AI Discvery Files v1.0.0

Open standards powering the Agentic Web

GitHub

Privacy

This page describes how the AI Discovery Files website currently handles data, browser storage, and the file generator.

What We Store (Currently)

Generated files and validation results are handled in your browser session by default. We do not automatically store generator form content or WebMCP token data on our servers.

If you choose to submit an implementation record from the generator review step, we store a minimal metadata record for adoption tracking. This includes the site domain, company name, industry (if provided in the generator fields), implementation status, selected/generated filenames, submission date, and generator metadata (for example validation summary counts and UI mode). We do not store generated file contents or WebMCP tokens as part of this submission.

Implementation Record Submissions (Optional)

Submitting an implementation record is optional. It is used to help us understand adoption of the AI Discovery Files standard and, if you separately consent, to optionally contact you about the submitted implementation record.

Data collected in an implementation record

  • site_domain (derived from the Website URL field)
  • company_name (derived from Brand Name / Registered Business Name / Legal Entity Name)
  • industry (derived from the Primary Industry field, if available)
  • status (trying, testing, implemented)
  • files_implemented (filenames only)
  • date_submitted (server-generated UTC timestamp)
  • privacy_notice_version (the privacy notice version shown when submitted)
  • generator_metadata (for example selected/generated files, validation summary counts, UI mode, and generator version)
  • Optional contact_email only if you check the consent checkbox

Purposes and legal bases

  • Adoption tracking / implementation analytics (implementation record metadata listed above, excluding optional contact email): processed under our legitimate interests in understanding and improving adoption of the standard.
  • Optional contact about your implementation record (contact email only): processed under your consent, which you provide by checking the contact consent checkbox.

Retention

  • Implementation record metadata is retained for up to 24 months from submission.
  • Optional contact email is retained for up to 12 months from submission, or earlier if you withdraw consent.

Processors and hosting

Implementation record submissions are processed and stored using Cloudflare infrastructure (Cloudflare Pages Functions and D1 database) as our hosting and infrastructure provider.

Depending on your location and Cloudflare configuration, data may be processed outside your country (including outside the EU/EEA). Where required, this is handled using the provider’s contractual and organizational safeguards.

Anti-abuse protection (rate limiting)

To protect the implementation record submission endpoint from spam and abuse, we apply server-side rate limiting. This may temporarily process request metadata such as IP address information and store a short-lived pseudonymous (hashed) rate-limit key for technical protection purposes. This processing is based on our legitimate interests in securing the service and preventing abuse.

We also use Cloudflare Turnstile on the implementation record submission action to verify that submissions are made by a real user and to reduce automated abuse.

Rate-limit bucket data is retained for up to 7 days and is not used for marketing or profiling.

Your rights and consent withdrawal

If applicable to you (for example under GDPR), you may request access, correction, or deletion of your implementation record, and you may object to processing based on legitimate interests. If you provided a contact email, you can withdraw consent for contact at any time.

For deletion requests related to implementation records, contact [email protected].

To request deletion or withdraw contact consent, email [email protected] (or [email protected], an alias for the same inbox) and include the submitted site domain so we can identify the record.

We do not use implementation records for automated decision-making or profiling.

Cookies

The file generator does not require cookies and does not use cookies for generation or validation.

The site currently uses browser storage for a small amount of local UI state only:

  • sessionStorage for a temporary WebMCP help highlight state

Optional Contact Email

The implementation record form includes an optional contact email field. We only store a contact email if you explicitly provide it and check the consent checkbox allowing contact about the implementation record.

WebMCP Widget

This site loads the WebMCP widget script from a third-party source: @jason.today/webmcp via unpkg.

Our site code does not set cookies for the generator flow, but third-party scripts may have their own behavior. Review the provider documentation if you need a stricter privacy assessment before using WebMCP in production.

Future Changes

If we add server-side project storage, analytics, or account features, this page will be updated before those features are enabled.