AiStaff

Privacy Policy

Effective date: 1 March 2026 · Last updated: 21 March 2026

1. Who We Are

AiStaff Global FZ-LLC ("AiStaff", "we", "us", "our") operates the AiStaff platform at aistaffglobal.com, including the AiTalent Freelancer Marketplace, AI Agent Marketplace, and AIRobot Rental Marketplace. We are committed to protecting your personal data and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and UAE data protection legislation.

Data controller: [email protected]

2. Data We Collect

We collect the following categories of personal data:

  • Identity data: Name, email address, and profile information provided via OAuth (GitHub, Google, LinkedIn, Facebook).
  • Verification data: OAuth provider user IDs and connection timestamps. For Tier 2 verification, we store only a Zero-Knowledge Proof commitment: the cryptographic hash Blake3(nonce ∥ zk_proof). Raw biometric data is never transmitted or stored.
  • Professional data: Skills, hourly rate, availability, role, and agency affiliation where provided.
  • Transaction data: Escrow records, payout amounts, and transaction IDs stored immutably for financial compliance.
  • Contract data: NDA/SOW documents and SHA-256 document hashes. We store the hash — not the full document — in our audit trail.
  • Usage data: Log data, IP addresses, and session information collected automatically when you use the Platform.
  • Communications: Messages, proposals, and notifications sent through the Platform.

3. How We Use Your Data

We process your personal data for the following purposes:

  • Contract performance: Providing and operating the marketplace, processing escrow transactions, and facilitating agreements between clients and service providers.
  • Legal obligation: Maintaining immutable financial records, audit logs, and complying with anti-money-laundering and KYC requirements.
  • Legitimate interest: Fraud prevention, platform security, trust score calculation, and reputation management.
  • Consent: Sending marketing communications (where you have opted in) and optional analytics.

4. Biometric Data and Zero-Knowledge Proofs

Tier 2 identity verification uses Zero-Knowledge Proofs (ZKP) based on the Groth16 protocol over the BN254 elliptic curve. This means:

  • Your biometric data is processed locally on your device or by a trusted verification partner.
  • Only a cryptographic commitment — Blake3(nonce ∥ proof) — is transmitted to and stored by AiStaff.
  • This commitment cannot be reversed to reconstruct your biometric data.
  • Nonces are single-use and invalidated immediately after proof submission.
  • We never store, transmit, or log raw biometric templates at any layer of our infrastructure.

5. Data Sharing

We do not sell your personal data. We share data only with:

  • Other Platform users: Your public profile, skills, trust score, and reputation badge are visible to other users as necessary for marketplace operation.
  • Payment processors: Transaction details shared with payment providers solely for processing escrow and payouts.
  • Infrastructure providers: Cloud hosting and email delivery providers under data processing agreements.
  • Legal authorities: Where required by law, court order, or to protect rights and safety.

AI models used on the Platform process data locally or via providers bound by data processing agreements. No user data is used to train third-party AI models.

6. Data Retention

  • Financial records: Retained for 7 years to meet accounting and legal obligations. These cannot be deleted.
  • Profile data: Retained while your account is active and for 30 days after deletion to allow recovery.
  • Telemetry events: Archived after 90 days, not deleted.
  • Audit logs: Append-only; retained indefinitely for compliance. Individual entries cannot be deleted.

7. Your Rights

Depending on your location, you may have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure: Request deletion of your account and profile data (subject to retention obligations for financial records).
  • Portability: Receive your data in a structured, machine-readable format, including W3C Verifiable Credential export of your reputation badge.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time.

To exercise your rights, contact [email protected]. We will respond within 30 days.

8. Cookies and Tracking

We use only strictly necessary cookies for authentication (session cookies via NextAuth.js). We do not use third-party advertising trackers. When you log in via a social provider (GitHub, Google, LinkedIn, Facebook), that provider's own privacy policy applies to the data they collect during authentication.

9. Security

We implement technical and organisational measures to protect your data, including:

  • TLS 1.3 encryption for all data in transit.
  • All services operate under zero-trust networking with short-lived internal JWTs (5-minute TTL).
  • Database credentials rotated every 30 days.
  • All AI agent plugins run in isolated Wasmtime sandboxes.
  • Penetration testing conducted before major releases.

In the event of a data breach affecting your rights, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of it.

10. International Transfers

Your data may be processed in countries outside the UAE or EU. Where we transfer personal data internationally, we ensure adequate protection via Standard Contractual Clauses (SCCs) or equivalent safeguards as required by applicable law.

11. Children

The Platform is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at [email protected] and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email or by a prominent notice on the Platform at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact and Complaints

For privacy questions or to exercise your rights: [email protected]

If you are in the EU and believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection supervisory authority.