OpenA2A is a security platform. We treat data the way we wish every tool we audit treated ours. This page is the canonical statement of what we collect and why; the technical detail and exact wire shapes live on the data transparency page.
Two buckets, two consent shapes.
We separate invocation telemetry (which CLI ran which command on which platform) from scan-result contribution (the names of packages you scanned and the verdicts that came back). They collect different data, ask for different consent, and are controlled by different switches.
Read the rest of this page if you want the policy. The data transparency page has the wire shapes, retention, and deletion procedure.
Invocation telemetry: what it is. Anonymous usage data: which CLI tool ran (e.g. hackmyagent, opena2a, ai-trust), which subcommand was invoked, the tool version, success/failure, duration, and platform (OS family + Node major version). It carries an install ID for de-duplication. It does not carry your name, email, IP, file contents, package names, scan results, or any personally identifying information.
Default state. On. We use it to track which commands users actually run, so we can prioritize bugs and keep unused features from rotting.
How to disable. Set the environment variable OPENA2A_TELEMETRY=off in your shell profile, or run the per-tool subcommand: hackmyagent telemetry off or ai-trust telemetry off. Either path persists the choice across sessions.
Scan-result contribution: what it is. When you scan an npm/PyPI package, a GitHub repo, or a skill/MCP artifact, the result of that scan (package name + version + check IDs that fired + verdict) can be submitted to the OpenA2A Registry. The Registry is the public community-trust signal that other users see when they query the same package. Contribution does not include file contents, source code, or anything from outside the scan target.
Default state. Off. We prompt once on your first local scan and persist your choice. There is no contribution without explicit opt-in.
How to disable per scan. Run any scan with the --no-contribute flag. The scan runs locally and nothing leaves your machine for that invocation.
How to disable globally. Run hackmyagent telemetry off (or the equivalent on ai-trust, or opena2a config contribute off). The disable applies to scan-result contribution only, separately from invocation telemetry.
Once you have opted in to scan-result contribution, our CLIs do not announce each contribution. There is no per-scan "sent to registry" line, no progress chatter, and no banner. Consent was given once; subsequent contributions are silent. To re-confirm or revoke, run the disable commands above. This rule was locked in our public telemetry policy on 2026-04-27.
Invocation telemetry is sent to a telemetry endpoint we operate. Scan-result contributions go to the OpenA2A Registry, which is also our infrastructure. We do not sell, rent, or share your data with third-party advertisers, brokers, or analytics resellers.
Some pages on this website embed standard infrastructure (e.g., font hosting, code-block syntax highlighting). Those are content-delivery dependencies, not analytics integrations. Our primary deployment platform is Vercel, which logs request metadata (timestamp, route, status code) for site reliability — that is standard hosting telemetry and outside the two-bucket scope above.
Invocation telemetry is retained in aggregate. Individual events roll up to weekly counters; raw event records are dropped after 30 days.
Scan-result contributions are retained as long as the package exists in the Registry. The Registry is a public community-trust dataset; the data you contribute is part of it.
To remove a specific scan you contributed, email us with your install ID (visible in any local hackmyagent telemetry status output). We can drop the records linked to that ID without affecting the rest of the Registry.
OpenA2A tools are developer tools and are not directed at children under 13. We do not knowingly collect data from children.
Material changes — anything that adds a new data category, expands retention, or changes a default — are announced on the OpenA2A blog and in the relevant CLI release notes before they take effect. Wording changes that do not alter what we collect or how long we keep it are made silently with the "Last updated" date below.
Questions about this policy or about your data?