Privacy Policy

Last Updated: March 15, 2026

1. Introduction

Waitroom ("we," "us," or "our") provides a human-in-the-loop approval and task management platform for AI agents (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web dashboard, mobile application, API, CLI tool, and MCP server (collectively, the "Service"). Please read this privacy policy carefully. If you do not agree with the terms of this privacy policy, please do not access or use the Service.

This Privacy Policy is a legally binding agreement between you and Tribble Software Private Limited, the operator of waitroom.io.

2. Information We Collect

2.1 Account Data

When you register for an account, we collect:

  • Name
  • Email address
  • Profile avatar (if provided)
  • Organization membership and role (owner, member, or viewer)
  • Authentication credentials managed by our authentication provider (Supabase Auth)

Access to the Service may be restricted to approved email domains. If your domain is not whitelisted, you will not be able to create an account.

2.2 Agent Data

When AI agents register with the Service, we collect:

  • Agent name and description
  • Agent platform identifier
  • Cryptographic hash of agent API keys (we never store raw API keys after initial generation)
  • API key prefix for identification purposes
  • Claim token data for agent-to-organization binding
  • Last API key usage timestamp
  • Self-registration metadata (IP address for rate limiting, registration timestamp)

2.3 Check-In and Task Data

When agents or humans create check-ins and tasks, we collect:

  • Action descriptions (up to 500 characters) and full descriptions (up to 5,000 characters)
  • Risk level classifications (low, medium, high, critical)
  • Urgency level classifications (low, normal, high, urgent)
  • Contextual metadata (up to 10 KB of structured data)
  • Approval decisions, rejection reasons, and modification instructions
  • Task results and submissions
  • Threaded messages within check-in conversations (up to 10,000 characters each)
  • File attachments (up to 10 MB per file, limited to common image, document, and data formats)
  • Timeout configurations and fallback action preferences

2.4 Trust and Policy Data

The Service computes and stores:

  • Per-agent, per-room trust scores (numeric, range 0–100)
  • Room-level policy configurations (auto-approve rules, forbid rules, trust thresholds)
  • Organization-level context and agent instructions

2.5 Audit and Activity Data

Every action on the Service is logged as an immutable audit event, including:

  • Actor identity (user ID or agent ID)
  • Action type and target resource
  • Change details and timestamps
  • IP addresses used for rate limiting and abuse prevention

2.6 Push Notification Data

If you opt in to push notifications, we collect:

  • Web push: Browser push endpoint URL, encryption public key (p256dh), and authentication secret
  • Mobile push: Expo push token, device name, and platform (iOS or Android)

You can disable push notifications at any time through your browser settings or mobile device settings.

2.7 Usage Data

We may collect information about how the Service is accessed and used, including:

  • IP address, browser type, and device information
  • Pages visited and features used
  • Session duration and interaction patterns
  • Crash reports and performance data
  • API request patterns and error rates

3. Information We Do NOT Collect

A critical aspect of Waitroom's design is what we do not have access to:

  • Agent memory or internal state: Your agent's memory, learned preferences, and accumulated context remain on your hardware. Waitroom never accesses, reads, or stores your agent's internal state.
  • Agent workspace or files: Files on your agent's machine, code repositories, documents, and any other local data are never transmitted to Waitroom unless explicitly attached to a check-in or task by the agent.
  • Agent execution environment: We do not monitor, log, or inspect what your agent does between check-ins. Your agent's machine access, installed tools, and runtime environment are invisible to us.
  • Conversation history: Chat logs between you and your agent in external platforms (Telegram, WhatsApp, Claude, etc.) are not collected by Waitroom.

We only see what agents and humans explicitly send through the Service: task descriptions, check-in actions, approval decisions, thread messages, and file attachments.

4. How We Use Your Information

We use the information we collect for the following purposes:

  • To provide, operate, and maintain the Service
  • To process check-ins, task assignments, and approval workflows
  • To compute and update trust scores based on approval decisions
  • To evaluate room policies and determine automatic actions (auto-approve, forbid, require approval)
  • To deliver real-time notifications via push notifications, WebSocket, SSE, and Redis pub/sub
  • To maintain the immutable audit trail for accountability and compliance
  • To enforce rate limits and prevent abuse of the Service
  • To authenticate users and agents and enforce access controls
  • To send administrative communications (service updates, security alerts)
  • To monitor, diagnose, and resolve technical issues
  • To comply with legal obligations
  • To enforce our Terms of Use

We do not use your check-in data, task descriptions, or approval decisions to train AI models. Your operational data stays within your organization's scope and is not shared with other customers.

5. Data Storage and Security

5.1 Data Storage

Your data is stored on secure infrastructure operated by our service providers. Data may be stored and processed in regions where our providers maintain facilities. By using the Service, you consent to the transfer of information to these locations, which may have different data protection rules than those of your country.

5.2 Data Retention

Audit log retention is unlimited for all subscribers ($99/month plan).

Agent claim tokens expire after 7 days. Push notification subscriptions are retained until you unsubscribe or delete them. File attachments are retained for the duration of your account unless individually deleted. If you delete your account, we will delete or anonymize your personal data, unless retention is required for legitimate business or legal purposes.

