covenant

Privacy

Last updated · 2026-05-29

  1. 01

    Scope

    This policy covers opencovenant.org (this site), docs.opencovenant.org (the documentation), and sandbox.opencovenant.org (the public sandbox). The marketing and docs sites are static informational pages. The sandbox runs anonymous coding tasks inside ephemeral, single-use microVMs that are torn down when the run finishes. None of these sites ask you to sign up.

  2. 02

    What we collect

    Contact form (opencovenant.org). Your name, email address, and the message you write. We receive them in our inbox so we can reply.

    Sandbox (sandbox.opencovenant.org).

    • The text of the build request you submit (the “intent”).
    • Output of the run — files the agent wrote in the sandbox, terminal output, and the response — long enough to render it back in your browser.
    • Your IP address (or the right-most value of X-Forwarded-Forfrom a proxy we trust), held in memory to enforce a per-IP rate limit so a single client can't drain the daily budget. It is not written to disk.
    • Entries in the append-only audit chain the daemon writes for each run — agent name, tool invocations, run durations, the paths and byte counts of files the sandbox wrote. The intent text is included.

    Bot detection. The sandbox uses Cloudflare Turnstile in interaction-only mode to refuse automated traffic. Cloudflare receives the device and network signals it needs to score the request. We reference Cloudflare's Turnstile Privacy Addendum (published as part of Cloudflare's privacy policy at cloudflare.com/privacypolicy) for the specific signals Turnstile processes and how Cloudflare uses them. Loading the widget sets short-lived cookies on Cloudflare's challenge subdomain.

    Cookies, analytics, tracking. None on opencovenant.org or docs.opencovenant.org. None on sandbox.opencovenant.org other than the Cloudflare cookies described above.

  3. 03

    How we use it

    • Reply to your contact message.
    • Run your sandbox task and stream the result back to your browser.
    • Refuse bot traffic and rate-limit clients that try to exhaust the daily budget.
    • Keep a tamper-evident record of what each run did — the audit chain is one of Covenant's core security guarantees.
    • We don't sell what we collect. We don't share it with advertising networks. There are no advertising networks on these sites.
  4. 04

    Third parties

    • Cloudflare — bot detection on the sandbox via Turnstile, in interaction-only mode. See cloudflare.com/privacypolicy and the Turnstile Privacy Addendum referenced there.
    • Resend — delivers the contact form emails to our inbox. See resend.com/legal/privacy-policy.
    • Anthropic — runs the underlying coding model that powers sandbox runs. Your intent text and any context the model needs to do its job are sent to Anthropic. See anthropic.com/legal/privacy.
    • E2B — provisions the ephemeral microVM your sandbox run executes in. See e2b.dev/privacy.
  5. 05

    Retention

    • Contact emails. Until we delete them from our inbox. No automated deletion schedule.
    • Sandbox run output and audit chain.Kept as long as the daemon's store keeps it. The chain is designed for tamper-evident retention, not aggressive deletion.
    • Rate-limit state. In memory only. Cleared when the gateway restarts.
  6. 06

    Your choices

    • The sandbox needs no account. If you don't want a request recorded, don't submit it.
    • To ask us to delete a contact message or a specific sandbox run, write us via contact.
    • Blocking Cloudflare cookies will block the Turnstile check, which will prevent sandbox submissions.
  7. 07

    Security disclosures

    Report a security issue via contact. We aim to acknowledge within a few business days.

  8. 08

    Changes

    When we change this policy, the “last updated” date at the top moves and the change is committed to the public repository at github.com/open-covenant/covenant.

  9. 09

    Contact

    Questions about this policy: opencovenant.org/contact.