d: logo
Join Waitlist

Privacy Policy

Last updated: March 2026

d:spatch is built with privacy as a foundational principle, not an afterthought. This Privacy Policy explains what information we collect, how we use it, and — equally important — what we are architecturally incapable of accessing due to end-to-end encryption. Please read it carefully.

1. Controller

The controller within the meaning of Article 4(7) of the EU General Data Protection Regulation (GDPR / DSGVO) is:

d:spatch
E-Mail: [email protected]

2. What We Collect & Legal Basis

2.1 Free tier (open-source, self-hosted)

Nothing. The open-source free tier runs entirely on your local machine. There is no telemetry, no analytics, no crash reporting, and no data collection of any kind. All agent activity, workspace configurations, API keys, and output remain on your device.

2.2 Hosted relay service (Pro tier)

When you use the optional hosted relay service to synchronize your workspace across devices, we process the following:

DataPurposeLegal basis (GDPR)Retention
Email addressAccount management, service communicationsArt. 6(1)(b) — contract performanceDuration of account + 30 days
Device public keysRoute encrypted messages, verify device identityArt. 6(1)(b) — contract performanceDuration of device registration
Encrypted relay dataForward E2E-encrypted messages between your devicesArt. 6(1)(b) — contract performanceUntil delivered, max. 30 days
Connection metadata (IP, timestamps, request sizes)Security, abuse prevention, debuggingArt. 6(1)(f) — legitimate interest30 days

2.3 Waitlist

If you sign up for the waitlist, we collect your email address solely to notify you when early access opens (Art. 6(1)(a) — consent). You may withdraw consent and be removed from the waitlist at any time by emailing [email protected].

2.4 Website analytics

We may collect basic, anonymized analytics on website visits (page views, referral sources, browser type) based on our legitimate interest in understanding how people discover d:spatch (Art. 6(1)(f)). We do not use advertising trackers, third-party retargeting, or fingerprinting.

2.5 Website hosting

This website is hosted by Vercel Inc. (USA). When you visit this site, Vercel processes your IP address and request metadata to serve the pages. This transfer to the USA is covered by Vercel's Data Processing Addendum and the EU-U.S. Data Privacy Framework. Legal basis: Art. 6(1)(f) — legitimate interest in providing a performant website.

3. What We Can Never See

Due to the end-to-end encryption architecture of d:spatch, the following data is technically inaccessible to us — not merely a policy choice, but an architectural guarantee:

  • Your prompts, instructions, or agent configurations
  • Agent outputs, responses, or conversation content
  • Your source code, files, or workspace data
  • Your API keys (stored in your device's encrypted local store)
  • Any plaintext message exchanged between your devices

The relay server operates on ciphertext exclusively. We cannot fulfill requests to read, share, or produce your encrypted content — even under legal compulsion — because we do not possess the keys to decrypt it.

4. How We Use Information

We use the information we collect to:

  • Operate and maintain the relay service.
  • Authenticate and route encrypted messages to your registered devices.
  • Send transactional emails (account confirmation, waitlist notifications).
  • Investigate security incidents and abuse reports.
  • Improve the Service based on anonymized usage patterns.

We do not sell your personal information. We do not use your data for advertising. We do not build profiles about you.

5. Recipients & Data Sharing

We do not sell, rent, or share your personal information with third parties except in the following limited circumstances:

  • Service providers (processors): Infrastructure providers (hosting, email delivery) who process data strictly on our behalf under data processing agreements pursuant to Art. 28 GDPR.
  • Legal obligations: If we are required by law, court order, or governmental authority to disclose information (Art. 6(1)(c)). However, because of our encryption architecture, the only information we could disclose is account metadata and encrypted ciphertext — never your plaintext content.
  • Business transfers: In the event of a merger, acquisition, or asset sale, your information may transfer to the acquiring entity, subject to the same privacy commitments.

6. Transfers to Third Countries

Some of our service providers (e.g., Vercel for hosting) are based in the USA. These transfers are safeguarded by the EU-U.S. Data Privacy Framework, Standard Contractual Clauses (Art. 46(2)(c) GDPR), or the provider's adequacy certification. You may request details about the specific safeguards by contacting us at [email protected].

7. Data Retention

  • Account data: Retained for the duration of your account and deleted within 30 days of account termination upon request.
  • Relay messages: Cached only until delivered to your devices. Undelivered messages are purged after a maximum of 30 days.
  • Server logs: Retained for up to 30 days, then deleted.
  • Waitlist emails: Retained until early access launches or you request removal.

8. Security

We employ industry-standard security practices to protect the data we do hold. All connections to the relay service are encrypted in transit using TLS. Account credentials are stored using strong hashing algorithms. We conduct regular security reviews of the relay infrastructure.

For the security of the content you transmit, the Signal Protocol provides mathematical guarantees: end-to-end encryption, forward secrecy, and break-in recovery mean that even a full compromise of the relay server reveals nothing about your past or future messages.

9. Your Rights under GDPR

Under the EU General Data Protection Regulation, you have the following rights with respect to your personal data:

  • Right of access (Art. 15) — Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — Request correction of inaccurate data.
  • Right to erasure (Art. 17) — Request deletion of your personal data.
  • Right to restriction of processing (Art. 18) — Request restriction of processing under certain conditions.
  • Right to data portability (Art. 20) — Request your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — Object to processing based on legitimate interest at any time.
  • Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority for us is:

The competent supervisory authority will be published here once the company registration is complete. In the meantime, you may contact any EU data protection authority of your choice.

11. Cookies

This website uses only technically necessary cookies required for the website to function (e.g., session management). These cookies do not require consent under Art. 6(1)(f) GDPR. We do not use tracking cookies, advertising cookies, or third-party cookies for profiling purposes.

12. Children's Privacy

d:spatch is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy as the Service evolves. When we make material changes, we will update the “Last updated” date above and notify registered users via their account email address. We encourage you to review this policy periodically.

14. Contact

For privacy questions, requests, or concerns, contact us at [email protected]. We take privacy inquiries seriously and will respond promptly.