Privacy Policy

Effective date: [effective date] · Last updated: [date]

Draft — pending final legal review. This is a first draft published for transparency during our private beta. It is being reviewed with legal counsel and may change. It is not yet a final agreement and is not legal advice. Bracketed items are details still being finalised. Questions: legal@olivecompute.com.

This Privacy Policy explains how [legal entity name], a U.S. C-corporation being formed in [state of incorporation] (“Olive,” the “Company,” “we,” “us,” or “our”) collects, uses, shares, and protects personal data. It applies to:

  1. Visitors to our public marketing website (the “Site”);
  2. Customers who use our compute services (the “Customers”); and
  3. Hardware contributors who install the Olive Agent and provide idle compute capacity (“Device Owners” or “Providers”).

We have written this policy to address the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”). Because our Site and beta are publicly accessible, we assume EU, UK, and California users may reach them.

Plain-language summary (not a substitute for the full policy): We collect account, contact, and device information to run a two-sided compute marketplace. The most important thing to understand is in Section 1: your compute jobs run on other people’s hardware that we do not physically control, so Olive is intended only for non-sensitive data today.

1. Important: how your data is handled on untrusted hardware

Unlike a traditional cloud provider, Olive is a decentralized compute platform. Jobs submitted by Customers are routed through our control plane (hosted on Amazon Web Services) and then scheduled to run on third-party consumer or corporate machines operated by independent Device Owners.

We apply meaningful technical safeguards, including running every workload inside a signed, network-isolated Docker sandbox on the host device, signing job artifacts and results with Ed25519 keys, and verifying results through sampled redundant execution. These measures protect the integrity of computation (that the job ran correctly and was not tampered with).

They do not guarantee secrecy. On commodity consumer hardware, we cannot cryptographically guarantee that the owner of a device is unable to access or inspect data while a job is running in memory. As a result:

  • Customers should submit only non-sensitive, public, or customer-non-confidential data and open-weight models.
  • The platform is not intended for highly confidential personal data, special-category data (GDPR Art. 9), protected health information (PHI/HIPAA), payment card data (PCI), financial account data, or other regulated or highly sensitive categories.
  • Both Customers and Device Owners acknowledge this architecture and agree that any processing of transient job content occurs on this basis.

A future “confidential tier” running on attested corporate hardware with Trusted Execution Environments (TEEs) is planned but not available. Nothing in this policy should be read as a present commitment to provide it.

2. Our roles under GDPR / UK GDPR

| Data | Olive’s role | Notes |
| --- | --- | --- |
| Account, marketing/contact, and device-profile data | Controller | We determine the purposes and means of processing this data. |
| Customer-submitted job inputs and outputs (“Job Content”) | Processor | The Customer is the Controller for any personal data inside Job Content. A Data Processing Addendum (DPA) governs this relationship — see Section 7 and the Customer Terms. |
| Device Owner’s handling of transient job execution data | Sub-processor | When a Device Owner runs a sandboxed job, transient connection metadata may be processed on their hardware. |

3. Personal data we collect

A. Information you provide directly

  • Early-access & contact forms (Site visitors): name, email, company/organization, and message text. Collected via Formspree, our third-party form provider.
  • Customer accounts: name, email, password (stored as a bcrypt hash), optional company/organization, API keys, metadata about submitted jobs, and (when billing goes live) billing/payment data and transaction history.
  • Device Owner accounts: name, email, password (bcrypt hash), and (when payouts go live) payout details and tax information (e.g., Form W-9 / W-8BEN data, taxpayer identification number, address).

B. Automated / technical data

  • Device hardware profile (Device Owners): CPU cores/model, RAM, GPU type/VRAM, OS version, agent performance metrics, uptime/availability, and heartbeat signals.
  • Usage and connectivity data: approximate region, IP address, browser/OS, and platform telemetry from authenticated users.

C. Job Content

  • Customer-provided inputs, containers/model references, and resulting outputs, handled as described in Section 1. Job Content transits our AWS control plane and executes in a transient local sandbox on a Device Owner’s machine, with no persistent storage of Job Content on the Device Owner’s hardware after the job completes.

