Privacy Policy

The short version

dist0 is a small, early-stage team. We try to collect the least amount of personal information we need to run a useful product, and we are direct about what we do with it. Here is the short version, with the details below.

• We collect what you give us — email, the URL you submit, brand inputs — plus basic usage data needed to run and improve the Service.
• We do not sell your personal information, and we do not share it for cross-context behavioral advertising. No ad networks, no data brokers.
• We use a small set of trusted vendors for hosting, email, analytics, and AI processing. Each handles data on our behalf under a written agreement.
• You can ask us to access, correct, export, or delete your personal information at any time at support@dist0.com.

Who we are and what this covers

This Privacy Policy describes how dist0 ("dist0," "we," "us") handles personal information when you use dist0.com, our waitlist, the playbook audit tool, the dist0 Slack bot, and any related services (the "Service").

dist0 is operated by NULLREACH LTD, a private limited company registered in England and Wales, with a registered office at Suite 11615, 61 Bridge Street, Kington, United Kingdom, HR5 3DJ. NULLREACH LTD is the data controller for personal information processed through the Service for the purposes of UK, EU, and Swiss data protection law. Our data protection contact is Tao Wu, reachable at support@dist0.com.

Use of the Service is also governed by our Terms of Service.

Information we collect

Information you give us

• Waitlist signup: email address, plus any optional information you choose to add (such as company name or role).
• Playbook audit: the URL you submit, brand inputs you share, and the resulting audit findings.
• Slack bot: when a workspace administrator installs the dist0 Slack bot, Slack sends us workspace and user identifiers, the OAuth grant, and the messages routed to our app (direct messages with the bot, channel messages where it is mentioned, and events under the bot token scopes we request).
• Support and feedback: messages you send us by email or through any in-product feedback control.

Information collected automatically

• Device and log data: IP address, user agent, referring page, pages viewed, and timestamps. Used for security, debugging, and aggregated analytics.
• Cookies and similar: a minimal set of first-party cookies for session and basic analytics. See Cookies and tracking.

Information from third parties

If you reach us through a referral, partner, or social link, we may receive a referral identifier. We do not buy contact lists.

How we use information

We use information to:

• Provide the Service, including running audits, generating drafts, and delivering waitlist updates.
• Communicate with you about product updates, launch invites, and things we think will help you. You can unsubscribe from non-essential email at any time using the link in every message.
• Improve the Service, including diagnosing problems, measuring feature use in aggregate, and refining our playbook. We do not use your Inputs to train general-purpose AI models. See AI processing.
• Keep the Service safe, including detecting abuse, preventing fraud, and enforcing our Terms.
• Comply with legal obligations.

For users in the EU, UK, and Switzerland, the legal bases we rely on are:

• Contract — running the Service you requested.
• Legitimate interests — improving the Service, keeping it secure, and direct outreach to existing users about similar products.
• Consent — for optional marketing email and non-essential cookies, where required.
• Legal obligation — when a law applies to us.

How we share information

We do not sell or share your personal information for cross-context behavioral advertising, as those terms are defined under the CCPA / CPRA and similar laws. We do not have, and have never had, contractual relationships with ad networks or data brokers for that purpose.

We share information only in these limited cases:

• Service providers (processors): companies that run parts of the Service on our behalf — including hosting, content delivery, transactional email, error monitoring, product analytics, and AI model providers used to generate Output. They process data only to perform the service we asked for, under written data processing agreements.
• Legal and safety: when required by law, valid legal process, or to protect the rights, property, or safety of dist0, our users, or the public.
• Business transfers: if dist0 is involved in a merger, acquisition, financing, or asset sale, your information may be part of that transaction. We will give notice before any personal information becomes subject to a different privacy policy.
• With your direction: when you ask us to share something — for example, by giving us a public URL to share findings with a teammate.

A current list of our material subprocessors, including hosting, database, email, AI model providers, and Slack, is published at dist0.com/subprocessors.

Cookies and tracking

We use a small set of first-party cookies and similar technologies. The categories are:

• Essential: session, security, and form state. These cannot be disabled without breaking the Service.
• Analytics: aggregate usage measurement to understand how the Service is used and what to improve. Where required by law, we ask for consent before loading these.

We do not use third-party advertising cookies or tracking pixels for ad targeting. You can control cookies through your browser settings, including blocking or deleting them, though this can affect parts of the Service.

