DECYD Privacy Policy
This Privacy Policy explains how DECYD, Inc. (“DECYD,” “we,” “us,” or “our”) collects, uses, shares, and protects your personal information when you use our AI-powered decision-making platform. This policy complies with the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), UK GDPR, Canada’s PIPEDA, Australia’s Privacy Act 1988, Japan’s APPI, and Singapore’s PDPA.
1. Controller Identity & Contact Information
Data Controller:
DECYD, Inc.
Email: privacy@decyd.io
Data Protection Officer (DPO): dpo@decyd.io
EU Representative (GDPR Article 27): To be designated if monthly EU users exceed 10,000.
UK Representative (UK GDPR Article 27): To be designated if monthly UK users exceed 10,000.
2. Personal Data We Collect
We collect the following categories of personal information:
| Data Type | Examples | Purpose |
|---|---|---|
| Account Information | Email, password (hashed), display name | Authentication, communications |
| Payment Information | Credit card, billing address, transaction history | Subscription processing, fraud prevention |
| Usage Data | IP address, device type, browser, session duration | Rate limiting, fraud prevention, analytics |
| User Context | Decision-making preferences, goals | Personalized AI recommendations |
| Memories | Saved decision notes, past choices | Semantic search, decision history |
| Memory Embeddings | 1,536-dimensional vector representations | Semantic ranking and search |
| Stage Queries | Decision prompts submitted to AI models | Multi-model AI response generation |
| Voice Audio | Voice input during Voice Tours (optional) | Real-time speech-to-text transcription |
| Support Interactions | Email communications, support tickets | Customer service, issue resolution |
Children’s Privacy: DECYD is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we become aware of such collection, we will delete the data promptly.
3. Legal Basis for Processing (GDPR Article 6 & Article 9)
| Data Type | Legal Basis | Explanation |
|---|---|---|
| Account Information | Contractual necessity (6(1)(b)) | Required to create and manage your account |
| Payment Information | Contractual necessity (6(1)(b)) + Legal obligation (6(1)(c)) | Processing payments; 7-year retention for tax compliance |
| Usage Data | Legitimate interest (6(1)(f)) | Fraud prevention, security, geo-detection for regulatory compliance |
| Memories | Contractual necessity (6(1)(b)) | Core feature of service |
| Memory Embeddings | Legitimate interest (6(1)(f)) | Non-identifiable mathematical vectors used to improve service quality |
| Stage Queries | Contractual necessity (6(1)(b)) | Generating AI responses |
| Voice Audio | Explicit consent (6(1)(a) + Art. 9(2)(a)) | Voice may contain special category data |
4. Voice Processing Consent (Article 9 Explicit Consent)
Under GDPR Article 9, processing special category data requires a higher standard of consent. Voice recordings create a risk of capturing sensitive information if you discuss health conditions, political opinions, religious beliefs, or other Article 9 categories.
Before your first Voice Tour, you will encounter a consent modal requiring explicit opt-in. You may withdraw consent at any time in Settings → Voice Tours → “Disable Voice Processing.” Withdrawal takes effect immediately and does not affect the lawfulness of processing before withdrawal (GDPR Article 7(3)).
5. Third-Party Processors & Data Processing Agreements
| Processor | Service | Data Shared | Transfer |
|---|---|---|---|
| Anthropic (Claude) | Stage AI responses | Query prompts, user_id | Anthropic Ireland (EEA) |
| OpenAI | Stage, Embeddings, narrated TTS fallback | Query prompts, memories, optional voice output text | USA (EU-US DPF certified) |
| Google (Gemini) | Stage AI responses | Query prompts, user_id | USA (EU-US DPF certified) |
| xAI (Grok Voice) | Stage, interactive voice, narration | Query prompts, user_id, optional voice input/output | USA |
| LiveKit | Realtime voice transport | Session tokens, microphone streams, room metadata | USA |
| Moonshot AI (Kimi) | Stage AI responses (non-EU only) | Query prompts, user_id | China — EU/UK/Swiss excluded |
| Supabase | Database hosting | All account and memory data | USA/EU (EU-US DPF certified) |
| Vercel | Web hosting | IP addresses, session tokens | USA (EU-US DPF certified) |
| Stripe | Payment processing | Payment details | USA (EU-US DPF certified) |
Note on Moonshot AI (Kimi): Because China does not have an EU adequacy decision, Kimi is automatically excluded from Stage for EU/UK/Swiss users. Non-EU users are informed of China transfer risks in Stage settings.
6. International Data Transfers
DECYD operates globally and may transfer your personal data to countries outside your jurisdiction. We ensure appropriate safeguards (EU-US DPF, SCCs) as required by GDPR Art. 44-50 and UK GDPR. OpenAI, Google, Supabase, Vercel, and Stripe are certified under the EU-US Data Privacy Framework.
7. Data Retention Periods
| Data Type | Retention Period | Justification |
|---|---|---|
| Account Information | Until deletion + 30 days | Grace period for recovery |
| Payment Information | 7 years | Legal obligation: Tax compliance |
| Stage Queries | 90 days | Troubleshooting, abuse detection |
| Memories (text) | Until deletion + 30 days | User-controlled data |
| Memory Embeddings | Indefinite | Non-identifiable vectors |
| Voice Audio | Session only | Transient processing |
| Usage Logs | 90 days | Security monitoring |
8. Your Rights Under Data Protection Laws
GDPR Rights (EU/UK users): Access, Rectification, Erasure, Restriction, Portability, Objection, Withdraw Consent, Lodge Complaint with your national supervisory authority.
CCPA/CPRA Rights (California users): Know, Delete, Opt-Out of Sale/Sharing, Correct, Limit Use of Sensitive Personal Information, Non-Discrimination.
Email privacy@decyd.io to exercise these rights. We respond within 30 days. To delete your account and all data, go to Settings or contact us — your data is deleted within 30 days per GDPR Article 17.
9. Cookies & Tracking Technologies
We use essential cookies for authentication (supabase-auth-token) and fraud prevention (stripe_mid). Optional analytics cookies can be disabled in Settings. DECYD honors Global Privacy Control (GPC) signals.
10. Data Security
We implement industry-standard safeguards: TLS 1.3 encryption in transit, AES-256 database encryption at rest, bcrypt password hashing, and MFA for production access. Our incident response plan includes breach notification within 72 hours per GDPR Art. 33.
11. Changes to This Privacy Policy
We will notify you of material changes via email at least 30 days before the effective date. Your continued use of DECYD after the effective date constitutes acceptance of the updated policy.
12. Contact Us
Email: privacy@decyd.io
Data Protection Officer: dpo@decyd.io