Privacy Policy
Effective Date: March 3, 2026
1. Introduction
RootVaultAI LLC, an Arizona limited liability company doing business as RegisteredBrands.AI ("Company," "we," "our," or "us"), operates the brand verification and trust infrastructure platform at registeredbrands.ai. This Privacy Policy explains how we collect, use, disclose, store, and safeguard your information when you use our platform, APIs, SDKs, and related services (collectively, the "Service"). This policy applies to all users — human operators, organizations, and autonomous AI agents acting on behalf of registered account holders.
2. Information We Collect
2.1 Account Information
When you create an account via Manus OAuth or other supported authentication methods, we collect your name, email address, and authentication identifiers (OpenID). For business accounts, we may also collect your company name, role, and business contact information. If you verify your email address, we store the verification status and the email address used for verification.
2.2 Brand Capsule Data
When you create a Brand Capsule, we collect: brand name, domain, description, capsule type, DUNS number, identity codes, trust profile URIs, and any documents you upload for verification. We also generate and store Ed25519 public keys, JSON-LD representations, and trust scores associated with your capsule. This data is intentionally made public as part of the trust verification service.
2.3 Cryptocurrency Wallet Data
When you connect a cryptocurrency wallet to make a USDC payment, we collect and store your public wallet address. We do not collect, access, or store your wallet private keys, seed phrases, or recovery phrases. Your public wallet address is associated with your account for payment tracking and entitlement activation. We also record: transaction hashes, payment amounts, network identifiers (Base, Ethereum, or Arbitrum), and confirmation timestamps. Note that blockchain transactions are inherently public — your wallet address and transaction history are visible on the respective blockchain to anyone.
2.4 Payment Information (Card)
Card payments are processed by Stripe, Inc. We do not receive or store your full card number, CVV, or card expiration date. Stripe provides us with a tokenized reference, the last four digits of your card, card brand, and transaction status. Stripe's handling of your payment data is governed by Stripe's Privacy Policy.
2.5 API Usage and Technical Data
We log API requests including: endpoints accessed, request timestamps, IP addresses, user agent strings, response codes, and rate limit status. For AI agent interactions, we additionally log: agent identifiers, verification request metadata, and protocol-specific context. This data is used for rate limiting, security monitoring, abuse prevention, and service improvement.
2.6 Onboarding and Analytics Data
We collect anonymized onboarding analytics including: session identifiers, persona selections (brand owner or developer), step progression, plan selections, and completion status. This data is used to improve the onboarding experience and is not linked to personally identifiable information unless you are logged in, in which case your user ID may be associated with the session.
2.7 Communication Data
When you contact us through our contact form, email, or other channels, we collect the content of your communication, your email address, and any attachments you provide.
3. How We Use Your Information
We use collected information to: (a) operate, maintain, and improve the Service; (b) generate, verify, and publish Brand Capsules and Agent Capsules; (c) calculate and update trust scores; (d) process payments via Stripe and USDC, activate entitlements, and manage subscriptions; (e) verify on-chain transactions and link them to payment intents; (f) respond to verification queries from AI agents and bots via our API endpoints; (g) enforce community flagging and trust penalties; (h) detect and prevent fraud, abuse, and unauthorized access; (i) communicate with you about your account, transactions, and service updates; (j) comply with legal obligations, including AML/KYC requirements; (k) generate aggregate analytics and improve our platform; and (l) send owner notifications for security events, payment confirmations, and system alerts.
4. Public Data and the Trust Verification Model
The core function of RegisteredBrands.AI is to make brand identity verifiable by AI agents and other parties. By creating a Brand Capsule, you explicitly consent to the following data being made publicly available:
- Brand name, domain, and capsule type
- Trust score and verification status
- Ed25519 public keys and key fingerprints
- JSON-LD capsule representations
- Capsule creation and update timestamps
This data is accessible through our Explorer dashboard, Registry, /.well-known/ endpoints, and verification APIs. This public availability is not optional while maintaining an active capsule — it is the mechanism by which trust verification functions. We do not expose your personal email address, account credentials, payment details, or private keys through any public endpoint.
