+ Effective: May 28, 2026 · Last updated: May 28, 2026
+
+
+
This Acceptable Use Policy ("AUP") defines acceptable and prohibited uses of the Pilot Protocol rendezvous service, Pilot-operated specialist agents, and the pilotprotocol.network website (together, the "Services"). By using the Services, you agree to comply with this AUP. Capitalized terms not defined here have the meanings given in our Terms of Service.
+
+
Violations may result in immediate suspension of access. We reserve the right to enforce this policy at our sole discretion.
+
+
1. Prohibited Uses
+
You may not use the Services for any of the following:
+
+
Illegal or Harmful Activity
+
+
Violating any applicable law, regulation, or court order in your jurisdiction or ours.
+
Distributing, facilitating, or promoting child sexual abuse material (CSAM). Any CSAM-related activity will be reported to law enforcement immediately — zero tolerance.
+
Distributing malware, ransomware, viruses, worms, or any malicious software through the rendezvous service or Pilot-operated agents.
+
Operating botnets, command-and-control infrastructure, or coordinating denial-of-service attacks.
+
Promoting or facilitating human trafficking, terrorism, or violent extremism.
+
+
+
Abuse of Infrastructure
+
+
Sending spam, unsolicited bulk messages, or any form of abusive messaging through Pilot-operated specialist agents.
+
Exceeding rate limits (see Section 2).
+
Scraping, crawling, or systematically extracting data from pilotprotocol.network or the rendezvous API in a manner that degrades service for other users.
+
Attempting to circumvent any access controls, authentication measures, or rate limiting.
+
Using the Services to probe, scan, or test the vulnerability of systems you do not own or have permission to test.
+
+
+
Impersonation & Deception
+
+
Impersonating Pilot Protocol, Vulture Labs, or any of their personnel.
+
Spoofing agent hostnames or tags to impersonate another user's agent.
+
Registering agents with hostnames that are deliberately misleading or deceptive.
+
Using the Services for phishing, social engineering, or fraud.
+
+
+
Sanctions & Export Controls
+
+
Using the Services if you are located in, under the control of, or a national of any country subject to comprehensive sanctions by the United States, United Kingdom, European Union, or United Nations (including but not limited to Iran, North Korea, Syria, Cuba, and the Crimea, Donetsk, and Luhansk regions of Ukraine).
+
Using the Services for any purpose prohibited by export control laws, including the transfer of regulated technology or encryption software to sanctioned destinations.
+
+
+
2. Rate Limits
+
To protect the stability of the rendezvous service for all users, the following rate limits apply:
+
+
Agent registration — Maximum of 100 registrations per IP address per hour.
+
Discovery lookups — Maximum of 1,000 queries per agent per hour.
+
Handshake requests — Maximum of 300 handshake initiations per agent per hour.
+
+
If you have a legitimate need to exceed these limits, please contact founders@pilotprotocol.network. Enterprise tier customers receive negotiated rate limits under their service agreement.
+
Exact threshold values are not published beyond what is listed here; they are subject to change as the network scales. We reserve the right to dynamically adjust limits to protect service availability.
+
+
3. Enforcement
+
We may enforce this AUP through any of the following measures, at our sole discretion:
+
+
Warning — Notice to the affected user explaining the violation and required corrective action.
+
Temporary suspension — Immediate suspension of rendezvous service access for a defined period.
+
Permanent termination — Permanent removal of agent registration and blocking of the associated Ed25519 key and/or IP address.
+
Traffic throttling — Reduction in rate limits for the affected agent or IP range.
+
+
For severe violations — including CSAM, malware distribution, active attacks on infrastructure, or violations that create legal exposure for Pilot Protocol — we may suspend access without prior notice. For other violations, we will generally provide notice and an opportunity to remedy before taking action, but we are not obligated to do so.
+
+
4. Reporting Violations
+
If you become aware of any violation of this AUP, please report it immediately:
Please include as much detail as possible: the nature of the violation, the affected hostnames, tags, or IP addresses, timestamps, and any supporting evidence. We treat all reports confidentially and will acknowledge receipt within 2 business days.
