Privacy Policy
Last updated: March 18, 2026
This Privacy Policy explains how DCP (“DCP”, “we”, “us”) collects, uses, stores, and protects your personal data. DCP operates as a GPU compute marketplace serving users in Saudi Arabia and complies with the Saudi Personal Data Protection Law (PDPL) (Royal Decree M/19, effective September 2023) and its implementing regulations.
1. Data Controller
DCP is the data controller for personal data processed through dcp.sa and the DCP API. For privacy inquiries, contact: privacy@dcp.sa
2. Personal Data We Collect
We collect the following categories of personal data:
Providers (GPU owners)
- Identity data: Full name, email address, phone number (optional)
- Hardware data: GPU model, VRAM, driver version, operating system, GPU count
- Network data: IP address, hostname (collected via daemon heartbeat every 30 seconds)
- Financial data: Earnings balance (SAR), job completion history, payout records
- Performance data: Uptime metrics, reliability score, job success rate
Renters (compute buyers)
- Identity data: Full name, email address, organization (optional)
- Financial data: Wallet balance (SAR), top-up history, job billing records
- Usage data: Job submissions, job type, compute time, job status and output
3. Legal Basis for Processing (PDPL Article 5)
We process your personal data on the following bases:
- Contractual necessity: To provide the DCP marketplace service you registered for
- Explicit consent: For cross-border data transfers and non-essential processing (obtained at registration)
- Legal obligation: Financial records retained per SAMA regulations (7 years)
- Legitimate interest: Platform security monitoring, fraud prevention, abuse detection
4. How We Use Your Data
- Operate the DCP GPU compute marketplace (job routing, billing, payouts)
- Authenticate your account using your API key
- Monitor platform health, detect fraud, and enforce rate limits
- Send important service notifications (security alerts, policy changes)
- Comply with Saudi regulatory requirements (SAMA, ZATCA, PDPL)
We do not sell your personal data to third parties. We do not use your data for advertising.
5. Data Storage and Cross-Border Transfer
Important disclosure (PDPL Article 29): DCP’s backend servers are currently hosted on Hostinger infrastructure located in Lithuania (EU) and the United States. This means your personal data is transferred to and stored outside the Kingdom of Saudi Arabia.
By registering and using DCP, you provide explicit consent to this cross-border transfer as required by PDPL Article 29. We are planning migration to Saudi Arabia-hosted infrastructure (STC Cloud or AWS Bahrain ap-southeast-3) in Q3 2026.
The DCP frontend is served via Vercel (global CDN). Payments are processed through the configured payment provider.
6. Data Retention
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data (name, email) | Until account deletion | Contractual necessity |
| Heartbeat logs (IP, GPU metrics) | 30 days | Platform operations |
| Job logs | 90 days | Debugging, dispute resolution |
| Job records (metadata only, payload cleared after 90 days) | 7 years | SAMA financial regulation |
| Payment records | 7 years | SAMA financial regulation (never deleted) |
Automated data retention enforcement runs daily at 02:00 UTC. Payment and billing records are exempt from deletion to comply with Saudi financial regulations.
7. Your Rights (PDPL Chapter 3)
Under the PDPL, you have the following rights:
- Right of access: Request a copy of your personal data — email privacy@dcp.sa
- Right to correction: Request correction of inaccurate data — contact privacy@dcp.sa
- Right to erasure (right to be forgotten): Delete your account and anonymize your PII via the API:
DELETE /api/providers/meorDELETE /api/renters/me. Financial records are retained as required by law. - Right to withdraw consent: You may withdraw consent at any time by deleting your account. Withdrawal does not affect the lawfulness of prior processing.
- Right to lodge a complaint: You may file a complaint with the Saudi Data and AI Authority (SDAIA) at sdaia.gov.sa
8. Security
We implement technical and organizational security measures including: TLS encryption in transit, cryptographically random API keys, parameterized database queries, rate limiting, CORS lockdown, and security headers. See our Security Policy for full details including our vulnerability disclosure process.
In the event of a personal data breach, we will notify affected users and SDAIA within 72 hours of discovery, as required by PDPL Article 19.
9. Cookies and Local Storage
DCP uses browser localStorage to store your API key for session persistence. No tracking cookies or third-party advertising trackers are used. No cookies are set by the DCP API.
10. Third-Party Services
- Billing partner: payment data is handled through our configured payment partner, using standard security practices.
- Vercel: Frontend hosting and CDN (edge caching of pages, no PII stored)
- Supabase: Real-time data sync for provider metrics (anonymized aggregate data only)
11. Changes to This Policy
We will notify registered users of material changes via email at least 14 days before changes take effect. The “Last Updated” date at the top of this policy reflects the most recent revision.
12. Contact
- Privacy inquiries (PDPL rights requests): privacy@dcp.sa
- Security vulnerabilities: security@dcp.sa
- General support: support@dcp.sa