Privacy Policy
TL;DR — what you actually want to know
We collect only the data we need to operate our services. We don't sell your data. We don't train AI models on your content. We support GDPR, DPDP (India), CCPA (California) deletion requests within 30 days. Email [email protected] for any privacy request.
1. Who we are
DCS AI Technologies L.L.C ("DCS", "we", "us", "our") is a company registered in Dubai, United Arab Emirates. This Privacy Policy applies to all services operated under the dcsai.ai and dcslabs.ai domains and their subdomains.
For privacy questions or requests, contact [email protected]. Our designated data protection contact is the Founder, Deepak Dudi.
2. What data we collect
2.1 Data you give us directly
- Account data — when you sign up for the free Memory tier or any paid tier: email address, GitHub handle (optional), agent identity references (your Agent SBT addresses on Base).
- Content data — memory writes you store via our Sovereign Memory API. This is what your agent stores; we never inspect or train on it.
- Inquiry data — when you email us at hello@, press@, founder@, investors@, standards@, careers@, security@, builders@, or [email protected]/dcsai.ai: your email address and message contents.
2.2 Data we collect automatically
- Usage telemetry — API call volumes, error rates, latency percentiles, region of origin (country only, not city). Used for capacity planning and incident response.
- Web analytics — page views and referrers on dcsai.ai and dcslabs.ai. We use a privacy-respecting analytics solution (Plausible) that does not set cookies or build cross-site profiles.
- Blockchain data — wallet addresses that mint Agent SBTs are recorded on Base mainnet. This is by design and inherent to public-blockchain operation.
2.3 Data we explicitly do not collect
- We do not collect biometric data, government IDs, or financial account information.
- We do not buy or augment your data from third-party brokers.
- We do not use third-party advertising cookies or trackers.
- We do not train AI models on your memory writes or any user-supplied content.
3. How we use your data
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Operating the services you signed up for | Contract (Art. 6(1)(b)) |
| Capacity planning and uptime | Legitimate interests (Art. 6(1)(f)) |
| Responding to your inquiries | Contract / legitimate interests |
| Complying with regulatory requirements (RTI, DPDP §8) | Legal obligation (Art. 6(1)(c)) |
| Aggregated, non-identifying public stats (dcslabs.ai/stats) | Legitimate interests |
4. Who we share data with
We share data only with the following categories of recipients, and only the minimum required:
- Infrastructure subprocessors — Cloudflare (CDN + Pages hosting), Render (backend hosting), Supabase (managed Postgres + pgvector), OpenAI (embedding generation for memory). Each operates under a Data Processing Agreement.
- Payment processors — Stripe (for fiat billing), Coinbase Commerce or direct USDC (for on-chain billing). We do not store payment card details.
- Email infrastructure — Cloudflare Email Routing (inbound), Resend (outbound). Subject-line and recipient metadata may be retained for deliverability purposes only.
- Regulators or law enforcement — only when legally compelled by a valid order. We will notify the affected user unless prohibited by law.
We do not share data with advertisers, data brokers, or any party not listed above.
5. Where your data is stored
Data is stored in two production regions: us-east-1 and eu-west-1. Data of users physically located in the EU/EEA is preferentially stored in eu-west-1. Cross-region replication exists for failover only.
If you require strictly regional storage (e.g., for DPDP §8 sovereignty requirements), contact [email protected] — we offer air-gappable on-premise deployments for sovereign customers.
6. How long we keep it
| Data category | Retention period |
|---|---|
| Account data | Until account closure + 30 days for billing reconciliation, then deleted |
| Memory content | While your account is active; deleted on request within 30 days |
| R+2 receipts (cryptographic) | Retained indefinitely as part of the audit chain; users may export and delete their own chain via /api/memory/export + /api/memory/burn |
| Inquiry emails | 2 years from last response, then archived |
| Usage telemetry (aggregated) | Indefinite; cannot be used to re-identify individual users |
| Server logs | 30 days |
7. Your rights
Depending on where you live, you have some or all of these rights. To exercise any of them, email [email protected] with the request. We respond within 30 days (faster in practice).
- Right of access — get a copy of all data we hold about you.
- Right to rectification — correct inaccurate data.
- Right to erasure — delete your data ("right to be forgotten"). Note: R+2 cryptographic receipts cannot be modified in place but can be marked as logically deleted; the cryptographic chain itself remains immutable.
- Right to portability — export your data in a machine-readable format.
- Right to object — to specific processing activities.
- Right to withdraw consent — for any processing based on consent.
- Right to lodge a complaint — with your local data protection authority (UK ICO, Indian DPB, EU DPAs, etc.).
8. India DPDP §8 specific commitments
For users in India, we additionally commit to the obligations under the Digital Personal Data Protection Act, 2023:
- §8(4) Accuracy — we make reasonable efforts to maintain accuracy. Users may correct their data via the API at any time.
- §8(5) Safeguards — we implement encryption-at-rest (AES-256), encryption-in-transit (TLS 1.3), and access controls (role-based). All access is logged.
- §8(6) Notification — in the event of a personal data breach affecting Indian residents, we will notify the Data Protection Board of India within 72 hours, in accordance with the Act.
- §8(8) Children — our services are not directed at users under 18. We do not knowingly process data of minors.
The R+2 Open Provenance Standard we operate (dcslabs.ai/standard) makes DPDP §8 compliance demonstrable — every action involving personal data is cryptographically signed and auditable.
9. Cookies and similar technologies
We use strictly necessary cookies only on dcsai.ai and dcslabs.ai (for session authentication when logged in). We do not use third-party advertising cookies, social media tracking pixels, or cross-site behavioral profiling.
Our web analytics provider (Plausible) is cookie-free by design.
10. Changes to this policy
We will update this page when we materially change how we handle data. Material changes will be announced on dcsai.ai/blog at least 14 days before they take effect, and active users will be emailed. The "Last updated" date at the top of this page always reflects the current version.
11. Contact
Privacy questions or requests: [email protected]
Security incidents or vulnerability reports: [email protected]
All other inquiries: [email protected]
Postal: DCS AI Technologies L.L.C, Dubai, United Arab Emirates. For mail delivery requests, please email [email protected] to arrange a current courier address.