5. On-Chain Data
When you make a USDC payment, the transaction is recorded on a public blockchain (Base, Ethereum, or Arbitrum One). Blockchain data is immutable and publicly accessible — we cannot delete, modify, or restrict access to on-chain transaction records. Your public wallet address and transaction details (amount, timestamp, recipient) are permanently visible on the blockchain. We store a reference to on-chain transactions (transaction hash, network, amount) in our database for payment tracking. We do not publish or expose the association between your wallet address and your account identity through our APIs, but this association may be inferable by third parties analyzing on-chain data.
6. Data Sharing and Disclosure
We do not sell your personal information. We may share data with:
- Service Providers: Stripe (payment processing), cloud infrastructure providers (hosting, storage), and analytics tools, each bound by data processing agreements.
- AI Agents and Verification Consumers: Public capsule data is accessible to any party querying our verification endpoints. This is the intended function of the Service.
- Law Enforcement: When required by law, subpoena, court order, or government request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
- Business Transfers: In connection with a merger, acquisition, bankruptcy, or sale of assets, your data may be transferred to the acquiring entity.
- With Your Consent: When you explicitly authorize sharing with a specific third party.
Distributor Badge Key data is shared only with parties you explicitly authorize through the badge key issuance process.
7. Data Security
We implement industry-standard security measures including: encryption in transit (TLS 1.2+); secure credential storage with cryptographic hashing; Ed25519 digital signatures for data integrity; Helmet.js security headers (HSTS, X-Frame-Options, X-Content-Type-Options, CSP); rate limiting (tiered: global, authentication, and verification endpoints); session management with secure, HttpOnly, SameSite cookies; and access controls with role-based permissions. API authentication uses cryptographic tokens, and our verification endpoints support Ed25519 signature validation. Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
8. Data Retention
We retain data according to the following schedule: (a) Account data is retained for the duration of your account plus 90 days after deletion; (b) Brand Capsule data is retained for the duration of your active capsule plus 90 days after deactivation; (c) API access logs are retained for 12 months; (d) Payment records (Stripe references and USDC transaction hashes) are retained for 7 years for tax and regulatory compliance; (e) Audit logs are retained for 3 years; (f) Onboarding analytics are retained for 2 years in aggregate form; (g) Email verification records are retained for the duration of your account. On-chain transaction data is permanently stored on the blockchain and is outside our control.
9. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data, subject to legal retention requirements. Note: we cannot delete on-chain transaction data or previously published capsule data that has been cached by third parties.
- Restriction: Request restriction of processing in certain circumstances.
- Portability: Request your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdrawal of Consent: Withdraw consent where processing is based on consent.
To exercise these rights, contact us at [email protected]. We will respond within 30 days. For California residents (CCPA/CPRA): we do not sell personal information. For EU/EEA residents (GDPR): our legal bases for processing are contract performance, legitimate interests, and consent.
10. International Data Transfers
Our services are operated globally. Your data may be transferred to and processed in the United States and other countries where our service providers operate. These countries may have different data protection laws than your country of residence. For transfers from the EU/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. By using the Service, you consent to the transfer of your information as described in this policy.
11. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.
12. Cookies and Tracking
We use essential cookies for session management and authentication. We use analytics tools to understand how the Service is used. We do not use third-party advertising cookies or cross-site tracking. You can control cookie settings through your browser preferences, but disabling essential cookies may prevent you from using the Service.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or prominent notice on the Service at least 30 days before taking effect. The "Effective Date" at the top of this policy indicates when it was last revised. Your continued use of the Service after changes constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy, our data practices, or wish to exercise your data rights, please contact us at [email protected] or through our Contact page.
Related legal documents: Terms of Service | Cookie Policy | Acceptable Use Policy | Data Processing Agreement