Privacy Policy

Effective date: 2026-05-08

1. Who we are

Sunrays.dev operates an agent-callable booking API for local services. We act as a booking intermediary between AI agents (and the humans who use them) and local service providers (tradespeople).

2. What we collect

We collect the minimum data needed to execute and confirm bookings:

  • caller_id — your email address or OAuth identity, used as a Stripe customer key.
  • agent_id — DID or identifier of the AI agent acting on your behalf (e.g. did:web:claude.ai). Logged for trust and debugging.
  • Booking details — service category, zip code, requested datetime, issue description. Used to dispatch a tradesperson and generate a receipt.
  • Spending cap — the maximum charge you authorized (JWS assertion). Verified and discarded after booking; not stored in plaintext.
  • Payment method — stored securely by Stripe as a SetupIntent. Sunrays stores only the Stripe PaymentMethod ID and Customer ID reference, not card numbers.
  • Setup-card page analytics — time on page, completion vs abandonment, agent attribution. Used to improve the card-setup flow and as aggregate (anonymized) data for partner outreach. No individual-level sharing.
  • Web server logs — standard HTTP access logs (IP, user agent, path, response code). Retained 30 days.

3. How we use it

  • Execute and confirm your booking (dispatch a tradesperson, send a receipt).
  • Process payment via Stripe Connect (auth on booking, capture on dispatch confirmation, refund if needed).
  • Contact you about your booking (dispatch confirmation, refund notices). No marketing emails.
  • Improve the product using aggregate, anonymized telemetry (tool-selection patterns, abandonment rates, geographic demand).
  • Meet legal and insurance obligations.

4. Who we share it with

  • Stripe — payment processing (Stripe's Privacy Policy).
  • Assigned tradesperson — your first name (or initials), zip, service type, and issue summary. Not your email or full name.
  • Law enforcement / legal process — if required by applicable law.

We do not sell personal data. We do not share individual-level booking data with ecosystem partners (Anthropic, OpenAI, Stripe BD, Google) — only aggregate, anonymized conversion metrics.

5. Data retention

  • Booking records: retained for 7 years (tax and insurance compliance).
  • Stripe payment methods: retained until you request deletion or we are required to delete.
  • Out-of-region and out-of-tool waitlist entries: retained indefinitely as an aggregate demand signal; anonymized after 12 months.
  • Web server logs: 30 days.

6. Your rights

Email help@sunrays.dev to:

  • Access the data we hold about you.
  • Delete your account and booking history (subject to legal retention requirements).
  • Request deletion of your Stripe payment method.
  • Correct inaccurate data.

7. Security

All data in transit uses TLS 1.2+. Booking data at rest uses Postgres with Railway's encryption-at-rest. Stripe handles all card data — we never see raw card numbers. Spending cap JWS assertions are verified and not stored in plaintext. We have a $1M liability insurance policy in place.

8. Cookies

We do not use tracking cookies. The /setup-card page sets a session cookie only to complete the Stripe Checkout flow; it expires when you close the browser tab.

9. Changes to this policy

Material changes will be announced by updating the effective date above. The authoritative version is always at https://sunrays.dev/privacy.

10. Contact

Sunrays.dev — help@sunrays.dev