Privacy Policy
TL;DR: Your chat data never leaves your device. DistriAI runs AI inference locally via WebGPU. We only store anonymous token balances, hashed task results, and OAuth identity data. You can delete everything at any time.
1. Who We Are
DistriAI ("we", "us", "our") operates the platform at ai.distriai.tech — a decentralized AI inference network where users contribute browser-based GPU compute in exchange for tokens usable to access AI models.
For GDPR purposes, DistriAI acts as the Data Controller for identity data collected via OAuth login, and as a Data Processor for any task hashes processed through the network.
2. Legal Basis for Processing (GDPR Art. 6)
We process your data under the following legal bases:
- Contract performance (Art. 6.1.b) — to provide the DistriAI service, manage your token wallet, and route AI tasks.
- Legitimate interests (Art. 6.1.f) — to prevent fraud, maintain network security, and ensure fair token distribution.
- Consent (Art. 6.1.a) — for optional analytics and communications, which you can withdraw at any time.
3. What Data We Collect
Identity data (via Google or GitHub OAuth):
- Name, email address, profile avatar URL
- OAuth provider and provider user ID
Mining and network data:
- Token balance and earning history
- GPU activity duration (in seconds) — no content, no prompts
- SHA-256 hashes of task results — not reversible to original content
- Country-level geolocation (capital city coordinates only) for network map display
- Node reputation score and validation statistics
What we do NOT collect:
- Chat message content — inference runs locally on your device
- Your exact IP address (only used transiently for country-level geo, never stored)
- Browsing history or cross-site tracking data
4. How We Use Your Data
- Authenticate you via OAuth and issue JWT session tokens
- Manage your token wallet (credits earned from mining, debited for AI model access)
- Display your node on the global network map (country-level only)
- Calculate and enforce reputation scores to prevent fraud
- Generate anonymized network statistics (total nodes, tasks completed, tokens mined)
5. Data Sharing and Third Parties
We share data with the following processors:
- Railway.app — backend hosting and PostgreSQL database (US/EU servers)
- Groq Inc. — AI inference for server-side models (Llama, Gemini, GPT-4o). Only your messages and model selection are sent — never your identity.
- Google OAuth / GitHub OAuth — authentication only. We receive only the profile data you authorize.
- ip-api.com — country-level geolocation at first node activation. No data is retained by ip-api.
We do not sell your data. We do not share data with advertisers.
6. Your Rights (GDPR Art. 15–22)
As a data subject in the EU/EEA, you have the right to:
- Access — request a copy of all data we hold about you
- Rectification — correct inaccurate personal data
- Erasure ("right to be forgotten") — delete your account and all associated data
- Restriction — limit how we process your data
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — at any time, without affecting prior lawful processing
To exercise any right, contact us at privacy@distriai.tech. We will respond within 30 days.
7. Data Retention
- Account data: retained while your account is active, deleted within 30 days of account deletion request
- Mining logs: retained for 12 months for fraud prevention, then anonymized
- JWT tokens: valid for 7 days, not stored server-side
- Geolocation data: retained while node is active, deleted on account deletion
8. Security
We implement the following security measures:
- All API communication over HTTPS/TLS 1.3
- WebSocket communication over WSS
- Task results validated via SHA-256 commit-reveal scheme
- JWT tokens signed with 256-bit secret, 7-day expiry
- Rate limiting on all API endpoints
- Automatic fraud detection and node reputation scoring
- Chat content encrypted end-to-end via AES-256-GCM when using distributed inference
9. Cookies and Local Storage
DistriAI uses sessionStorage to store your JWT authentication token for the duration of your browser session. No persistent cookies are set. No third-party tracking cookies are used.
10. Children's Privacy
DistriAI is not intended for users under 16 years of age. We do not knowingly collect data from minors. If you believe a minor has registered, contact us immediately.
11. Changes to This Policy
We may update this policy as the platform evolves. Material changes will be communicated via the platform dashboard. Continued use after notification constitutes acceptance.
12. Contact
For privacy-related requests or complaints: privacy@distriai.tech
You also have the right to lodge a complaint with your local Data Protection Authority (DPA). In Italy: Garante per la Protezione dei Dati Personali.
DistriAI