Privacy Policy

This Privacy Policy describes how dist0 (“dist0,” “we,” “us”) handles personal information when you use dist0.com, our waitlist, the playbook audit tool, and any related services (the “Service”).

For the purposes of EU and UK data protection law, dist0 acts as the data controller for personal information processed through the Service. Use of the Service is also governed by our Terms of Service.

Information you give us

• Waitlist signup: email address and any optional information you choose to provide, such as company name or role.
• Playbook audit: the URL you submit, brand inputs you share, and the resulting audit findings.
• Support and feedback: messages you send us by email or through any in-product feedback control.

Information collected automatically

• Device and log data: IP address, user agent, referring page, pages viewed, and timestamps. Used for security, debugging, and aggregated analytics.
• Cookies and similar: a minimal set of first-party cookies for session and basic analytics. See Cookies and tracking.

Information from third parties

If you reach us through a referral, partner, or social link, we may receive a referral identifier. We do not buy contact lists.

We use information to:

• Provide the Service, including running audits, generating drafts, and delivering waitlist updates.
• Communicate with you about product updates, launch invites, and things we think will help you. You can unsubscribe from non- essential email at any time.
• Improve the Service, including diagnosing problems, measuring feature use in aggregate, and refining our playbook.
• Keep the Service safe, including detecting abuse, preventing fraud, and enforcing our Terms.
• Comply with legal obligations.

For users in the EU, UK, and similar jurisdictions, the legal bases we rely on are: performance of a contract (running the Service you requested), our legitimate interests (improving the Service and keeping it safe), your consent (where required for marketing email or optional cookies), and compliance with legal obligations.

We do not sell your personal information, and we do not share it with third parties for their own advertising. We share information only in these limited cases:

• Service providers: hosting (Vercel), database (managed Postgres), email delivery, error tracking, analytics, and AI model providers used to generate Output. They process data on our behalf under written agreements.
• Legal and safety: when required by law, valid legal process, or to protect the rights, property, or safety of dist0, our users, or the public.
• Business transfers: if dist0 is involved in a merger, acquisition, or asset sale, your information may be part of that transaction. We will give notice before personal information becomes subject to a different privacy policy.
• With your direction: when you ask us to share something, for example by giving us a public URL to share findings with a teammate.

We use a small set of first-party cookies and similar technologies. The categories are:

• Essential: session, security, and form state. These cannot be disabled without breaking the Service.
• Analytics: aggregate usage measurement to understand how the Service is used and what to improve. Where required by law, we ask for consent before loading these.

We do not use third-party advertising cookies. You can control cookies through your browser settings, including blocking or deleting them, with the understanding that this can affect parts of the Service.

dist0 uses large language models and related AI tools to analyze the inputs you submit and generate audit findings, drafts, and suggestions. We send only what is necessary to produce the requested Output, for example the URL you submitted and a small set of contextual prompts.

We work with AI providers under contracts that prohibit them from training their general-purpose models on your inputs or outputs. We do not give AI providers your email or other identifying information unless required to operate the Service.

We keep personal information only as long as we need it for the purposes described in this Policy:

• Waitlist entries: until you ask us to remove them or until launch communications are complete.
• Audit inputs and outputs: retained while you have an active relationship with us, then deleted or anonymized within a reasonable period.
• Logs and security data: retained for a short window sufficient for debugging and abuse detection, typically 30 to 90 days.

We may retain limited information longer when needed to comply with legal obligations, resolve disputes, or enforce our agreements.

We use reasonable administrative, technical, and physical safeguards to protect personal information, including TLS in transit, encrypted storage at rest with our hosting providers, principle-of-least- privilege access for our team, and regular review of vendors.

No system is perfectly secure. If we ever experience a breach that affects you, we will notify you in line with applicable law.

Depending on where you live, you may have the right to access, correct, export, or delete your personal information; object to or restrict certain processing; withdraw consent; and lodge a complaint with your data protection authority.

To exercise any of these rights, email support@dist0.com. We will respond within the timeframe required by applicable law (typically 30 days). We may need to verify your identity before acting on a request.

California residents have additional rights under the CCPA / CPRA, including the right to know what categories of personal information we collect, the right to delete, the right to correct, the right to opt out of sale or sharing for cross-context behavioral advertising (we do neither), and the right not to be discriminated against for exercising these rights.

dist0 operates globally and uses cloud providers based primarily in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States or other countries.

For transfers from the EU, UK, and Switzerland, we rely on appropriate safeguards, including the Standard Contractual Clauses adopted by the European Commission, where applicable.

The Service is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has given us personal information, please contact us and we will delete it.

We will update this Policy as the Service evolves. When we do, we will update the “Last updated” date at the top and, for material changes, give reasonable notice through the Service or by email if we have one for you.

For privacy questions, requests, or to reach our privacy contact, email support@dist0.com. We try to reply within a few business days.