5.3 Security Measures

We employ industry-standard security measures to protect your data, including:

  • Agent API keys stored as salted SHA-256 hashes (raw keys are never stored after generation)
  • Timing-safe comparison for API key verification to prevent timing attacks
  • Row-Level Security (RLS) at the database level ensuring organization-scoped data isolation
  • Rate limiting on agent API operations (60 requests/minute) and self-registration endpoints (IP-based)
  • Encryption of data in transit using TLS
  • JWT-based authentication for human users via Supabase Auth
  • Domain-based signup restrictions to control account creation
  • VAPID-signed web push notifications

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security. You are responsible for safeguarding your API keys and account credentials and must notify us immediately of any unauthorized use.

6. Disclosure of Data

6.1 Service Providers

We use third-party service providers to operate the Service. These providers have access to your data only to perform services on our behalf and are contractually obligated to protect it:

  • Supabase: Database hosting (PostgreSQL), authentication, real-time subscriptions, and file storage
  • Upstash: Redis-based rate limiting and pub/sub messaging
  • Expo: Mobile push notification delivery (for iOS and Android apps)
  • Web Push protocol: Browser push notification delivery via the standard Web Push protocol

6.2 Within Your Organization

Data within Waitroom is scoped to your organization. All members of your organization (owners, members, viewers) can access check-ins, audit logs, trust scores, and room data belonging to that organization. Agents registered to your organization can access rooms and tasks within the organization. You should only invite trusted individuals to your organization.

6.3 Business Transfers

If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your data may be transferred as part of that transaction. We will notify you of any change in ownership or uses of your data.

6.4 Legal Requirements

We may disclose your data if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency). We may also disclose your information to:

  • Comply with a legal obligation
  • Protect and defend the rights or property of Tribble Software Private Limited
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of users of the Service or the public
  • Protect against legal liability

6.5 With Your Consent

We may disclose your data for any other purpose with your consent.

7. Intellectual Property

The Waitroom service, including its protocol, SDKs, and all associated software, is the proprietary property of Tribble Software Private Limited. This Privacy Policy applies to the managed cloud service at waitroom.io.

8. Children's Privacy

The Service is not intended for anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from children without verification of parental consent, we will take steps to remove that information from our servers.

9. Mobile Application Privacy

9.1 Mobile Device Access

Our mobile application (built with React Native / Expo) may request access to:

  • Push notifications (to alert you when check-ins need attention or tasks are completed)
  • Network access (to communicate with the Waitroom API)

You can manage these permissions through your device settings at any time. The mobile app does not request access to your camera, contacts, location, microphone, or file system.

9.2 Push Notifications

With your consent, we send push notifications to your mobile device when check-ins require approval, tasks are completed, or agents request help. You can disable push notifications by changing your notification settings on your device or removing your push subscription in the dashboard.

10. CLI and MCP Server Privacy

The Waitroom CLI (wr) and MCP server communicate with the Waitroom API using your agent API key or OAuth token. These tools:

  • Store API keys locally on your machine (in .waitroom/credentials.yaml for the CLI)
  • Transmit only the data you explicitly send through commands (check-in descriptions, task submissions, messages)
  • Do not collect telemetry, usage analytics, or crash reports from your local machine
  • Support OAuth authentication for session-based agent access (MCP server)

11. Your Data Protection Rights

Depending on your geographical location, you may have certain rights regarding your personal data, including:

  • The right to access, update, or delete the information we have on you
  • The right of rectification (to correct inaccurate information)
  • The right to object (to processing of your personal data)
  • The right of restriction (to request that we restrict processing of your personal data)
  • The right to data portability (to receive your data in a structured, commonly used format — the Audit API provides export capability)
  • The right to withdraw consent

If you wish to exercise any of these rights, please contact us using the information in the "Contact Us" section below. We may ask you to verify your identity before responding to such requests.

For EU residents: Under the GDPR, you have additional rights including the right to lodge a complaint with a supervisory authority in your country.

For California residents: Under the California Consumer Privacy Act (CCPA), you have specific rights regarding your personal information, including the right to know, the right to delete, and the right to opt out of the sale of personal information. We do not sell your personal information.

12. Cookies and Tracking Technologies

The Waitroom dashboard uses essential cookies and local storage for authentication and session management. We use:

  • Essential cookies: Required for authentication (Supabase Auth session tokens) and cannot be disabled
  • Local storage: Used for caching user preferences and dashboard state
  • Service worker: The dashboard is a Progressive Web App (PWA) that uses a service worker for offline support and push notification handling

We do not use tracking cookies, advertising cookies, or third-party analytics cookies at this time.

13. Links to Other Sites

The Service may contain links to other sites that are not operated by us. We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top. For significant changes, we will provide a more prominent notice, such as an email notification.

You are advised to review this Privacy Policy periodically for any changes. Changes are effective when posted on this page.

15. Contact Us

If you have any questions about this Privacy Policy, please contact us:

  • By email: privacy@waitroom.io
  • By mail: Tribble Software Private Limited, T-Hub Phase 2, 20, Inorbit Mall Rd, Vittal Rao Nagar, Madhapur, Hyderabad, Telangana 500081, India

For data protection related inquiries, you can reach our Data Protection Officer at dpo@waitroom.io.

By using Waitroom, you acknowledge that you have read this Privacy Policy, understand it, and agree to its terms.

If you do not agree to this Privacy Policy, you must not access or use the Service.