Overview
Greyline is a product of The Meridian Lab LLC. This policy explains what data we collect when you use the Greyline service, how we use it, and what rights you have over it.
Greyline operates as a reverse proxy. By design, we process HTTP requests on your behalf. This means we see request metadata — headers, IP addresses, user-agent strings — for every request routed through Greyline. We use this data to do one thing: detect autonomous AI agents.
Data we collect from your API traffic
For every request proxied through Greyline, we process and may retain:
- IP address (hashed). We store a one-way SHA-256 hash of the originating IP, never the raw IP. The hash is used to correlate sessions within a 24-hour window and contributes to cross-customer fingerprint intelligence.
- User-agent string. Stored per session. Used to identify agent frameworks and classify request patterns.
- Request headers (non-sensitive). We inspect headers for signal detection (e.g.
sec-fetch-site, accept-encoding, x-agent-id). We do not store authentication headers, API keys, or credential values.
- Request body (Bouncer sessions only). If a request scores above the interception threshold, the request body is passed to the Bouncer and stored in the session transcript for up to 90 days. Request bodies for passed-through traffic are never stored.
- Timestamps and session metadata. First seen, last seen, turn count, strategy used, detected framework, and score.
Data we collect from you (as a customer)
When you sign up for Greyline, we collect:
- Email address — used for account communication and billing receipts.
- Hostname/subdomain — the CNAME you've pointed at Greyline. Stored to route your traffic correctly.
- Origin URL — your real API endpoint. Stored server-side and never exposed in API responses or logs.
- Payment information — processed by Stripe. We never see or store raw card details.
Cross-customer fingerprinting
Greyline's global fingerprint intelligence aggregates anonymized signal patterns across all customers to improve agent detection. Specifically:
- When a session is confirmed as an agent (score ≥ 61), a normalized fingerprint pattern is derived from the session's headers and stored in a shared fingerprint table.
- Fingerprints contain only structural patterns — hashed IP, normalized UA, and header presence/absence flags. They never contain request body content or customer-identifiable information.
- Fingerprint confidence decays linearly to zero over 30 days. Old patterns are deleted on a rolling basis.
- You can opt out of contributing to cross-customer fingerprint intelligence at any time in your account settings. Opting out does not affect your own detection quality — it only stops your sessions from contributing to the shared intelligence pool.
Data retention
- Active sessions: Retained indefinitely while your account is active.
- Bouncer transcripts: Retained for 90 days, then automatically purged.
- Fingerprint patterns: Retained for 30 days with linear confidence decay.
- Account data: Retained until account deletion is requested.
To request deletion of your account and all associated data, email greyline@themeridianlab.com. We will complete deletion within 30 days.
Data sharing
We do not sell your data. We share data only with:
- Cloudflare. All infrastructure runs on Cloudflare Workers, D1, KV, and R2. Cloudflare's privacy policy applies to data at rest and in transit on their network.
- Anthropic. Request content passed to the Bouncer is sent to Anthropic's Claude API for response generation. Anthropic's API privacy policy applies. We do not use Anthropic's training data opt-in features — data sent to Claude is not used for model training.
- Stripe. Payment processing. Stripe handles all card data.
- Legal requirements. We may disclose data if required by law, court order, or valid legal process.
Security
Greyline is built on Cloudflare's global edge network. All traffic is encrypted in transit via TLS. Sensitive values (API keys, origin URLs) are stored hashed or as Cloudflare Worker secrets and are never returned in API responses. We conduct regular reviews of our data handling practices.
Your rights
Depending on your location, you may have rights under GDPR, CCPA, or other privacy laws, including the right to access, correct, or delete your personal data. To exercise any of these rights, contact us at greyline@themeridianlab.com.
Changes to this policy
We may update this policy as the product evolves. Material changes will be communicated to customers via email at least 14 days before they take effect. The latest version is always at greyline.themeridianlab.com/privacy.