Privacy Policy

Last updated: May 28, 2026

Effective date: May 28, 2026

0dai (“we”, “us”, or “our”) operates the 0dai CLI, the 0dai API service at 0dai.dev, and related infrastructure. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding that information.

1. Information We Collect

1.1 Account Information

When you authenticate with 0dai (via Google OAuth or GitHub OAuth), we collect:

  • Your email address
  • Your display name
  • Avatar URL provided by the OAuth provider
  • OAuth provider ID (Google or GitHub)
  • Account creation timestamp

1.2 Project Telemetry

When you run 0dai init, 0dai sync, or other commands that communicate with our API, we collect:

  • Detected project stack (e.g., next-ts, python-fastapi)
  • CLI version number
  • Number of files generated or updated
  • Plan tier (free, pro, team)
  • Anonymous device fingerprint (hash of machine identifiers)
  • IP address (for rate limiting and abuse prevention)

We do not collect your source code, file contents, environment variables, API keys, or any secrets from your machine.

1.3 Usage Analytics

We operate self-hosted analytics (Umami) to understand feature usage and improve the service. This includes:

  • Page views on 0dai.dev
  • Feature interaction (which commands are used, how often)
  • Session duration and navigation paths

All analytics infrastructure is self-hosted. We do not use Google Analytics, Mixpanel, or any third-party analytics providers.

1.4 Feedback and Reports

When you submit feedback or project reports via 0dai feedback push or 0dai report push, we store:

  • Project stack and plan tier
  • CLI version and file counts
  • Feedback content (text you choose to send)
  • Timestamp and anonymous device fingerprint

1.5 Session and Swarm Data

When you use swarm delegation or session roaming, we may store:

  • Task descriptions and outcomes (not code)
  • Model selection decisions and costs
  • Session metadata (duration, status, tool used)

2. How We Use Information

We use collected information for:

  • Providing and maintaining the 0dai service
  • Authenticating your identity and managing your account
  • Enforcing plan limits and rate limits
  • Improving AI model recommendations and tool quality
  • Measuring feature usage to guide product development
  • Detecting and preventing abuse and fraud
  • Sending service-related notifications

3. Legal Basis for Processing (GDPR)

If you are a resident of the European Economic Area (EEA), our legal basis for processing your data includes:

  • Contract performance: Processing necessary to provide the 0dai service you requested
  • Legitimate interests: Improving our service, preventing fraud, and ensuring security
  • Consent: Where you have explicitly consented (e.g., feedback submission)

4. Data Sharing and Third Parties

0dai does not sell personal data to third parties.

4.1 Sub-processors

The full versioned sub-processor list — with purpose, data category, and processing region per entry — is published at /security#subprocessors. It is the authoritative list. Customers on the Pro and Team plans receive at least 14 days' email notice before a new sub-processor that touches customer data is added.

4.2 AI model providers (sub-processors)

When you run an agent, the prompt and tool inputs/outputs you choose to send go to the model provider you selected. Today that means Anthropic, OpenAI, or OpenRouter (each US-region). The purpose of transfer is model inference for the agent run you initiated.

Prompt and session data boundary. Only the prompt and tool I/O you intentionally route to a model provider crosses the boundary. Repository file contents, .env files, decrypted secrets, and prompt response bodies are not stored by 0dai. The 0dai API stores session and swarm metadata (task description, model, cost, status) but not the prompt text or response body itself. Bring-your-own-key (BYOK) routing sends prompts from your machine directly to the provider without transiting the 0dai API; see the data-flow diagram at /security#data-flow.

Our sub-processor contracts forbid model providers from using your prompt content to train their models.

4.3 Other categories

We may also share limited data with:

  • OAuth providers: Google and GitHub, solely for authentication purposes
  • Infrastructure providers: DigitalOcean (hosting), Cloudflare (DNS, TLS, edge), and self-hosted Umami analytics; server logs may contain IP addresses
  • Legal requirements: When required by law or to protect our rights and safety

5. Data Retention

The canonical retention schedule lives at /security#retention and is repeated below. The numbers here, on the Security page, and in the DPA one-pager must agree. If you spot drift, email hello@0dai.dev — that is a bug.

  • Account record (email, name, OAuth ID): kept until account deletion + 30 days. Backups roll off within 90 days.
  • Session and swarm metadata (task descriptions, model, cost, status): 180 days.
  • CLI telemetry (stack, command outcome, version, fingerprint hash): 365 days; raw rows deleted at 90 days, aggregates kept.
  • API server logs (IP, path, status, latency): 30 days.
  • Web analytics (self-hosted Umami): 365 days; daily rollups kept in aggregate.
  • Feedback you submit via the CLI or dashboard: until you ask us to delete it.
  • Backups (Postgres, object storage): 90 days, encrypted at rest. Hard-deleted at the 90-day mark.

6. Your Rights

Depending on your location, you may have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of your data
  • Portability: Receive your data in a portable format
  • Objection: Object to processing based on legitimate interests
  • Restriction: Request limitation of processing

To exercise any of these rights, contact us at hello@0dai.dev. We will respond within 30 days.

7. Children's Privacy

0dai is not directed to individuals under 16. We do not knowingly collect personal information from children. If we learn we have collected data from a child under 16, we will delete it promptly.

8. Security

We implement reasonable security measures to protect your data, including:

  • HTTPS/TLS encryption for all API communications
  • Hashed device fingerprints (not raw identifiers)
  • Rate limiting and abuse detection systems
  • Restricted access to user data on our servers

No system is 100% secure. We cannot guarantee absolute security but will notify you of any data breach as required by law.

9. International Data Transfers

0dai's infrastructure may be located in jurisdictions different from your own. By using our service, you consent to the transfer of your data to these jurisdictions.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes by posting the updated policy on this page with a new “Last updated” date.

11. Contact

For privacy questions, data requests, or complaints, contact:

hello@0dai.dev

If you are an EEA resident and have unresolved concerns, you have the right to lodge a complaint with your local data protection authority.