+
+
5. Appeals
+
If your access has been suspended or terminated under this AUP, you may appeal the decision:
Include your agent hostname, Ed25519 public key fingerprint, and a clear explanation of why you believe the enforcement action was in error.
+
Appeals are reviewed by the Pilot Protocol founders. We aim to respond within 5 business days.
+
The founders' decision on appeal is final. There is no further internal review.
+
+
+
6. Changes to This Policy
+
We will post changes to this page and update the "Last updated" date. Material changes will be communicated through the website or, where feasible, through daemon notification. Continued use after the effective date constitutes acceptance of the revised AUP.
+
+
7. Contact
+
Questions about this Acceptable Use Policy or to report a violation?
+ This policy is provided for transparency and operational clarity. It does not constitute legal advice. If you are a legal professional reviewing this document, please direct feedback to founders@pilotprotocol.network.
+
+
+
+
+
+
+
diff --git a/src/pages/cookies.astro b/src/pages/cookies.astro
new file mode 100644
index 00000000..57a90bc5
--- /dev/null
+++ b/src/pages/cookies.astro
@@ -0,0 +1,115 @@
+---
+import BaseHead from '../components/BaseHead.astro';
+import Nav from '../components/Nav.astro';
+import Footer from '../components/Footer.astro';
+import '../styles/system.css';
+
+const title = "Cookie Policy — Pilot Protocol";
+const description = "How Pilot Protocol uses cookies and similar technologies. Transparent inventory of all cookies, localStorage entries, and analytics tools.";
+const canonicalUrl = "https://pilotprotocol.network/cookies";
+---
+
+
+
+
+
+
+
+
+
+
+
+ Effective: May 28, 2026 · Last updated: May 28, 2026
+
+
+
This Cookie Policy explains what cookies and similar technologies Pilot Protocol ("we", "us") uses on pilotprotocol.network, why we use them, and how you can control them. It supplements our Privacy Policy.
+
+
What Are Cookies?
+
Cookies are small text files placed on your device by websites you visit. They are widely used to make websites work, improve efficiency, and provide information to the site owners. "Similar technologies" includes localStorage, session storage, and browser-level storage APIs that serve a similar purpose.
+
+
Cookie Inventory
+
Here is every cookie and browser-storage entry used on pilotprotocol.network, what it does, how long it lasts, and who sets it:
+
+
+
+
+
Name
+
Provider
+
Purpose
+
Duration
+
Category
+
+
+
+
+
__cf_bm
+
Cloudflare
+
Bot management. Distinguishes human visitors from automated bots to protect the site from malicious traffic. Does not track users across sites.
+
30 minutes
+
Strictly necessary
+
+
+
pilot_consent
+
Pilot Protocol (localStorage)
+
Stores your cookie consent preference (accepted or rejected). No personal data, no tracking.
+
Persistent (until cleared)
+
Strictly necessary
+
+
+
_ga
+
Google Analytics
+
Distinguishes unique users for analytics. Set only after you accept cookies. Contains a randomly generated client identifier.
+
2 years
+
Analytics
+
+
+
_ga_EEWEKT0GW5
+
Google Analytics
+
Session-level analytics for our GA4 property. Set only after cookie consent. Tracks page views and session state.
+
2 years
+
Analytics
+
+
+
+
+
Cookieless Analytics
+
In addition to the cookies above, we use Cloudflare Web Analytics, which is entirely cookieless. It does not use cookies, localStorage, fingerprinting, or any form of persistent tracking. It provides only aggregated page-view counts and performance metrics. No personal data is collected.
+
+
Consent Model
+
When you first visit pilotprotocol.network, a consent banner appears offering two options:
+
+
Accept — Enables Google Analytics 4 cookies (_ga, _ga_EEWEKT0GW5). Your preference is stored in the pilot_consent localStorage entry.
+
Reject — No analytics cookies are set. The strictly necessary __cf_bm cookie (Cloudflare bot management) still operates. Your preference is stored in pilot_consent.
+
+
The banner does not use a "nag wall" — you can browse the site without interacting with it. If you do not make a choice, no analytics cookies are set (implied rejection).
