Privacy Policy

Effective: March 12, 2026

1. Introduction

watch.ly ("we," "us," or "our") provides an access control service for AI agents, allowing you to approve or deny network requests made by AI systems operating on your behalf. This Privacy Policy explains how we collect, use, and protect your information when you use our service.

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, and phone number (if you enable SMS notifications).

SMS & Phone Data

If you opt in to SMS notifications, we additionally collect and store:

  • Your phone number
  • SMS consent records (IP address, user agent, timestamp, and the consent text you agreed to)
  • Phone verification codes (temporary, auto-expire after 10 minutes)
  • Your opt-in/opt-out status and the method used (e.g. STOP keyword, dashboard toggle)

Network Traffic

By default, watch.ly does not store your network traffic. The agent filters requests locally and only communicates approval/denial decisions. If you explicitly enable logging on the agent, we may collect:

  • Network access requests (URLs, domains, ports)
  • Your approval or denial decisions
  • Timestamps and agent identifiers

Access Control Policies

We record the policies you configure, including allow/deny rules, so they can be synced to your agents.

Device & Usage Information

We collect standard technical information such as browser type, IP address, and device identifiers to maintain security and improve our service.

3. How We Use Your Information

  • Service delivery — processing access control requests and enforcing your configured policies
  • Notifications — sending approval requests and alerts via SMS, push notifications, email, or Slack based on your preferences
  • Audit logs — maintaining a tamper-evident record of all access control decisions for your review
  • Service improvement — analyzing aggregated, anonymized usage patterns to improve performance and reliability
  • Security — detecting and preventing unauthorized access or abuse

4. SMS Messaging Program

watch.ly sends automated SMS messages for agent access request alerts. Message frequency varies based on agent activity. Message and data rates may apply.

Opting Out

You can stop receiving SMS messages at any time by:

  • Replying STOP (or STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT) to any watch.ly message
  • Disabling SMS notifications in your web dashboard settings

Getting Help

Reply HELP to any watch.ly message, visit watch.ly/support, or email .

Phone Number Changes

If you change your phone number, re-verification is required before SMS notifications can be sent to the new number.

5. Data Retention

Access control logging is opt-in. If you choose to enable it:

  • Access control decision logs are retained for 30 days on the Personal plan
  • Enterprise plans have custom log retention periods
  • The Free / Local plan stores logs locally on your machine only — nothing is sent to our servers

SMS-related data:

  • Phone verification codes auto-expire after 10 minutes and are deleted from our systems within 24 hours
  • SMS consent records are retained for the life of your account plus 5 years, as required for compliance
  • Opt-in/opt-out audit logs are retained for the life of your account plus 5 years

For all plans:

  • Account information is retained for as long as your account is active
  • After account deletion, we remove your personal data within 30 days, except where retention is required by law

6. Sharing & Disclosure

We do not sell your personal information. We may share data in the following limited circumstances:

  • Twilio — your phone number is shared with Twilio, our SMS delivery provider, to send you agent access request alerts
  • Other service providers — cloud hosting and infrastructure partners who process data on our behalf under strict confidentiality agreements
  • Legal obligations — when required by law, regulation, or valid legal process
  • Safety — to protect the rights, safety, or property of watch.ly, our users, or the public
  • Business transfers — in connection with a merger, acquisition, or sale of assets, with notice to affected users

7. Security

We implement industry-standard security measures to protect your data, including:

  • Encryption in transit (TLS) and at rest
  • Role-based access controls for internal systems
  • Regular security audits and vulnerability assessments
  • Isolated processing environments for agent access control decisions

8. Your Rights

You have the right to:

  • Access your personal data and activity logs
  • Export your data in a machine-readable format
  • Delete your account and associated data
  • Correct inaccurate personal information
  • Opt out of non-essential communications

To exercise these rights, contact us at .

9. Cookies

We use minimal, functional cookies necessary for authentication and session management. We do not use tracking cookies or third-party advertising cookies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a notice on our service at least 30 days before the changes take effect.

11. Contact

If you have questions about this Privacy Policy or our data practices, contact us at: