Anthropic Privacy Policy.
  • Slack — If you connect a Slack workspace, we store an encrypted OAuth access token and exchange messages with Slack's API to execute slash commands.
  • SAML Identity Providers — If your team configures SSO, we exchange authentication assertions with your configured identity provider.

We do not sell, rent, or share your personal information with third parties for their marketing purposes.

4. Data Retention

  • Account data (email, username, settings) — retained until you delete your account.
  • Endpoint configurations — retained until you delete them or your account.
  • Execution logs — retained for 30 days, then automatically purged.
  • Audit logs (Team plan) — retained for 90 days.
  • Pipeline run history — retained for 30 days.
  • Health check events — pruned to the most recent 1,000 events per endpoint.
  • Server logs — retained for 30 days.
  • Managed secrets — deleted immediately when you remove them or upon account termination.

After account deletion, all personal data is permanently removed within 30 days. Anonymized, aggregate data (e.g., total execution counts) may be retained indefinitely.

5. Data Security

We implement the following security measures to protect your data:

  • All data in transit is encrypted using TLS 1.2+.
  • Agent connections use authenticated WebSocket connections over TLS.
  • Managed secrets are end-to-end encrypted in the browser — only the target agent can decrypt them.
  • Slack OAuth tokens are encrypted at rest with AES-256-GCM.
  • API keys and agent tokens are stored as SHA-256 hashes — plaintext tokens are shown once at creation and never stored.
  • Cloud Runner containers are isolated with no network egress, read-only filesystems, process limits, and cgroup restrictions.
  • Database access is restricted to application services within our private network.

Despite these measures, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to security@wrapd.sh.

6. Cookies

We use the following cookies:

  • Session cookie (token) — HttpOnly, SameSite=Lax JWT token for authentication. Essential for the Service to function. Expires after 7 days.
  • Analytics cookies — PostHog analytics cookies, set only if you consent via the cookie banner. You can withdraw consent at any time by clearing cookies or using your browser settings.

We do not use advertising cookies or tracking pixels.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate personal data.
  • Deletion: Request deletion of your account and associated data.
  • Portability: Request an export of your endpoint configurations and pipeline definitions in machine-readable format (YAML/JSON).
  • Objection: Object to processing of your data for specific purposes.
  • Withdrawal of consent: Withdraw consent for analytics at any time.

To exercise any of these rights, contact us at privacy@wrapd.sh. We will respond within 30 days.

8. International Data Transfers

Our servers are located in the United States. If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will delete that data promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.

11. Contact

For questions about this Privacy Policy or to exercise your data rights, contact us at privacy@wrapd.sh.