Privacy Policy
Last updated: April 9, 2026
NOTICE: Decision Log is currently in BETA. The service may contain bugs, be unstable, and be subject to frequent changes.
Introduction
Decision Log is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Decision Log service, including our website and application.
Information We Collect
2.1 Personal Information
When you create an account, we collect information such as your name, email address, and authentication details provided through Kinde. We do not store your passwords directly.
We also collect:
- Display name
- Preferred language settings
- Avatar or profile picture (if provided)
- User ID assigned by Kinde
2.2 User Content
We store the content you create in the app in our database — solely so that you can return to it in future sessions:
- Decisions (content, dates, status, replacement chains, archives)
- Collections
- Templates
- Your filters and recent searches (as part of your view state)
What we do with this data: we store it in the database and display it back to you after authentication.
What we do not do:
- We do not read the content of your decisions
- We do not analyze it (we do not use AI/ML on user content)
- We do not share it with third parties
- We do not use it for advertising or model training
- We do not sell it
This content is processed solely on the basis of contract performance (Art. 6(1)(b) GDPR) and is accessible only to you after login. You can export or delete it at any time (see "Your Rights" below).
2.3 Marketing Consent Data
If you opt in to marketing communications, we collect:
- Your marketing consent status (yes/no)
- Date and time when consent was given or withdrawn
- IP address at the time of consent (for compliance and fraud prevention)
- Email address for newsletter delivery
2.4 Technical Data
We automatically collect certain technical information:
- IP address
- Browser type and version
- Device type and operating system
- Time zone settings
- Usage analytics (with your consent — see Cookie Policy below)
For mobile app users:
- Device model and manufacturer
- Operating system version
- App version
- Crash logs and diagnostics (Firebase Crashlytics)
- Analytics events (PostHog)
2.5 Third-Party Authentication Data
When you authenticate through Kinde, we receive:
- Your Kinde user ID
- Email address verified by Kinde
- Profile information you've shared with Kinde (name, picture)
- OAuth tokens for session management
Kinde may process additional data according to their own privacy policy.
Legal Basis for Processing (GDPR)
We process your personal data under the following legal bases as required by the General Data Protection Regulation (GDPR):
3.1 Contract Performance (Art. 6(1)(b) GDPR)
Processing necessary for the performance of the contract between you and Decision Log:
- Creating and managing your user account
- Providing access to Service features (decisions, collections, templates)
- Storing and displaying your content
- Authenticating your access via Kinde
- Delivering customer support
- Processing your settings and preferences
3.2 Consent (Art. 6(1)(a) GDPR)
Processing based on your explicit consent:
- Newsletter subscription and marketing communications (via MailerLite)
- Storing marketing consent metadata (IP address, timestamp)
- Processing profile data (avatar, display name)
- Web and mobile product analytics (PostHog, Google Analytics) — collected only after you accept the cookie banner
You may withdraw consent at any time by:
- Unsubscribing from newsletters (click the unsubscribe link in emails)
- Clearing the cookie consent in your browser to re-trigger the banner
- Updating your marketing preferences in account settings
- Contacting us at contact@decisionlog.me
Withdrawing consent does not affect the lawfulness of processing based on consent before withdrawal.
3.3 Legitimate Interests (Art. 6(1)(f) GDPR)
Processing necessary for our legitimate business interests (balanced against your rights):
- Detecting and preventing fraud, abuse, and security threats
- Improving and optimizing Service functionality and performance
- Analyzing usage patterns to enhance user experience
- Maintaining service stability and preventing technical issues
- Mobile app crash reporting and diagnostics (Firebase Crashlytics) - essential for identifying and fixing bugs, ensuring app stability and user safety
- Enforcing our Terms of Service
- Protecting our legal rights and interests
Analytics: We use PostHog (data stored in the EU) and Google Analytics to understand usage patterns and improve our product. Analytics events are linked to a user ID so we can recognise the same person across web, Android and iOS — the user ID is an internal identifier, not your email or name. We do not send your content to analytics: your decisions, notes, tags, titles, comments and any text you enter into the app stay private and never reach our analytics providers. On web, analytics is collected after you accept the cookie banner; on mobile, it is turned on by default and can be turned off in Settings → System → Privacy. Firebase Crashlytics is used on mobile for crash reporting. Data is not sold to third parties.
