Privacy policy

Last updated: June 10, 2026

DeciDesk is a B2B tool for structured team decision-making. To run that service we collect a limited amount of personal data — your name, email, and the content you choose to create inside DeciDesk. This page explains exactly what we collect, why, who processes it for us, how long we keep it, and what rights you have over it.

1. Who we are

DeciDesk is operated by Dennis Heemskerk, based in the Netherlands. For any privacy-related question, reach us at privacy@decidesk.ai.

2. What we collect

We collect only what we need to provide the service:

  • Account information: your name, email address, and password (hashed, never stored in clear text).
  • Profile photo: optional. If you upload one, it is stored on Vercel Blob (EU region) and shown alongside your name inside DeciDesk. You can remove it at any time from your profile page.
  • Meeting recordings: when a team lead records an in-person meeting from their phone, the audio is uploaded to Vercel Blob (EU region) and sent to our transcription provider (AssemblyAI) to generate a text transcript. The transcript is posted into the meeting. Audio files are automatically deleted 90 days after the recording; transcripts are retained until the meeting is deleted. Team leads and organization administrators can delete a recording (audio + the placeholder in chat) at any time.
  • Organization data: the name of your organization, company, departments, teams, projects, and the meetings and decisions you create inside DeciDesk.
  • Usage data: pages visited, features used, and basic device information (operating system, browser, app version). We use this to keep DeciDesk reliable and fix bugs.
  • Billing information: card details are collected and stored by our payment processor Stripe. We never see or store your full card number. We do store the billing email, company/VAT details, and an identifier that lets us look up your invoices in Stripe.
  • Communications: if you contact us by email or via the contact form, we keep the message so we can reply.

3. Why we collect it

  • To create and maintain your account and let you sign in.
  • To provide the core DeciDesk product (decisions, meetings, notifications, AI features).
  • To send transactional emails: verification, password reset, invitations, daily overview.
  • To process subscriptions and invoices.
  • To keep the service secure, debug issues, and improve features.
  • To answer your support questions.

We do not sell your data, and we do not use it for advertising. We do not share it with third parties except for the service providers below, who process it strictly on our behalf.

4. AI features

Some DeciDesk features use AI (for example, title suggestions and summaries). When you use these features, the relevant text is sent to our AI provider (Anthropic) to generate the output. We do not train AI models on your data, and our provider does not use your inputs to train their models.

5. Service providers

We use a small number of processors to run DeciDesk. Each is contractually required to protect your data and only process it for the agreed purpose.

  • Neon (EU) — Postgres database hosting.
  • Vercel — application hosting, content delivery, and image storage (Vercel Blob, EU region) for optional profile photos.
  • Stripe — payment processing, subscription management, invoicing, and tax calculation (Stripe Tax). Stripe is based in Ireland (Stripe Payments Europe Ltd.) for EU customers and the United States for non-EU customers.
  • Anthropic — AI features (Claude).
  • AssemblyAI — speech-to-text transcription for meeting recordings. Audio is processed only to generate a transcript and is not retained or used by AssemblyAI for model training.
  • Resend — transactional email delivery.
  • Microsoft / Apple — desktop app distribution and update delivery.

6. Where your data lives

Our primary database is hosted in the European Union. Some processors above operate in the United States; in those cases data is transferred under Standard Contractual Clauses (SCCs) or equivalent safeguards approved by the European Commission.

7. How long we keep it

  • Account and organization data: as long as your account is active. When you delete your account, we delete or anonymize it within 30 days, except where we are legally required to retain it (e.g. invoices, which we keep for 7 years per Dutch tax law).
  • Backups: deleted data may remain in encrypted backups for up to 35 days after deletion.
  • Support emails: up to 2 years.

8. Your rights

Under the GDPR (and equivalent laws), you can:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account and associated data.
  • Export your data in a portable format.
  • Object to or restrict certain processing.
  • Withdraw any consent you previously gave.
  • Lodge a complaint with your local data protection authority (in the Netherlands: the Autoriteit Persoonsgegevens).

Most of these you can do directly from your account settings. If you need help, email privacy@decidesk.ai.

9. Cookies

We use only the cookies strictly necessary to operate the service: an authentication cookie to keep you signed in, and a CSRF token for security. We do not use advertising or tracking cookies.

10. Security

We protect your data with industry-standard measures: TLS encryption in transit, encryption at rest, hashed passwords (bcrypt), role-based access control, audit logging, and regular dependency updates. No system is 100% secure, but we take this seriously and will notify affected users in the event of a data breach as required by law.

A limited number of DeciDesk administrators may technically access stored data — including uploaded profile photos — when strictly necessary for operating the service, such as incident response, debugging a customer-reported issue, or honouring a deletion request. Access is restricted, requires multi-factor authentication, and is never used for any purpose other than running the service.

11. Children

DeciDesk is a B2B product intended for use by adults in a work context. It is not directed at children under 16, and we do not knowingly collect data from them.

12. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top reflects the most recent change. For material changes we will notify active users by email.

13. Contact

Questions, requests, or concerns? Email privacy@decidesk.ai or visit the contact page.