+
+
How to Change Your Preference
+
You can change your consent at any time:
+
+
Cookie preferences link — At the bottom of every page in the footer, click "Cookie Preferences" to reopen the consent banner.
+
Clear localStorage — Removing pilot_consent from your browser's localStorage will reset your preference, and the banner will reappear on your next visit.
+
Browser settings — Most browsers allow you to block or delete cookies globally. See your browser's help documentation for instructions.
+
+
+
Third-Party Tools We've Disabled
+
For transparency: our site includes a PostHog integration in the codebase, but it is currently disabled. No PostHog cookies, events, or analytics are active. If we enable PostHog in the future, we will update this policy, add it to the cookie inventory, and require fresh consent.
+
+
Changes to This Policy
+
We will post changes to this page and update the "Last updated" date. If we add new cookies or substantially change how we use existing ones, we will re-prompt for consent where required by law.
+ This policy was drafted for transparency. If you are a legal professional reviewing this document, please direct feedback to founders@pilotprotocol.network.
+
+
+
+
+
+
+
diff --git a/src/pages/privacy.astro b/src/pages/privacy.astro
new file mode 100644
index 00000000..13b891ca
--- /dev/null
+++ b/src/pages/privacy.astro
@@ -0,0 +1,140 @@
+---
+import BaseHead from '../components/BaseHead.astro';
+import Nav from '../components/Nav.astro';
+import Footer from '../components/Footer.astro';
+import '../styles/system.css';
+
+const title = "Privacy Policy — Pilot Protocol";
+const description = "How Pilot Protocol collects, uses, and protects your data. GDPR-compliant privacy policy covering the daemon, website, and rendezvous service.";
+const canonicalUrl = "https://pilotprotocol.network/privacy";
+---
+
+
+
+
+
+
+
+
+
+
+
+ Effective: May 28, 2026 · Last updated: May 28, 2026
+
+
+
Pilot Protocol is operated by Vulture Labs. This Privacy Policy explains what data we collect, why we collect it, and what rights you have. It covers the Pilot Protocol daemon, the pilotprotocol.network website, the rendezvous service, and any Pilot-operated specialist agents (together, the "Services").
When you run the Pilot daemon (pilotctl daemon start), the following data is transmitted to our rendezvous service for network discovery and operation:
+
+
IP address — Your public IP address, used for NAT traversal and peer discovery.
+
Daemon version — The version string of your running daemon binary (e.g., v0.3.1).
+
Synthetic email — A SHA-256 hash derived from your Ed25519 public key, used as an opaque identifier for the rendezvous registry.
+
Hostname — The hostname you assign to your agent (e.g., agent-a).
+
Tags — Any tags you attach to your agent for group discovery (e.g., production, us-east).
+
Ed25519 public key — Your agent's cryptographic identity, used for authentication and establishing encrypted tunnels.
+
LAN IP address (optional) — If you enable local-network discovery, your private LAN IP is exchanged with peers on the same subnet.
+
+
None of this data includes personal names, email addresses, or the content of agent-to-agent messages. The daemon does not log or transmit the payload of any peer-to-peer communication.
+
+
Important: Peer-to-peer traffic (data sent directly between agents after tunnel establishment) never touches our infrastructure. We cannot see it, log it, or access it.
+
+
2. Website Data
+
When you visit pilotprotocol.network, we collect:
+
+
Server access logs — Standard Cloudflare-provided logs including IP address, timestamp, requested URL, user-agent string, and HTTP status code. These are retained for a limited period for operational purposes and security monitoring.
+
Google Analytics 4 (GA4) — Measurement ID G-EEWEKT0GW5. GA4 loads only after you accept cookies via our consent banner. No analytics data is collected before consent. See our Cookie Policy for details.
+
Cloudflare Web Analytics — Cookieless, privacy-first analytics provided by Cloudflare. No personal data, no cookies, no fingerprinting. Aggregated page-view counts only.
+
+
+
3. Legal Basis for Processing (GDPR)
+
We process data under Article 6 of the UK and EU GDPR:
+
+
Legitimate interests (Art. 6(1)(f)) — Operating the rendezvous service, maintaining network security, and analyzing aggregated usage to improve the protocol. We have balanced these interests against your rights and concluded they do not override them given the minimal nature of the data.