How We Use Your Information
We use the information we collect to:
- Provide and maintain our Service
- Manage your account and authenticate your access
- Provide customer support and respond to your inquiries
- Improve and optimize our Service
- Comply with legal obligations
Information Sharing
We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:
- With your explicit consent
- To comply with legal requirements or law enforcement requests
- With trusted service providers who assist in operating our Service (such as Kinde for authentication)
- In connection with a business transaction, such as a merger or acquisition
Data Security and Limitations
5.1 Security Measures
We implement industry-standard security practices including:
- HTTPS/TLS encryption for all data in transit between your device and our servers
- Secure authentication via Kinde with JSON Web Tokens (JWT)
- Access controls and authentication requirements for all Service features
- Secure token storage on mobile devices (Android KeyStore, iOS Keychain)
- Regular security updates and monitoring for vulnerabilities
- Password security: We never store your passwords directly (handled by Kinde)
5.2 Encryption Limitations
IMPORTANT: While we encrypt data during transmission (in transit), our database does NOT use encryption at rest. This means:
- Your data is stored in unencrypted form on our database servers
- In the event of a database breach or unauthorized server access, your data could be exposed in readable form
- We implement access controls and security measures to prevent unauthorized access, but these do not provide encryption of stored data
We are transparent about this limitation to help you make informed decisions about what data to store in Decision Log.
5.3 No Absolute Security Guarantee
NO METHOD OF TRANSMISSION OR STORAGE IS 100% SECURE. Despite our security measures:
- We cannot guarantee absolute security of your data
- Cyber attacks, technical failures, or security breaches may occur
- Data may be intercepted, accessed, or compromised by unauthorized parties
By using Decision Log, you acknowledge and accept these security limitations and the associated risks.
5.4 Security Incident Notification
In the event of a data breach that compromises your personal information:
- We will notify you via email within 72 hours of becoming aware of the breach (as required by GDPR)
- The notification will include: nature of the breach, data affected, steps we're taking, and recommendations for you
- We will also notify relevant supervisory authorities as required by applicable law
If you become aware of any security vulnerability or breach, please contact us immediately at contact@decisionlog.me.
International Data Transfers
6.1 Cross-Border Data Processing
Your personal information may be transferred to, stored, and processed in countries outside the European Economic Area (EEA), including the United States. These countries may have data protection laws that differ from those in your jurisdiction.
6.2 Third-Party Services Located Within EEA
We use the following services that process data within the EEA:
Authentication (European Union):
- Kinde (data stored in EU-Ireland): User authentication and account management. Kinde is an Australian company but we have configured our account to store all authentication data in the EU-Ireland region.
Analytics (European Union):
- PostHog (data stored in EU): Product analytics. Data is anonymized and processed within the EU region. Activated after user consent.
Analytics (United States):
- Google Analytics (USA): Web traffic analytics. Activated after user consent.
6.3 Third-Party Services Located Outside EEA
We use the following services that process data outside the EEA:
Infrastructure (United States):
- Render.com (USA): Application and database hosting
Media (United States):
- Cloudinary (USA): Image storage and processing for user avatars
- Firebase Crashlytics (USA): Mobile app crash reporting and diagnostics (enabled by default, legitimate interest basis)
Payments:
- Paddle (UK): Web payment processing, subscription management, and checkout (Merchant of Record). Processes: email, transaction IDs, billing dates, subscription status.
- RevenueCat (USA): Mobile in-app purchase and subscription management for iOS and Android. Processes: subscription status, purchase history, app user IDs, product data.
App Distribution:
- Apple App Store (USA): iOS app distribution, updates, and in-app purchase processing
- Google Play Store (USA): Android app distribution, updates, and in-app purchase processing
Email Marketing (Various Locations):
- MailerLite (Lithuania/EU and global CDN): Newsletter delivery and marketing communications (optional, requires consent)
6.4 Legal Basis for Transfers
We transfer your data internationally based on:
1. Your explicit consent - By using our Service, you consent to international data transfers
2. Necessity for contract performance - Transfers are necessary to provide the Service you requested
3. Standard Contractual Clauses (SCCs) - Where applicable, our service providers use EU-approved SCCs
4. Legitimate interests - In providing and improving our Service
6.5 Data Protection Safeguards
While our service providers may be certified under frameworks such as the EU-U.S. Data Privacy Framework or use Standard Contractual Clauses, we cannot guarantee the same level of data protection as required under EU law.
Different countries have different legal requirements for government access to data. Data stored in the United States may be subject to access requests from U.S. government authorities.
By using Decision Log, you acknowledge and consent to these international data transfers and the associated risks.
Data Retention
7.1 Active Account Data
We retain your personal information for as long as your account remains active and you continue to use our Service.
