three.wsPrivacy Policy
This Privacy Policy explains how three.ws ("we", "us", "our") collects, uses, and shares information about you when you use three.ws (the "Service"). We take your privacy seriously and collect only what we need to operate.
1. Information We Collect
| Category | Examples | Why |
|---|---|---|
| Account identifiers | Wallet address, email (optional), display name | Authentication & account management |
| Content you upload | 3D models (GLB/glTF), thumbnails, agent metadata | Service delivery, CDN delivery to viewers |
| On-chain data | ERC-8004 agent registrations, Metaplex NFT mints, USDC payment tx hashes | Identity verification, subscription status |
| Usage data | API calls, widget load events (no IPs, no fingerprints) | Quota enforcement, abuse prevention, aggregate analytics |
| Session data | Hashed session token, IP address (hashed), user agent | Authentication, security |
| Email (if provided) | Email address for transactional messages | Account notices, subscription receipts |
We do not collect advertising identifiers, third-party tracking pixels, or sell personal data to any third party.
2. How We Use Your Information
- To authenticate you and maintain your session.
- To store and serve your 3D content via Cloudflare R2.
- To send transactional emails (welcome, subscription receipts, security alerts) via Resend.
- To enforce plan quotas and rate limits.
- To detect and prevent abuse, fraud, and security incidents.
- To improve the Service using aggregate, anonymized analytics.
3. On-Chain Data
Wallet addresses and on-chain registrations are public by nature of blockchain technology. We index publicly available on-chain data (ERC-8004 events, Metaplex metadata) to power the agent directory. We do not create profiles that link on-chain identity to off-chain personal information beyond what you explicitly provide.
4. Sharing & Disclosure
We do not sell your personal data. We share information only with:
- Infrastructure providers: Vercel (hosting), Neon (database), Upstash (rate limiting), Cloudflare R2 (storage), Resend (email). Each is bound by their own privacy policy and data processing agreements.
- Legal obligations: If required by law, court order, or to protect the rights and safety of three.ws or others.
- Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users.
5. Data Retention
We retain your account data for as long as your account is active. Deleted accounts are soft-deleted for 30 days (for recovery), then permanently purged. Session tokens expire after 30 days. Nonces expire after 5 minutes and are purged within 24 hours.
Usage events are retained for 90 days for quota and abuse analysis, then deleted. Widget view events (no personal data) are retained for 12 months.
6. Your Rights
Depending on your jurisdiction you may have rights to access, correct, delete, or export your personal data. To exercise any of these rights, email privacy@three.ws from the email address associated with your account, or sign a message with your wallet address confirming the request.
We will respond within 30 days. Requests to delete your account will remove all content stored on our servers; on-chain data cannot be deleted by us.
7. GDPR (EEA & UK Users)
For users in the European Economic Area or United Kingdom, our legal bases for processing are: contract performance (account operation, content delivery), legitimate interests (security, abuse prevention, aggregate analytics), and consent (optional email marketing, if you opt in).
You have the right to lodge a complaint with your local supervisory authority.
8. Cookies & Local Storage
We use the following browser storage:
- Session cookie (
__Host-session): HttpOnly, Secure, SameSite=Strict. Required for authentication. - CSRF cookies (
__Host-csrf-siwe,__Host-csrf-siws): Short-lived, for SIWE/SIWS replay protection. - localStorage (
3dagent:auth-hint): Stores a non-sensitive login hint for faster page loads. Cleared on sign-out.
We do not use third-party advertising cookies.
9. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will delete it promptly.
10. MCP Connectors, AI Processing & Payments
three.ws exposes Model Context Protocol (MCP) connectors (e.g. https://three.ws/api/mcp and https://three.ws/api/mcp-3d) that AI clients such as Claude and ChatGPT can call on your behalf. This section explains how data flows through those connectors.
- Tool inputs we receive: the arguments you (or your AI client) send to a tool — text prompts, reference image URLs, GLB/glTF model URLs, wallet or agent addresses, token mints, and search terms. We process these to fulfill the request and log them only as needed for quota, abuse prevention, and debugging.
- Third-party AI model providers: generation and editing tools forward your prompts and asset URLs to upstream model APIs to produce results. Depending on the tool, these may include NVIDIA NIM (Microsoft TRELLIS), Meshy, Replicate, Stability, Hugging Face, OpenAI, Anthropic, and IBM (Granite). Each provider processes the input under its own privacy policy. Do not submit confidential or personal data in tool prompts.
- Payment data (x402): paid tools settle in USDC via the x402 payment protocol. When you pay per call we receive your public wallet address and the payment/settlement transaction signature, verified through a payment facilitator (Coinbase CDP and/or the public x402.org facilitator). We never receive, request, or store your private keys or seed phrase. The only token three.ws itself references is
$THREE; USDC is used purely for settlement. - OAuth-scoped access: when you connect via OAuth, the connector can read and write only the three.ws account data covered by the scopes you grant (avatars, agents, memory, profile). It cannot access your AI client's chat history, memory, or local files.
- Retention of tool inputs: tool-call inputs and outputs follow the usage-data retention in Section 5 (90 days), except content you explicitly save (e.g. a saved avatar), which is retained as account content until you delete it.
11. Changes to This Policy
We may update this Privacy Policy. We will notify you of material changes by email or a prominent notice on the Service. The "Effective" date at the top reflects the most recent revision.
12. Contact
Privacy questions: privacy@three.ws
three.ws · Terms of Service · Home