+
Consent (Art. 6(1)(a)) — For Google Analytics cookies and any optional telemetry. You may withdraw consent at any time by clearing your browser's pilot_consent localStorage entry.
+
+
+
4. Data Retention
+
+
Daemon registration data (IP, hostname, public key, tags, version) — Retained while your agent is registered. Automatically removed if the agent is offline for 30 consecutive days.
+
Server access logs — Retained for 30 days, then automatically deleted.
+
GA4 analytics data — Retention governed by Google's default settings (currently 14 months for event-level data, reset on each new visit).
+
Cloudflare Web Analytics — Aggregated data retained for 30 days.
+
+
+
5. Sub-Processors
+
We use the following third-party service providers to operate the Services:
+
+
Google Cloud Platform (GCP) — Hosts the rendezvous registry and any Pilot-operated specialist agents. Data at rest in us-central1.
+
Cloudflare, Inc. — Provides CDN, DNS, DDoS protection, Web Analytics, and serverless compute (Cloudflare Pages) for pilotprotocol.network. Processed globally at Cloudflare edge locations.
+
Google LLC — Google Analytics 4 (GA4) for website analytics, consent-gated. Data processed in the United States.
+
+
All sub-processors are bound by data processing agreements (DPAs) compliant with GDPR Article 28.
+
+
6. International Data Transfers
+
Data may be transferred to and processed in the United States (GCP us-central1, Cloudflare global edge, Google Analytics). For transfers from the EEA, UK, or Switzerland, we rely on:
+
+
Standard Contractual Clauses (SCCs) — EU Commission Implementing Decision 2021/914, plus the UK International Data Transfer Addendum.
+
EU-US Data Privacy Framework (DPF) — Google LLC and Cloudflare, Inc. are certified under the DPF.
+
+
For jurisdictions without an adequacy decision, we implement supplementary measures including encryption at rest (AES-256) and in transit (TLS 1.3).
+
+
7. Your Rights
+
Depending on your jurisdiction, you may have the following rights:
+
+
GDPR (EEA, UK, Switzerland)
+
+
Right of access (Art. 15) — Request a copy of the personal data we hold about you.
+
Right to rectification (Art. 16) — Correct inaccurate data.
+
Right to erasure (Art. 17) — Request deletion of your data.
+
Right to restrict processing (Art. 18) — Limit how we use your data.
+
Right to data portability (Art. 20) — Receive your data in a structured, machine-readable format.
+
Right to object (Art. 21) — Object to processing based on legitimate interests.
+
Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time.
+
Right to lodge a complaint (Art. 77) — Contact your local supervisory authority.
+
+
+
CCPA / CPRA (California)
+
+
Right to know — Request disclosure of the categories and specific pieces of personal information collected.
+
Right to delete — Request deletion of personal information.
+
Right to opt-out — We do not sell personal information. No opt-out is required.
+
Right to non-discrimination — Exercising your rights will not result in degraded service.
+
+
+
To exercise any of these rights, email founders@pilotprotocol.network. We will respond within 30 days (GDPR) or 45 days (CCPA). Verification of identity may be required for certain requests.
+
+
8. Data Protection Officer & EU Representative
+
Given the limited scope and nature of data processing (no large-scale processing of special categories of data, no systematic monitoring of data subjects on a large scale), Vulture Labs is exempt from the obligation to appoint a Data Protection Officer under GDPR Article 37 and from the obligation to designate an EU Representative under GDPR Article 27. If this assessment changes as the Services grow, we will update this policy and make the necessary appointments.
+
+
9. Children's Privacy
+
The Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
+
+
10. Automated Decision-Making
+
We do not use any form of automated decision-making or profiling that produces legal effects or similarly significant effects on individuals (GDPR Article 22). The rendezvous service uses automated matching of tags and hostnames, but this is purely operational and has no effect on individual rights.
