Privacy Policy

Last updated: March 17, 2026 · Effective: March 17, 2026

1. Data Controller

Lebensfluss e.V.
Verein zur Förderung ganzheitlicher Lebensweisen
Austria (Österreich)

ZVR-Zahl: 1758759096
Contact: privacy@destill.ai
Representative: Der Vorstand des Vereins

2. What Data We Collect

2.1 Tester Key Registration

When you request a tester key or AGI wrapper key via our Validation Consortium dashboards, we collect:

Data	Purpose	Legal Basis	Retention
Name / Organization	Key attribution & consortium membership	Art. 6(1)(b) GDPR — Contract	Duration of evaluation + 12 months
Email address	Key delivery & security notifications	Art. 6(1)(b) GDPR — Contract	Duration of evaluation + 12 months
Persona / Role	Bounty tier calculation	Art. 6(1)(f) GDPR — Legitimate Interest	Duration of evaluation
Use case description	Key configuration & research	Art. 6(1)(f) GDPR — Legitimate Interest	Duration of evaluation

2.2 OAuth Identity Verification (Optional)

If you choose to verify your identity via LinkedIn, GitHub, or Discord, we receive:

Public profile name and avatar
Profile URL
Email (if your provider settings allow it)

We never receive your password. We use the standard OAuth 2.0 Authorization Code flow with PKCE. We only request the identify / read:user scope — never post, write, or message permissions.

2.3 Benchmark & Scan Data

Prompts submitted to the AEGIS cascade for evaluation are:

Processed in memory only — not stored to disk
Anonymized aggregate statistics (scan count, threat distribution) are retained for research
No personally identifiable content from prompts is retained

2.4 Website Analytics

We do not use Google Analytics, Facebook Pixel, or any third-party tracking scripts. We collect only:

Server access logs (IP address, timestamp, requested URL) — retained for 30 days
These logs are processed solely for security monitoring and are never shared

3. Data Processing & Sub-Processors

Processor	Purpose	Location	Certification
Hetzner Online GmbH	Hosting & infrastructure	Germany / Finland (EU)	ISO 27001
Let's Encrypt	TLS certificates	USA (public CA)	—
Google Fonts	Typography (Inter, JetBrains Mono)	Global CDN	—

No data is transferred outside the EU for processing. Hosting, authentication, and all AI inference happens on sovereign Hetzner infrastructure.

4. Cookies

DESTILL.ai uses only essential cookies:

Cookie	Purpose	Duration	Type
`session_id`	Session management (if logged in)	Session	Essential
`oauth_state`	CSRF protection during OAuth flow	Session	Essential

We do not use analytics cookies, marketing cookies, or third-party tracking cookies. No cookie consent banner is required because we only use strictly necessary cookies (Art. 5(3) ePrivacy Directive, § 165(3) TKG 2021).

5. Your Rights (GDPR Art. 15–22)

As a data subject under the GDPR, you have the right to:

Access — Request a copy of your personal data (Art. 15)
Rectification — Correct inaccurate data (Art. 16)
Erasure — Request deletion ("Right to be Forgotten") (Art. 17)
Portability — Receive your data in machine-readable format (Art. 20)
Restriction — Limit processing in certain circumstances (Art. 18)
Object — Object to processing based on legitimate interest (Art. 21)
Withdrawal — Withdraw consent at any time (Art. 7(3))

To exercise your rights, email privacy@destill.ai. We respond within 30 days.

6. Data Security

We implement state-of-the-art security measures including:

Post-Quantum Cryptography — ML-KEM / ML-DSA for all new cryptographic operations
TLS 1.3 — All data in transit is encrypted
AEGIS Cascade — 114 safety agents protect all AI interactions
Sovereign Infrastructure — All data stays on EU-based Hetzner servers

7. International Transfers

We do not transfer personal data outside the European Economic Area (EEA). All processing occurs on Hetzner infrastructure located in Germany and Finland.

Google Fonts CSS/WOFF2 files are loaded from Google's CDN. This constitutes a request from your browser to Google's servers. If you want to prevent this, use a browser extension that blocks external font loading.

8. Children's Data

DESTILL.ai services are intended for professional use by researchers, developers, and security professionals. We do not knowingly collect data from persons under 16 years of age.

9. Supervisory Authority

You have the right to lodge a complaint with the Austrian Data Protection Authority:

Österreichische Datenschutzbehörde
Barichgasse 40–42, 1030 Vienna, Austria
dsb@dsb.gv.at · www.dsb.gv.at

10. Changes to This Policy

We may update this policy to reflect changes in our practices or applicable laws. Material changes will be communicated via our website. The "Last updated" date at the top indicates the most recent revision.

11. Contact

Data Protection Inquiries: privacy@destill.ai
General Contact: hello@destill.ai