Privacy Policy

Effective date: 2 June 2026

1. Who we are

A2M (AI App Marketplace) is operated by Stephen Phillips ("we", "us", "our"). The service is accessible at a2m.one and via the a2m-submit CLI tool.

2. What data we collect

Account data

When you authenticate via GitHub or Google OAuth, we receive and store your email address to associate with your API key. We do not store your OAuth access token after authentication is complete.

Listing data

When you submit a project manifest, we store the manifest content including project name, description, repository URL, and any metadata you provide. This is the core purpose of the service.

Technical logs

Our hosting infrastructure may retain standard server logs (IP address, request path, timestamp, HTTP status code) for up to 30 days for security and operational purposes.

Cookies & local storage

We use a single localStorage entry (a2m_cookie_consent) to remember your cookie preferences. The CLI tool stores your API key locally in ~/.a2m/config.json on your own machine. We do not set advertising or tracking cookies.

3. How we use your data

  • To authenticate you and associate submissions with your account
  • To display your project listings in the public marketplace catalog
  • To run automated trust scoring (link checks, secrets scanning) on submitted manifests
  • To respond to support requests if you contact us
  • To detect and prevent abuse of the service

We do not sell your data, use it for advertising, share it with third parties for their own marketing, or use it to train AI models.

4. Legal basis (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, our legal bases for processing are:

  • Contract performance — processing your email and listing data is necessary to provide the service you signed up for.
  • Legitimate interests — server logs and security monitoring are necessary to operate the service safely.
  • Consent — for any non-essential cookies or analytics, where we obtain explicit consent via the cookie banner.

5. Data retention

  • Account and listing data is retained until you delete your listings or request account deletion.
  • Server logs are retained for up to 30 days.
  • If you delete all your listings and request account deletion, we will remove your email and API key within 30 days.

6. Third-party services

  • GitHub / Google OAuth — used for authentication only. Their privacy policies apply to the authentication step.
  • Hosting infrastructure — our servers are hosted on infrastructure that may process data in accordance with their own data processing agreements.

7. Your rights

Under GDPR and UK GDPR you have the right to:

  • Access — request a copy of the data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — ask us to delete your personal data
  • Restriction — ask us to limit how we use your data
  • Portability — receive your data in a machine-readable format
  • Object — object to processing based on legitimate interests
  • Withdraw consent — withdraw cookie consent at any time by clearing localStorage

To exercise any of these rights, email us at privacy@a2m.one. We will respond within 30 days.

8. Security

API keys are stored as bcrypt hashes — we cannot recover your raw key. All data in transit is encrypted via TLS. We follow security best practices and conduct periodic audits of our codebase.

9. Changes to this policy

We may update this policy from time to time. We will update the effective date at the top and, for material changes, notify registered users by email.

10. Contact

Questions or requests: privacy@a2m.one