Privacy Policy

Your data, your terms.

We built distro under the assumption that you'd read the privacy policy and want to know exactly what we do. So here it is, in plain English.

Last updated April 15, 2026 (10 sections)

1. The short version

We're a small team building distro. We collect the minimum data needed to run the product, we never sell it, we never train models on it, and you can export or delete everything you gave us at any time. If that sounds reasonable to you, the rest of this document is the detail. If it doesn't, please email us — we'd rather explain than have you misunderstand.

This policy was last updated April 15, 2026. We'll notify you in-app and by email if anything material changes.

2. What we collect

We collect three categories of data:

Account data

  • Email address (from OAuth or direct signup)
  • Display name and username (you choose these)
  • OAuth provider tokens (Google or GitHub), stored encrypted
  • Timezone (for scheduling notifications)

Product data

  • Apps you create (name, tagline, URL, category)
  • Ideas you capture and drafts you generate
  • Writing samples you provide for voice calibration
  • BYOK API keys for AI providers (encrypted at rest with libsodium)
  • Peer review interactions and credit history

Usage data

  • Feature usage events (what pages you visit, what actions you take)
  • Performance data (page load times, errors)
  • Approximate location (country-level, from IP)

3. What we don't collect

We don't use Meta Pixel. We don't use Google Analytics. We don't use any tracker that sells your data to third parties. We don't collect biometrics, your contacts, your calendar, or anything beyond what's listed above.

We also don't train AI models on your content. Your writing samples, ideas, and drafts are yours. They feed your personal voice calibration and nothing else.

4. How we use data

Your data is used for:

  • Running the product — showing your ideas, generating drafts in your voice, tracking streaks, delivering notifications.
  • Improving the product — understanding which features get used, where users get stuck, what breaks.
  • Supporting you — when you email support, we look at your account to help.
  • Billing — only for Pro subscribers, processed through Stripe.

We never sell, rent, or share your data with advertisers. We never use your content to train foundation models.

5. Subprocessors

We use these vendors to run distro. They have access only to what's necessary for their specific function:

  • Supabase — primary database (hosted in EU)
  • MongoDB Atlas — secondary database for AI caching and logs
  • DigitalOcean — application hosting, file storage (Spaces)
  • Inngest — background job processing
  • Zoho ZeptoMail — transactional email
  • Stripe — payment processing (Pro subscribers only)
  • PostHog — product analytics (self-hosted EU)
  • Sentry — error monitoring

A current list with regions and data scopes is always available at /subprocessors.

6. Your rights

Regardless of where you live, you have these rights over your data:

  • Access — download everything we have on you as JSON from Settings → Data Export.
  • Correction — edit your profile, apps, and content directly in the product.
  • Deletion — delete your account from Settings → Account. We remove everything within 30 days.
  • Portability — export in machine-readable JSON anytime.
  • Objection — email [email protected] to object to any specific processing.

If you're in the EU/UK, you also have the right to lodge a complaint with your local data protection authority. If you're in California, you have CCPA rights (right to know, delete, correct, opt-out of sale — though we don't sell, so the opt-out is already built in).

7. Data retention

Account data: kept while your account is active. Deleted within 30 days of account deletion.

Product data: kept while your account is active. Deleted within 30 days of account deletion, except where we need to retain it for legal reasons (typically none).

Usage data: anonymized and aggregated after 180 days. Raw event logs deleted after 90 days.

Backups: our backup retention is 35 days. Deleted data may exist in backups for up to 35 days after deletion from the primary database.

8. Security

We take security seriously. API keys are encrypted at rest with libsodium (XSalsa20-Poly1305). All data in transit uses TLS 1.3. We use Row Level Security in Supabase to isolate user data at the database level. We run a bug bounty program — see the Security page.

9. Changes to this policy

We'll notify you of material changes via in-app banner and email at least 30 days before they take effect. Non-material changes (typos, clarifications) may be made without notice but will be reflected in the “last updated” date.

10. Contact

Questions about this policy? Email [email protected].

Data controller: distro, operated by [Legal Entity Name], registered in [Jurisdiction]. Postal address: [Address].
