Privacy Policy

5.1 Introduction

This Privacy Policy describes how dotgear, inc ("InfrPool," "Platform," "we," "us," or "our") collects, uses, stores, shares, and protects your personal information when you use the InfrPool platform, including the website at infrpool.com, APIs, dashboard, and worker software (collectively, the "Service").

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, you must not use the Service.

5.2 Personal Data We Collect

Account Information

When you create an account through Firebase Authentication (Google OAuth or GitHub OAuth), we collect:

• Email address (account identification, notifications, payout delivery)
• Display name (dashboard display, payout recipient name)
• Firebase UID (internal user identification, authentication)
• OAuth provider type (authentication method tracking)

Payment Information

• Consumer payments: Processed by Stripe. We store a Stripe Customer ID. We do not store credit card numbers, CVV, or full billing details.
• Supplier payouts: Your email address and display name are shared with Tremendous for reward delivery. We do not store payout method details.

Technical and Operational Data

• IP address (hashed using HMAC-SHA256, rotated every 90 days; raw IPs are never stored)
• API request metadata (billing, performance monitoring, dispute resolution)
• Device/browser fingerprint (hashed, for multi-account detection only)

Operational Metadata Logged Per Request

For each inference request, the following metadata is logged:

• Timestamp, Task ID, Model ID
• Token count (input and output)
• Latency (time-to-first-token, total duration)
• Consumer cost and Supplier earning (in micro-USD)
• Supply type and request status

This metadata does not include any prompt content or response content.

5.3 Prompt and Response Data — Non-Storage Policy

InfrPool does not store prompts or responses. This is a core architectural principle of the Platform.

• Prompts and responses are routed through servers in memory only for request routing and delivery.
• Upon completion or failure of a request, prompt and response data is discarded from server memory.
• No prompt or response content is written to databases, log files, object storage, or any other persistent medium.
• Server logs record only operational metadata.

Important limitation: Prompts are transmitted to and processed by Supplier-operated computing resources. While the Provider Terms prohibit Suppliers from logging or sharing prompt data, InfrPool cannot independently guarantee Supplier compliance at all times.

5.4 Image Generation Data

• Generated images are temporarily stored in Google Cloud Storage with a 24-hour time-to-live (TTL).
• After 24 hours, images are automatically and permanently deleted.
• No images are retained beyond the 24-hour TTL under any circumstances.
• Image metadata (timestamp, dimensions, model used, cost) is logged, but image content is not retained after TTL expiry.

5.5 How We Use Your Data

We use collected data for the following purposes:

• Providing the Service (account management, inference routing, billing)
• Processing payments and payouts
• Fraud detection and prevention
• Platform security and abuse prevention
• Service quality monitoring
• Email notifications (billing, expiry warnings, security alerts)
• Compliance with legal obligations

We do not use your data for:

• Advertising or ad targeting
• Selling to third parties
• Training AI models
• Profiling for purposes unrelated to the Service

5.6 Third-Party Data Sharing

We share personal data with the following third parties, limited to what is strictly necessary:

Stripe (Payment Processing)

Data shared: Email address, Stripe Customer ID, charge amounts. Purpose: Processing Consumer wallet charges, handling refunds and disputes.

Tremendous (Supplier Payouts)

Data shared: Email address, display name, payout amount. Purpose: Delivering payout rewards to Suppliers.

Firebase / Google Cloud Platform

Data shared: Authentication tokens, Firebase UID. Purpose: User authentication, infrastructure hosting.

SendGrid (Email Delivery)

Data shared: Email address. Purpose: Transactional email delivery.

We do not share, sell, rent, or trade your personal data with any other third parties except when required by law, to protect rights and safety, or in connection with a merger or acquisition (with prior notice).

5.7 Cookies and Session Management

InfrPool uses only essential cookies required for the Service to function:

• Firebase Auth ID token (authentication, 1-hour duration, auto-refreshed)
• Firebase Auth refresh token (session persistence, until logout or revocation)

InfrPool does not use third-party tracking cookies, analytics cookies, advertising cookies, or cross-site tracking mechanisms.

5.8 Data Storage and Security

All data is stored on Google Cloud Platform (GCP) infrastructure, initially in United States regions.

Security measures include:

• TLS 1.3 encryption in transit
• AES-256 encryption at rest
• HMAC-SHA256 IP address hashing with 90-day rotation
• GCP Secret Manager for secret management
• SHA-256 hash-only API key storage
• Cloud Armor WAF with reCAPTCHA Enterprise
• Firebase Auth + role-based access control
• Cloud SQL with private networking

In the event of a data breach, we will notify affected Users by email without undue delay and notify the relevant supervisory authority within 72 hours as required by GDPR Article 33.

5.9 Your Rights (GDPR / CCPA)

Rights Under GDPR (European Economic Area Users)

• Right of access: Request a copy of your personal data.
• Right to rectification: Request correction of inaccurate data.
• Right to erasure: Request deletion of your personal data.
• Right to restriction of processing.
• Right to data portability.
• Right to object to processing based on legitimate interests.

Rights Under CCPA (California Residents)

• Know what personal information we collect, use, and disclose.
• Request deletion of your personal information.
• Opt out of the sale of personal information. (Note: InfrPool does not sell personal information.)
• Non-discrimination for exercising your privacy rights.

How to Exercise Your Rights

You may request account deletion through the dashboard (Settings > Delete Account) or by contacting support.infrpool@dotgear.jp. The process includes:

• 72-hour grace period with cancellation option.
• After 72 hours: account anonymization (email, display name, Firebase UID replaced).
• Transaction records retained for financial audit compliance with anonymized references.
• Wallet event records retained for 365 days after anonymization, then permanently deleted.

Data export is available via the dashboard or API (GET /v1/me/export) as a JSON file with a 24-hour download link.

5.10 Data Retention

5.11 International Data Transfers

Data is primarily stored in the United States on Google Cloud Platform. If you are located outside the United States, your data will be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) and the data processing agreements of our service providers to ensure appropriate safeguards for international transfers.

5.12 Children's Privacy, Changes, and Contact

Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete that data.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before the changes take effect.

Contact Information

For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at: support.infrpool@dotgear.jp