Privacy Policy

Last updated: June 12, 2026

Deckside is operated by DittoWorks Inc (“DittoWorks”, “we”, “us”), which is the data controller for the personal data described here. This policy explains what we collect, why, and what we do with it. The short version: we store your account and your conversation history so the Service can work, we send conversation content to the AI model provider to generate responses, and we do not sell your data or use it to train models.

1. What we collect

We collect only what the Service needs to work:

  • Account data — your email address and a salted, one-way hash of your password (we never store the password itself), plus email verification status and your plan tier.
  • Conversations — the prompts you send, agent responses, and the activity the agent reports back from your machines (commands it ran, their output, approval requests and your decisions). This history is what lets a conversation move between machines and survive restarts.
  • Machine pairing data — when you pair a machine we record basic connection details such as its hostname, the working directory the connector runs in, and connection timestamps, so you can see which machine a conversation is attached to.
  • API keys you add — if you bring your own model provider key, it is encrypted with AES-256-GCM before being stored and is never returned to the browser. It is decrypted server-side only to attach to model calls you initiate.
  • Billing data — if you buy a paid plan, payment is handled by our payment processor; we receive your plan tier and subscription status, not your card details.

2. What we deliberately do not collect

  • We do not run third-party advertising or tracking scripts on the Service.
  • We do not sell your data to anyone.
  • We do not use your conversations or your machines' output to train AI models.
  • The agent runs on your machine; your files stay there unless you ask the agent to share something into a conversation.

3. Command output and redaction

Conversation history can include the output of commands the agent ran on your machines, and that output can contain sensitive information (file paths, configuration, occasionally credentials printed by tools). Deckside passes events through automatic secret redaction before storing them, but redaction is best-effort. Treat conversation history as sensitive, avoid asking the agent to print secrets, and delete conversations you no longer need — deleting a conversation deletes its event history and revokes its connector's access.

4. Where your data goes

Your data is shared with third parties only to operate the Service:

  • AI model providers — your conversation content is sent to the model provider (currently OpenAI) to generate agent responses, either through Deckside's hosted access or your own API key. Their handling of API traffic is governed by their own terms.
  • Infrastructure providers — the platform runs on Amazon Web Services (in the United States); conversation history and account data are stored in AWS databases.
  • Email delivery — we send verification and account emails through our email provider.
  • Payment processing — paid plans are processed by our payment provider, which handles card data under its own privacy policy.

We may disclose data if required by law, but we will tell you when we are permitted to do so.

5. How long we keep it

Conversation history is kept until you delete the conversation. Account data is kept while your account exists. If you want your account and its data deleted entirely, email contact@deckside.ai from your account address and we will remove it within 30 days, except for minimal records we need to keep for legal or billing reasons.

6. Security

Machines connect outbound only — Deckside never opens ports on or reaches into your network. Access tokens are scoped and signed: a paired connector can act only for its own conversation, and its access ends when the conversation is deleted. Passwords are hashed with scrypt, stored API keys are encrypted at rest, and pairing a new machine requires explicit approval from a signed-in, verified browser session.

No internet service can promise perfect security. If we learn of a breach affecting your data, we will notify you without undue delay.

7. Cookies

Deckside uses cookies only to keep you signed in and to remember preferences like your theme. There are no advertising or cross-site tracking cookies.

8. Your rights

Depending on where you live (for example under the GDPR or similar laws), you may have rights to access, correct, export, or delete your personal data, and to object to or restrict certain processing. You can exercise most of these directly: your conversations are visible and deletable in the app, and account deletion is available by email. For anything else, contact us and we will respond within the timelines your local law requires.

9. Children

Deckside is not directed at children and may not be used by anyone under 16 (or the higher age of digital consent where you live). If you believe a child has created an account, contact us and we will delete it.

10. Changes to this policy

If we change this policy in a meaningful way, we will give notice (for example by email or in the app) before the change takes effect. The “last updated” date at the top always reflects the current version.

11. Contact

Deckside is operated by DittoWorks Inc. Privacy questions or requests: contact@deckside.ai. You can also reach us in the Deckside Discord, but please use email for account-specific requests so we can verify it's you.