4. Why we process it, and our lawful basis (GDPR Art. 6)

| Processing activity | Data involved | Lawful basis |
| --- | --- | --- |
| Create and manage accounts | Name, email, password hash, API keys | Contract — Art. 6(1)(b) |
| Handle marketing leads / inquiries | Name, email, company, message | Consent — Art. 6(1)(a), and/or Legitimate interests — Art. 6(1)(f) |
| Schedule, execute, and verify compute jobs | Job Content; device profiles; region/IP | Contract — Art. 6(1)(b) |
| Issue payouts and meet tax-reporting duties | Payout and tax data | Legal obligation — Art. 6(1)(c) |
| Secure, monitor, and improve the platform; detect fraud; verify integrity | Telemetry, heartbeats, logs, IP | Legitimate interests — Art. 6(1)(f) |

Where we rely on legitimate interests, you may object (see Section 8). Where we rely on consent, you may withdraw it at any time.

5. Sub-processors and third parties we share data with

We share personal data with service providers strictly as needed to operate the platform.

  • Amazon Web Services (AWS) — hosting, managed databases (Postgres, Redis), and object storage.
  • Formspree — Site contact / lead-capture forms.
  • GitHub — distribution of the Olive Agent desktop application.
  • Google Fonts — web typography on our Site.
  • Google OAuth (planned) — federated sign-in.
  • Payment / payout processor (planned, e.g., Stripe) — Customer billing and Device Owner payouts when billing goes live.

We require third parties to handle personal data under written agreements with appropriate confidentiality and security obligations.

Open-weight model licenses. Models offered through the platform (e.g., Llama, Phi, Whisper) carry their own upstream licenses. These licenses govern the models, not personal data, but Customers remain responsible for compliance (see Customer Terms).

6. Data retention

We keep personal data only as long as needed for the purposes above or to meet legal obligations.

  • Account data: retained while the account is active; on a verified deletion request, deleted or anonymized within [# days] unless retention is legally required.
  • Job Content: transits the AWS control plane and is purged from active storage within [# hours/days] of job completion; removed from the Device Owner’s local sandbox on completion.
  • Device telemetry / heartbeat / reputation data: retained [# days].
  • Tax and financial records: retained [# years] to meet IRS and other statutory requirements.

7. International data transfers

Olive is based in the United States. Personal data from the European Economic Area (“EEA”) or the UK will be transferred to and processed in the United States. We rely on one or more of the following safeguards:

  • The EU Standard Contractual Clauses (2021 modules) and, for UK data, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, together with a Transfer Impact Assessment; and/or
  • The EU–US Data Privacy Framework (DPF) and UK Extension, if and when Olive self-certifies with the U.S. Department of Commerce.

Note that some sub-processors (e.g., AWS) may themselves be DPF-certified; that does not by itself cover transfers Olive receives directly from EEA/UK users.

8. Your privacy rights

A. EEA / UK (GDPR / UK GDPR)

You have the right to: access your data; rectify inaccurate data; erase data (subject to exceptions); restrict or object to processing; exercise data portability; and withdraw consent. Because Olive does not use an immutable blockchain, erasure requests can be honored across our active systems.

To exercise these rights, contact us at privacy@olivecompute.com. We will respond within the period required by law (generally one month under GDPR). You may also lodge a complaint with your local supervisory authority.

B. California (CCPA/CPRA)

You have the rights to know, delete, correct, and to opt out of the “sale” or “sharing” of personal information, and the right to non-discrimination for exercising these rights.

We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under CCPA/CPRA. Our disclosures to AWS and other vendors are made for business purposes to service providers under written contracts.

To make a request, contact us at privacy@olivecompute.com.

9. Cookies and analytics

We use cookies that are strictly necessary to authenticate users and maintain sessions. Any non-essential or analytics cookies are set only with your consent via our cookie banner, and you can change your choice at any time. You can also configure your browser to refuse cookies, though some features may not work.

10. Children

Olive is not directed to, and is not intended for, anyone under 18. We do not knowingly collect data from anyone under 18. If we learn we have, we will delete it.

11. Changes to this policy

We may update this policy to reflect changes to the platform or the law. We will post the updated version on the Site and update the “Last updated” date. Material changes will be communicated via [notice method].

12. Contact

[legal entity name]
Privacy Email: privacy@olivecompute.com
Mailing address: [registered address]