🦞 Privacy Policy

Effective Date: July 1, 2025  |  Last Updated: July 1, 2025
Summary: We collect minimal data to operate the Platform. We never see your AI provider keys. We don't train models on your content. We don't sell your data. We process payments via Stripe. You can delete your account and data at any time.

Table of Contents

  1. Overview
  2. What We Collect
  3. How We Use Your Data
  4. What We Don't Collect
  5. Data Sharing
  6. Data Storage & Security
  7. Data Retention
  8. Your Rights (GDPR/CCPA)
  9. Cookies & Tracking
  10. Children's Privacy
  11. International Data Transfers
  12. Payment Processing (Stripe)
  13. Changes to This Policy
  14. Contact

1. Overview

LobsterPod ("we", "us", "the Platform") operates a distributed AI compute marketplace. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.

We are committed to data minimalism. Our architecture is designed so that sensitive data (especially Contributor API keys) never leaves the Contributor's machine. We collect only what's necessary to operate the marketplace.

2. What We Collect

2.1 Consumer Data

  • Email address (if provided during registration) — for account recovery and billing communications
  • API key hash — a one-way hash of your API key for authentication. We never store your raw API key after initial generation.
  • Usage metadata — model names, token counts, timestamps, request IDs, latency measurements. We do NOT store prompt content or model outputs.
  • Billing data — charges, balances, and payment method information (processed and stored by Stripe, not by us directly)
  • IP address — logged transiently for rate limiting and security. Not stored long-term.

2.2 Contributor Data

  • Contributor token hash — one-way hash for authentication
  • Performance metrics — uptime, latency, success rate, quality scores, tier level
  • Capability reports — which AI models your daemon can serve, system resource info
  • Earnings and payout records — amounts earned, payout history, Stripe Connect account ID
  • Connection metadata — WebSocket connection timestamps, daemon ID

2.3 Automatically Collected

  • Log data — request IDs, HTTP status codes, response times, error types (no content)
  • Prometheus metrics — aggregated, anonymous operational metrics (request counts, latency histograms, error rates)

3. How We Use Your Data

We use collected data exclusively for:

  • Platform operation — routing requests, load balancing, quality scoring, pool management
  • Billing — metering usage, calculating charges, processing payouts
  • Security — rate limiting, abuse detection, fraud prevention, audit logging
  • Platform improvement — aggregated, anonymized analytics to improve routing, reliability, and performance
  • Communications — billing notifications, service announcements, security alerts (email, if provided)

4. What We Don't Collect

This is as important as what we do collect:

  • Contributor API keys — never transmitted to or stored on the Platform. Zero-knowledge architecture.
  • Prompt content — your chat messages are routed to Contributors in real-time and not stored by the Platform
  • Model outputs — AI responses are streamed directly from Contributor to Consumer and not stored
  • Training data — we do not use any data to train AI models. We don't run AI models.
  • Browsing history — we don't track you across the web

5. Data Sharing

We do not sell your personal data. We share data only with:

  • Stripe — our payment processor, for billing and payouts. Subject to Stripe's Privacy Policy.
  • Infrastructure providers — hosting services that process data on our behalf under data processing agreements
  • Law enforcement — only when required by valid legal process (subpoena, court order)

We will notify affected users of law enforcement requests unless legally prohibited from doing so.

6. Data Storage & Security

We employ industry-standard security measures:

  • All data in transit is encrypted via TLS 1.3
  • API keys and tokens are stored as salted, one-way hashes (bcrypt/SHA-256)
  • Database access is restricted to Platform services with least-privilege permissions
  • Infrastructure runs in isolated environments with regular security updates
  • Audit logs track administrative access and security-relevant events
  • Contributor API keys are encrypted at rest on the Contributor's machine using AES-256-GCM with a machine-derived key

7. Data Retention

  • Usage metadata: Retained for 90 days for billing dispute resolution, then aggregated and anonymized
  • Billing records: Retained for 7 years as required by tax and financial regulations
  • Audit logs: Retained for 1 year
  • Account data: Retained until account deletion, then purged within 30 days
  • Prometheus metrics: Retained for 15 days (operational data only, no PII)

8. Your Rights

8.1 For All Users

  • Access: Request a copy of all data we hold about you
  • Correction: Update inaccurate data
  • Deletion: Request deletion of your account and associated data
  • Portability: Receive your data in a machine-readable format

8.2 GDPR (EU/EEA Users)

If you are in the EU/EEA, you have additional rights under the General Data Protection Regulation:

  • Legal basis: We process data based on contract performance (providing the service) and legitimate interest (security, fraud prevention)
  • Right to object: You may object to processing based on legitimate interest
  • Right to restrict processing: You may request restriction in certain circumstances
  • DPO: Contact our Data Protection Officer at [email protected]
  • Supervisory authority: You have the right to lodge a complaint with your local data protection authority

8.3 CCPA (California Users)

If you are a California resident, under the California Consumer Privacy Act:

  • Right to know: What personal information we collect and how it's used
  • Right to delete: Request deletion of your personal information
  • Right to opt-out: We do not sell personal information, so this right is satisfied by default
  • Non-discrimination: We will not discriminate against you for exercising your rights

To exercise any of these rights, email [email protected]. We will respond within 30 days (GDPR) or 45 days (CCPA).

9. Cookies & Tracking

The Platform uses minimal cookies:

  • Session cookies: For dashboard authentication (contributor and consumer dashboards). These are strictly necessary and cannot be opted out of while using the dashboards.
  • localStorage: The API playground uses browser localStorage to persist conversation history and settings locally. This data never leaves your browser.

We do not use:

  • Third-party analytics (no Google Analytics, no Mixpanel)
  • Advertising cookies or tracking pixels
  • Cross-site tracking of any kind

10. Children's Privacy

The Platform is not directed at children under 18 (or the applicable age of majority). We do not knowingly collect data from children. If you believe a child has provided us with data, contact us at [email protected] and we will delete it promptly.

11. International Data Transfers

The Platform is operated from the United States. If you access the Platform from outside the US, your data may be transferred to and processed in the US. For EU/EEA users, we rely on Standard Contractual Clauses (SCCs) as the legal mechanism for data transfers.

12. Payment Processing

Payment processing is handled by Stripe, Inc. When you make a payment or receive a payout:

  • Payment card details are collected and processed entirely by Stripe — they never touch our servers
  • We receive only a tokenized reference and transaction metadata from Stripe
  • Stripe's handling of your data is governed by Stripe's Privacy Policy
  • Stripe is PCI DSS Level 1 certified, the highest level of payment security certification

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email (if provided) and a prominent notice on the Platform at least 30 days before taking effect. The "Last Updated" date at the top will always reflect the most recent version.

14. Contact

For privacy-related inquiries:

  • Email: [email protected]
  • Data Protection Officer: [email protected]
  • Security issues: [email protected]