AI processing of your inputs

dist0 uses large language models and related AI tools to analyze the Inputs you submit and generate audit findings, drafts, suggestions, and Slack assistant responses. We send only what is necessary to produce the requested Output — typically the URL you submitted, the Slack message we are replying to, and a small set of contextual prompts. We do not send your email or other identifying information to AI providers unless it is required to deliver a feature you asked for.

The current AI providers are OpenAI and Anthropic, used directly and through the OpenRouter routing layer. They are listed on the Subprocessors page. We use them under their standard enterprise or API terms, which by default do not train their general-purpose models on data submitted through those endpoints. Providers may retain inputs and outputs briefly under their standard abuse-monitoring policies. dist0 itself does not train third-party or proprietary models on your Inputs or Output.

Customer data processed by dist0 is logically isolated by workspace and stored in access-controlled environments. AI Output is generated by automated systems and can be wrong, incomplete, or out of date. Always review before publishing or acting on it.

Data retention

We keep personal information only as long as we need it for the purposes described in this Policy:

• Waitlist entries: until you ask us to remove them or until launch communications are complete.
• Audit inputs and outputs: retained while you have an active relationship with us, then deleted or anonymized within a reasonable period.
• Slack workspace data: retained for the duration of your subscription or for legitimate business purposes. After you uninstall the dist0 Slack bot or terminate your subscription, conversation history and indexed Slack content are deleted from our backend within 90 days. Messages remain in Slack itself, governed by your Slack data retention policies. To delete data sooner, a workspace administrator can uninstall the dist0 app or email us at the address below.
• Logs and security data: retained for a short window sufficient for debugging and abuse detection — typically 30 to 90 days.
• Email correspondence: retained for as long as needed to handle the conversation and any follow-up, then archived or deleted.

We may retain limited information longer when needed to comply with legal obligations, resolve disputes, or enforce our agreements.

Security

We use reasonable administrative, technical, and physical safeguards to protect personal information. Customer Data is encrypted at rest using AES-256 and in transit using TLS 1.2 or later. We apply principle-of-least-privilege access for our team, log access to production systems, and review our vendors regularly.

No system is perfectly secure. If we ever experience a breach that materially affects you, we will notify you in line with applicable law.

Your rights and choices

Depending on where you live, you may have the right to:

• Access the personal information we hold about you.
• Correct information that is inaccurate or incomplete.
• Delete personal information.
• Receive a portable copy of your information.
• Object to or restrict certain processing.
• Withdraw consent where we rely on it.
• Lodge a complaint with your data protection authority (in the EU, with your local supervisory authority; in the UK, with the ICO).

To exercise any of these rights, email support@dist0.com. We will respond within the timeframe required by applicable law (typically within 30 days, with one extension permitted under GDPR). We may need to verify your identity before acting on a request.

California residents (CCPA / CPRA)

California residents have additional rights, including the right to know what categories of personal information we collect, the right to delete, the right to correct, the right to opt out of sale or sharing for cross-context behavioral advertising (we do neither), the right to limit use of sensitive personal information (we do not collect sensitive personal information for inferring characteristics), and the right not to be discriminated against for exercising these rights. You can use an authorized agent to make a request.

In the past 12 months we have collected the following categories of personal information, as defined by the CCPA: identifiers (email, IP address), commercial information (URLs and brand inputs you submit), internet or network activity (usage logs), and inferences drawn from the above (audit findings). We share these categories only with the service providers described in How we share information.

International data transfers

dist0 operates globally. Primary storage and processing of Customer Data happen in the United States on infrastructure provided by the subprocessors listed at dist0.com/subprocessors. If you access the Service from outside the United States, your information will be transferred to and processed in the United States or other countries that may not have the same data protection laws as your jurisdiction. We do not currently guarantee regional data residency but continue to evaluate additional options.

Where we transfer personal information out of the EU, EEA, or Switzerland, we rely on the European Commission's Standard Contractual Clauses, the EU-U.S. Data Privacy Framework where a recipient is certified, or another safeguard recognized under applicable law. For UK transfers, we use the UK's International Data Transfer Agreement or the UK Addendum to the SCCs. Copies of these safeguards are available on request.

Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has given us personal information, please contact us and we will delete it.

Changes to this policy

We will update this Policy as the Service evolves. When we do, we will update the "Last updated" date at the top and, for material changes, give reasonable notice through the Service or by email if we have one for you.

Contact

For privacy questions or requests, email Tao Wu at support@dist0.com. We try to reply within a few business days.

You can also write to us at:

NULLREACH LTD
Suite 11615, 61 Bridge Street
Kington, United Kingdom, HR5 3DJ