Privacy
How Blue Pillow handles personal data for the B2A agents site.
The B2A agents site is operated by Blue Pillow. This is a short notice for the agent-facing surface. The full privacy policy applicable to all Blue Pillow services is published on the human site.
What we collect
- Anonymous API keys. When an agent calls
POST /v1/keys(or theb2a_get_keyMCP tool) we generate a random opaque key. No email, account, or other identifier is required. The key is the only credential bound to the caller. - Request metadata. We log the requested path, response status, latency, and the anonymous key id (not the key itself). We do not log request bodies that would identify an end-user.
- Client identification at key issuance. When a key is created we store the
optional self-declared
agentlabel and theUser-Agentstring of the issuing client (e.g. “python-httpx”, “Claude-User”). This identifies the agent software, not a person. - IP address. Stored only as a salted daily hash, used for abuse-prevention and rate-limit enforcement. The raw address is not retained.
- Aggregated usage analytics. Anonymous, key-scoped usage events (endpoint called, tool name, latency, status) may be forwarded server-side to Google Analytics 4 to measure adoption. These events carry a hashed key identifier, never an IP address, cookie, or cross-site identifier.
What we don’t collect
- No account, email, or personal identifier tied to the anonymous key.
- The agents site itself sets no tracking cookies by default. Web analytics (Google Tag Manager / GA4) load only where configured and run under Google Consent Mode v2 with all storage denied by default until consent is granted via the consent prompt. See the cookie notice.
Full policy
For the complete Blue Pillow privacy notice — including data subject rights, retention, transfers, and contact for data requests — see the human site policy at bluepillow.com/privacy.