Privacy Policy

1. Who We Are

Compudenser ("we", "our", "the company") operates the browser-native P2P compute platform available at compudenser.eu. We are incorporated in the European Union and subject to EU data protection law including the General Data Protection Regulation (GDPR) and the EU Data Act 2025.

2. Our Core Privacy Principle

3. Data We Collect

We collect minimal data required to operate the service:

• Account data: Email address and password hash when you create an account or join the waitlist
• Usage metadata: Anonymous session counts, plan tier, and feature usage — no content
• Technical logs: Server-side signaling events (connection handshake initiation only, not content)
• Payment data: Processed by our payment provider. We store only your plan status, not card details

What we never collect: the content of your compute sessions, files, AI model inputs/outputs, or any data transmitted between devices in your mesh.

4. Legal Basis for Processing (GDPR Art. 6)

• Contract performance (Art. 6(1)(b)): Account creation, plan management, service delivery
• Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, product analytics
• Consent (Art. 6(1)(a)): Marketing emails — opt-in only, revocable at any time

5. Data Location

All account and metadata is stored on servers located within the European Union. We do not transfer personal data to third countries. The P2P mesh data stays on your devices — it is never routed through our infrastructure.

We are fully compliant with Schrems II requirements. No data transfer agreements with US entities are required because no data leaves the EU.

6. Data Retention

• Account data: Retained for the duration of your account plus 30 days after deletion request
• Usage metadata: 13 months, then anonymised permanently
• Waitlist data: Until you opt out or 24 months, whichever is sooner
• Technical logs: 90 days maximum

7. Your Rights Under GDPR

You have the following rights regarding your personal data:

• Right of access (Art. 15): Request a copy of your data
• Right to rectification (Art. 16): Correct inaccurate data
• Right to erasure (Art. 17): Request deletion ("right to be forgotten")
• Right to restriction (Art. 18): Limit how we process your data
• Right to portability (Art. 20): Receive your data in machine-readable format
• Right to object (Art. 21): Object to processing based on legitimate interests
• Right to withdraw consent: At any time for any consent-based processing

To exercise any of these rights, contact us at the address below. We respond within 30 days as required by GDPR.

8. Cookies

We use strictly necessary cookies for session management and authentication. We do not use advertising cookies, third-party tracking, or fingerprinting. Analytics, if used, are privacy-preserving and EU-hosted (no Google Analytics).

9. Third-Party Services

• Payment processing: Stripe (EU data processing agreement in place)
• Email delivery: EU-hosted transactional email provider
• Infrastructure: EU-region servers only

10. Security

All connections use TLS 1.3. P2P mesh connections use DTLS-SRTP (WebRTC standard). Account passwords are hashed using bcrypt. We conduct regular security reviews. In the event of a breach affecting personal data, we notify affected users and the relevant supervisory authority within 72 hours as required by GDPR Art. 33.

11. Children

Our service is not directed at children under 16. We do not knowingly collect data from children. If you believe we have inadvertently collected data from a minor, contact us immediately for deletion.

12. Changes to This Policy

We will notify registered users by email of material changes at least 30 days before they take effect. The latest version is always available at this URL.

13. Supervisory Authority

If you believe we have violated your data protection rights, you have the right to lodge a complaint with your national supervisory authority. For EU residents, a list of authorities is available at edpb.europa.eu.