Privacy Policy
Last updated: March 18, 2026
This Privacy Policy explains how DCP (“DCP”, “we”, “us”) collects, uses, stores, and protects your personal data. DCP operates as a GPU compute marketplace serving users in Saudi Arabia and complies with the Saudi Personal Data Protection Law (PDPL) (Royal Decree M/19, effective September 2023) and its implementing regulations.
1. Data Controller
DCP is the data controller for personal data processed through dcp.sa and the DCP API. For privacy inquiries, contact: privacy@dcp.sa
2. Personal Data We Collect
We collect the following categories of personal data:
Providers (GPU owners)
- Identity data: Full name, email address, phone number (optional)
- Hardware data: GPU model, VRAM, driver version, operating system, GPU count
- Network data: IP address, hostname (collected via daemon heartbeat every 30 seconds)
- Financial data: Earnings balance (SAR), job completion history, payout records
- Performance data: Uptime metrics, reliability score, job success rate
Renters (compute buyers)
- Identity data: Full name, email address, organization (optional)
- Financial data: Wallet balance (SAR), top-up history, job billing records
- Usage data: Job submissions, job type, compute time, job status and output
3. Legal Basis for Processing (PDPL Article 5)
We process your personal data on the following bases:
- Contractual necessity: To provide the DCP marketplace service you registered for
- Explicit consent: For cross-border data transfers and non-essential processing (obtained at registration)
- Legal obligation: Financial records retained per SAMA regulations (7 years)
- Legitimate interest: Platform security monitoring, fraud prevention, abuse detection
4. How We Use Your Data
- Operate the DCP GPU compute marketplace (job routing, billing, payouts)
- Authenticate your account using your API key
- Monitor platform health, detect fraud, and enforce rate limits
- Send important service notifications (security alerts, policy changes)
- Comply with Saudi regulatory requirements (SAMA, ZATCA, PDPL)
We do not sell your personal data to third parties. We do not use your data for advertising.
5. Data Storage and Cross-Border Transfer
Important disclosure (PDPL Article 29): DCP’s backend servers are currently hosted on Hostinger infrastructure located in Lithuania (EU) and the United States. The DCP web frontend and serverless functions are deployed to Vercel, which routes by default to US-East (iad1) with regional fallbacks across the EU and Asia. This means your personal data (account profile, job history, usage events, billing metadata) is transferred to and stored outside the Kingdom of Saudi Arabia for those workloads.
Payments and payouts are processed through Moyasar, a Saudi-licensed payment service provider regulated by SAMA. Full card numbers, CVVs, and bank-side credentials are held by Moyasar inside the Kingdom and never reach DCP’s servers — tokenization happens client-side via Moyasar’s SDK against their hosted endpoint.
DCP’s backend does persist the following payment-adjacent fields on the out-of-Kingdom database to operate the marketplace:
- For providers who register a payout account: full Saudi IBAN, account holder name, and the Moyasar payout-account UUID (
providers.payout_iban,payout_holder_name,moyasar_payout_account_id). - For renters who enable saved-card auto-top-up: the Moyasar card token id (an opaque reference, not the card number itself), card brand, and last-four digits for display (
renters.moyasar_card_token,moyasar_card_brand,moyasar_card_last4). - Transaction history for every top-up, auto-top-up attempt, payout, and inference settlement: amounts, statuses, timestamps, Moyasar reference ids, and failure reasons. These are required by SAMA for the seven-year retention window and are surfaced in the renter and provider dashboards as well as admin reconciliation.
Saved card tokens can be removed at any time from /renter/billing (the “Remove” action), which also disables auto-top-up. Provider IBANs can be updated in /provider/settings. Account deletion erases these fields except where retained for SAMA financial-records obligations.
Compute jobs themselves (model inference) run on provider GPUs registered to the platform. Provider GPUs may physically reside in the Kingdom or in other jurisdictions; the marketplace listing surfaces the provider’s declared region where available.
For each completed inference job, DCP’s backend persists the prompt (jobs.task_spec) and the model response (jobs.result) on the out-of-Kingdom database to support debugging, dispute resolution, and the renter dashboard’s job-history view. Per the “Data Retention” table below, these payload columns are nulled out automatically 90 days after job completion by the daily cleanup worker (backend/src/services/cleanup.js). Job metadata (id, timing, cost, status) is retained for the seven-year SAMA window after the payload is cleared.
By registering and using DCP, you provide explicit consent to this cross-border transfer as required by PDPL Article 29. Saudi residents and entities subject to NDMO data-classification requirements should review the SDAIA Cross-Border Transfer Regulation (September 2024) before sending sensitive workloads through the platform. We are planning migration of the DCP backend and Vercel functions to Saudi Arabia-hosted infrastructure (STC Cloud or AWS Bahrain ap-southeast-3) in Q3 2026; this disclosure will be updated when the migration completes.
6. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data (name, email) | Until account deletion | Contractual necessity |
| Heartbeat logs (IP, GPU metrics) | 30 days | Platform operations |
| Job logs | 90 days | Debugging, dispute resolution |
| Job records (metadata only, payload cleared after 90 days) | 7 years | SAMA financial regulation |
| Payment records | 7 years | SAMA financial regulation (never deleted) |
Automated data retention enforcement runs daily at 02:00 UTC. Payment and billing records are exempt from deletion to comply with Saudi financial regulations.
7. Your Rights (PDPL Chapter 3)
Under the PDPL, you have the following rights:
- Right of access: Request a copy of your personal data — email privacy@dcp.sa
- Right to correction: Request correction of inaccurate data — contact privacy@dcp.sa
- Right to erasure (right to be forgotten): Delete your account and anonymize your PII via the API:
DELETE /api/providers/meorDELETE /api/renters/me. Financial records are retained as required by law. - Right to withdraw consent: You may withdraw consent at any time by deleting your account. Withdrawal does not affect the lawfulness of prior processing.
- Right to lodge a complaint: You may file a complaint with the Saudi Data and AI Authority (SDAIA) at sdaia.gov.sa
8. Security
We implement technical and organizational security measures including: TLS encryption in transit, cryptographically random API keys, parameterized database queries, rate limiting, CORS lockdown, and security headers. See our Security Policy for full details including our vulnerability disclosure process.
In the event of a personal data breach, we will notify affected users and SDAIA within 72 hours of discovery, as required by PDPL Article 19.
9. Cookies and Local Storage
DCP uses browser localStorage to store your API key for session persistence. No tracking cookies or third-party advertising trackers are used. No cookies are set by the DCP API.
10. Third-Party Services
- Billing partner: payment data is handled through our configured payment partner, using standard security practices.
- Vercel: Frontend hosting and CDN (edge caching of pages, no PII stored)
- Supabase: Real-time data sync for provider metrics (anonymized aggregate data only)
11. Changes to This Policy
We will notify registered users of material changes via email at least 14 days before changes take effect. The “Last Updated” date at the top of this policy reflects the most recent revision.
12. Contact
- Privacy inquiries (PDPL rights requests): privacy@dcp.sa
- Security vulnerabilities: security@dcp.sa
- General support: support@dcp.sa