+
+
11. Security
+
We implement appropriate technical and organizational measures to protect data: TLS 1.3 for all transit, AES-256-GCM for encrypted tunnels, access controls on infrastructure, and regular security reviews. In the event of a data breach, we will notify affected users and relevant authorities as required by applicable law.
+
+
12. Changes to This Policy
+
We will post changes to this page and update the "Last updated" date. For material changes, we will provide additional notice (website banner, daemon notification, or email where available). Continued use after changes constitutes acceptance.
+
+
13. Contact
+
For privacy-related inquiries or to exercise your rights:
We aim to acknowledge all privacy requests within 5 business days.
+
+
+ This policy is provided for transparency and does not constitute legal advice to users. If you are a legal professional reviewing this document, please direct feedback to founders@pilotprotocol.network.
+
+
+
+
+
+
+
diff --git a/src/pages/sitemap.xml.ts b/src/pages/sitemap.xml.ts
index 3a372d05..a42e0a2c 100644
--- a/src/pages/sitemap.xml.ts
+++ b/src/pages/sitemap.xml.ts
@@ -24,6 +24,12 @@ export async function GET() {
urls.push(url('/blog/', today, 0.9, 'weekly'));
urls.push(url('/llms.txt', '2026-02-28', 0.5));
+ // Legal pages
+ urls.push(url('/privacy', today, 0.7));
+ urls.push(url('/cookies', today, 0.7));
+ urls.push(url('/terms', today, 0.7));
+ urls.push(url('/aup', today, 0.7));
+
// Solution / "for" pages
urls.push(url('/for/mcp', today, 0.8));
urls.push(url('/for/p2p', today, 0.8));
diff --git a/src/pages/terms.astro b/src/pages/terms.astro
new file mode 100644
index 00000000..e7dada5c
--- /dev/null
+++ b/src/pages/terms.astro
@@ -0,0 +1,119 @@
+---
+import BaseHead from '../components/BaseHead.astro';
+import Nav from '../components/Nav.astro';
+import Footer from '../components/Footer.astro';
+import '../styles/system.css';
+
+const title = "Terms of Service — Pilot Protocol";
+const description = "Terms governing use of the Pilot Protocol website, rendezvous service, and Pilot-operated specialist agents. Peer-to-peer traffic is explicitly excluded.";
+const canonicalUrl = "https://pilotprotocol.network/terms";
+---
+
+
+
+
+
+
+
+
+
+
+
+ Effective: May 28, 2026 · Last updated: May 28, 2026
+
+
+
These Terms of Service ("Terms") are a binding agreement between Vulture Labs ("Pilot Protocol," "we," "us," "our") and you ("you," "User") governing your use of pilotprotocol.network, the Pilot rendezvous service, any Pilot-operated specialist agents, and related documentation and APIs (together, the "Services").
+
+
By using the Services, you agree to these Terms. If you do not agree, do not use the Services.
+
+
1. Scope of These Terms
+
These Terms apply to:
+
+
pilotprotocol.network — The website, documentation, blog, and any APIs exposed through the domain.
+
Rendezvous service — The registry that enables agents to discover each other for direct peer-to-peer communication.
+
Pilot-operated specialist agents — Agents run by Pilot Protocol for network services (e.g., DNS resolution, time synchronization, skill indexing).
+
+
+
What is NOT covered: Peer-to-peer traffic between agents is explicitly excluded from these Terms. Once two agents establish a direct encrypted tunnel, the content, quality, and legality of that traffic is solely between the communicating parties. Pilot Protocol does not intermediate, inspect, or control peer-to-peer data flows.
+
+
2. Service Tiers
+
The Services are offered under the following tiers:
+
+
A. Open / Free Tier
+
The Pilot daemon is open-source software licensed under the GNU Affero General Public License v3.0 (AGPL-3.0). You may use, modify, and redistribute it under the terms of that license. The public rendezvous service is provided free of charge, without warranty, on a best-effort basis.
+
+
B. Private Network (Early Access)
+
Private network features — including dedicated rendezvous instances, custom tag namespaces, and access controls — are in Early Access. Availability, pricing, and SLAs are subject to change. Early Access features are provided "as-is" and may be modified or discontinued without notice.
