Privacy Policy

Deck-Agent, Inc. ("Deck-Agent," "we," "us") is a Delaware corporation that operates askdeck.ai and the Deck-Agent service (the "Service"). This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, how long we keep it, and the rights you have. It is written to satisfy Articles 13 and 14 of the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and the Children's Online Privacy Protection Act ("COPPA").

We do not use Customer Content (briefs, voice recordings, transcripts, uploads, generated decks, or any derivative) to train, fine-tune, or otherwise improve our machine-learning models or those of our subprocessors. There is no opt-in and no opt-out — model training is simply not part of how the Service works. Our LLM subprocessor (currently Anthropic) provides the Service under contract terms that also prohibit training on Customer Content.

We keep personal data only as long as we need it for the purposes in Section 3, then delete it according to the schedule below.

• Account data — for the life of the account, then 30 days after closure.
• Briefs, voice recordings, and transcripts — 30 days from generation by default. You may delete earlier from the app or pin a deck to keep it longer.
• Generated decks — until you delete them. We run a 24-hour soft-delete grace window before permanent deletion.
• Brand-kit assets — until you remove them or close the account, then 30 days.
• Billing records and invoices — seven (7) years for U.S. tax and accounting purposes.
• Security and audit logs — 12 months.
• Support tickets and email correspondence — 24 months.

We may retain data longer where required by law, to enforce our Terms, or to resolve a dispute. Backups are encrypted, retained for up to 35 days, and overwritten on rotation.

Depending on where you live, you may have the following rights with respect to your personal data:

• access the personal data we hold about you;
• correct inaccurate or incomplete information;
• delete personal data (the "right to erasure");
• receive a portable copy of the personal data you provided to us;
• restrict or object to certain processing;
• withdraw consent at any time where consent is the lawful basis (without affecting prior lawful processing);
• opt out of profiling that produces legal or similarly significant effects (we do not engage in such profiling);
• opt out of the "sale" or "sharing" of personal information under the CCPA (we do not sell or share personal information as those terms are defined);
• lodge a complaint with your local data-protection supervisory authority — in the EU, your national authority; in the UK, the Information Commissioner's Office; in California, the California Privacy Protection Agency or the Attorney General.

Submit requests to [email protected] or from your account settings. We will respond within 30 days (45 in California), extendable once for complex requests. We may need to verify your identity before acting. Authorized agents may submit requests under California law with proof of authority. You can also export a copy of your data on demand from the app.

When you place a brief by calling our voice number, your call is recorded and a written transcript is produced and stored. We use the recording and transcript to generate your deck, to provide support, and to investigate abuse. A spoken or DTMF notice is played at the start of the call confirming that the call is being recorded; continuing the call constitutes consent to recording. Some U.S. states (including California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington) and many countries require all parties to consent to call recording. If you do not consent, hang up and use the web form, SMS, or email instead. You may request deletion of any recording or transcript at any time at [email protected].

We use strictly necessary cookies for sign-in sessions, CSRF protection, and load balancing, and first-party analytics cookies to measure aggregate product usage and reliability. We do not run third-party advertising cookies and do not participate in cross-site behavioral advertising. You can manage cookies in your browser settings; disabling strictly-necessary cookies will break sign-in. Where required, we present a cookie banner with controls before non-essential cookies are set. We honor Global Privacy Control ("GPC") signals as an opt-out of any sale or sharing under the CCPA, although as noted in Section 6 we do not sell or share personal information.

The Service is not directed to children under 13 and we do not knowingly collect personal information from children under 13. Users between 13 and 18 must have the involvement of a parent or legal guardian (see Terms of Service Section 3). If you believe a child under 13 has given us personal information, contact [email protected] and we will delete it promptly.

We rely on the following vendors to deliver the Service. Each is bound by a contract requiring confidentiality, appropriate security measures, and a no-training commitment for any model provider that processes Customer Content.

• Anthropic — LLM that drafts deck content. Receives your brief.
• ElevenLabs — voice intake (speech-to-text and voice-agent runtime). Receives call audio and transcripts.
• Clerk — authentication and account management. Receives email and authentication identifiers.
• Stripe — payments. Receives billing details and full card data (we do not).
• Twilio — voice numbers and SMS delivery. Receives phone numbers and SMS content.
• Postmark — transactional email. Receives email addresses and message contents.
• Svix — webhook delivery. Receives event payloads we emit to your endpoints.
• Cloudflare — CDN, DNS, and edge security. Processes traffic metadata and IP addresses.
• Fly.io — compute hosting. Processes all Service traffic and stores ephemeral runtime state.
• Neon — managed Postgres on AWS US-East. Stores account, brief, deck, and billing records.
• Tigris — S3-compatible object storage on AWS. Stores .pptx files, audio recordings, brand-kit assets.

We give at least 30 days' prior notice of new subprocessors to customers on the Pro and Teams plans (via email to the billing contact). The current list is also reflected in our Data Processing Addendum.

Personal data is stored by default in the United States (AWS US-East, via Neon for Postgres and Tigris for object storage). Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States or other countries that have not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (2021/914, Module 2 — Controller-to-Processor), the UK International Data Transfer Addendum, and the Swiss DPA equivalent. EU and UK customers may request that their data be stored in our EU region by emailing [email protected]; we will complete the migration on a best-efforts basis. Copies of the SCCs and our Data Processing Addendum are available at /dpa and on request.

We use technical and organizational measures appropriate to the risk, including encryption at rest (Tigris SSE; Postgres on encrypted AWS volumes), encryption in transit (TLS 1.3), role-based access control, principle of least privilege, append-only audit logging, continuous dependency and container vulnerability scanning, secure SDLC, background checks for personnel with production access, and security training. We are a new company — we do not yet hold SOC 2 attestation and have not yet completed a formal third-party penetration test (these are on our roadmap). No service can guarantee perfect security. If we discover a personal-data breach, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours, and we will notify affected customers without undue delay and within any timeline required by law.

We may update this Policy from time to time. For material changes we will provide at least 30 days' advance notice by email to the address on your account or by a prominent notice in the Service. Non-material changes take effect when posted. The "Last updated" date at the top reflects the latest revision.

Privacy questions, requests, and complaints: [email protected]. EU and UK residents may also lodge a complaint with their local supervisory authority. We will appoint an EU representative under GDPR Art. 27 and a UK representative if and when our processing meets the thresholds that require one; until then, you can reach us at the address above.