+
+
C. Enterprise (Early Access)
+
Enterprise features including on-premise rendezvous, SLA-backed uptime, dedicated support, and custom integrations are in Early Access. Terms are negotiated per-enterprise agreement. Contact founders@pilotprotocol.network for details.
+
+
3. Intellectual Property
+
+
Pilot daemon — Licensed under AGPL-3.0. Source code at github.com/TeoSlayer/pilotprotocol. The license text is included with the software.
+
pilotprotocol.network — The website, branding, documentation (except code samples), and the "Pilot Protocol" name and logo are proprietary. They are not open-source licensed.
+
Your content — You retain ownership of any data, messages, or content transmitted through peer-to-peer tunnels. We claim no license or rights over your agent-to-agent traffic.
+
+
+
4. Acceptable Use
+
You agree not to use the Services in violation of our Acceptable Use Policy, which is incorporated into these Terms by reference. Violations may result in immediate suspension of access to the rendezvous service and any Pilot-operated agents.
+
+
5. User Obligations
+
You are responsible for:
+
+
Maintaining the confidentiality of your Ed25519 private key. Loss of the key means loss of your agent identity.
+
Complying with all applicable laws in your jurisdiction when using the Services.
+
Ensuring that the content of your agent-to-agent communication does not violate the rights of third parties.
+
Using the latest stable version of the daemon. We may deprecate and stop supporting older protocol versions.
+
+
+
6. Disclaimers
+
THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE," WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. To the fullest extent permitted by law, Pilot Protocol disclaims all warranties, including but not limited to:
+
+
Implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
+
Warranties that the Services will be uninterrupted, error-free, secure, or available at any particular time.
+
Warranties regarding the accuracy, reliability, or completeness of documentation or any content on pilotprotocol.network.
+
+
The open-source daemon carries the warranty disclaimer in the AGPL-3.0 license. The website and rendezvous service carry this additional disclaimer.
+
+
7. Limitation of Liability
+
TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, PILOT PROTOCOL AND VULTURE LABS SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, including but not limited to loss of profits, data, goodwill, or business interruption, arising out of or related to these Terms or the use of the Services, whether based on warranty, contract, tort (including negligence), or any other legal theory, even if advised of the possibility of such damages.
+
+
Our total liability for any claim arising under these Terms shall not exceed:
+
+
For paid Services: the fees you paid to Pilot Protocol in the twelve (12) months preceding the claim.
+
For free/open Services: one United States Dollar (USD $1.00). The free tier is provided without charge; this nominal amount reflects the fundamentally cost-free nature of the service and is not a penalty.
+
+
+
Some jurisdictions do not allow the exclusion or limitation of certain warranties or liabilities. In such jurisdictions, our liability is limited to the maximum extent permitted by law.
+
+
8. Indemnification
+
You agree to indemnify and hold harmless Pilot Protocol, Vulture Labs, and their officers, directors, employees, and agents from any claims, damages, liabilities, and expenses (including reasonable legal fees) arising from your use of the Services, your violation of these Terms, or your violation of any third-party rights.
+
+
9. Termination
+
We may suspend or terminate your access to the Services at any time for violation of these Terms or the Acceptable Use Policy. For the free tier, we may also discontinue or modify the Service at our discretion. Upon termination, your agent's registration data will be removed from the rendezvous service within 30 days.
+
+
10. Governing Law & Dispute Resolution
+
These Terms are governed by the laws of the State of Delaware, United States, without regard to its conflict of laws principles. Any dispute arising under these Terms shall be resolved exclusively in the state or federal courts located in Delaware.
+
+
Before initiating formal proceedings, you agree to contact us at founders@pilotprotocol.network and attempt to resolve the dispute informally for a period of at least thirty (30) days.
+
+
11. Changes to These Terms
+
We will post changes to this page and update the "Last updated" date. For material changes, we will provide additional notice (website banner, email where available, or daemon notification). Continued use after the effective date of changes constitutes acceptance of the revised Terms.
+ These Terms were drafted for transparency and operational clarity. They do not constitute legal advice. If you are a legal professional reviewing this document, please direct feedback to founders@pilotprotocol.network.
+