7.2 Account Deletion
When you request account deletion:
- Your data is no longer accessible through the Service interface
- We retain data for up to 90 days before permanent deletion
- During this period you may recover your account by contacting us
7.3 Permanent Deletion
After the retention period expires:
- Personally identifiable information is permanently deleted from our primary database
- Backups containing your data may persist for up to 6 months due to backup retention cycles
- Analytics data is retained according to the analytics providers' policies (PostHog, Google Analytics). When you delete your account, we also request deletion of the corresponding analytics profile in PostHog so that future events cannot be linked to you.
7.4 Marketing Data Retention
If you subscribe to our newsletter:
- Marketing consent data (email, IP address, timestamp) is retained until you unsubscribe
- After unsubscription, we retain your email address for 3 years to honor your opt-out preference and prevent accidental re-subscription
- MailerLite retains data according to their own retention policy
7.5 Legal and Compliance Retention
Certain data may be retained longer when required by law:
- Tax and accounting records: 7 years (legal requirement in Poland)
- Security incident logs: 2 years (security and fraud prevention)
- Legal dispute records: Duration of dispute + 3 years (statute of limitations)
7.6 Data Minimization
We regularly review stored data and delete information that is no longer necessary for the purposes for which it was collected.
Children's Privacy
Decision Log is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at contact@decisionlog.me. We will promptly delete such information from our systems.
Cookie Policy
10.1 Strictly Necessary Cookies (No Consent Required)
These cookies are essential for the Service to function and do not require consent:
- Authentication cookies: Session management via Kinde
- Locale preference: Stores your language preference
- Cookie consent record: Stores your cookie banner choice in localStorage
10.2 Analytics Cookies (Optional — Consent Required)
We use the following analytics tools, activated only after you accept the cookie banner:
- PostHog (EU): Product analytics. Events are linked to your account user ID for cross-device understanding; data stored in the EU (Ireland).
- Google Analytics (USA): Web traffic analytics. Events are linked to your account user ID when you are signed in.
You can withdraw consent at any time by clearing the cookie consent record in your browser, which will re-trigger the banner on your next visit. Declining analytics does not affect access to the Service.
10.3 Mobile App Local Storage
- Android: Encrypted storage via DataStore and KeyStore (auth tokens)
- iOS: Secure storage via Keychain (auth tokens)
10.4 Third-Party Cookies
Kinde (authentication) may set strictly necessary session cookies. These are required for the Service to function and do not require consent.
- Kinde: https://kinde.com/legal/privacy-policy/
Third-Party Services We Use
We use the following third-party services to provide and improve Decision Log:
11.1 Authentication and User Management
Kinde (data stored in EU-Ireland) - Privacy policy: https://kinde.com/legal/privacy-policy/
11.2 Infrastructure and Hosting
Render.com (USA) - Privacy policy: https://render.com/privacy
11.3 Image Storage and Processing
Cloudinary (USA)
- Purpose: Avatar image upload, storage, and transformation
- Data processed: User-uploaded avatar images, Cloudinary public IDs
- Privacy policy: https://cloudinary.com/privacy
11.4 Product Analytics (Optional — Consent Required)
PostHog (EU)
- Purpose: Product analytics
- Legal basis: Consent (cookie banner)
- Data location: EU (Ireland)
- What we send: Events are linked to a user ID so we can understand how the same person uses the app across web, Android and iOS — which features get used and where users get stuck. The user ID is an internal identifier, not your email or name. We do not send the content you create — your decisions, notes, tags, titles, comments and any text you enter into the app stay private and never reach PostHog. You can request deletion of your analytics profile by deleting your account.
- Privacy policy: https://posthog.com/privacy
Google Analytics / Firebase Analytics (USA)
- Purpose: Web traffic analytics (Google Analytics) and mobile app product analytics (Firebase Analytics, feeding the same Google Analytics 4 property)
- Legal basis: Consent (cookie banner on web; in-app "Analytics" toggle in Settings → System → Privacy on mobile, default ON)
- What we send: Events are linked to a user ID for cross-device understanding when you are signed in. We do not send the content you create — your decisions, notes and any text you enter into the app are not sent to analytics.
- Privacy policy: https://policies.google.com/privacy
11.5 Mobile App Crash Reporting (Enabled by Default - Legitimate Interest Basis)
Firebase Crashlytics (USA, Mobile App)
- Purpose: Crash reporting and diagnostics for mobile app
- Legal basis: Legitimate interests (ensuring app stability and security)
- Data processed: Crash logs, stack traces, device info, app version
- Privacy policy: https://firebase.google.com/support/privacy
11.6 Payments - Web (Contract Performance)
Paddle (UK)
- Purpose: Payment processing, subscription management, checkout, invoicing (Merchant of Record)
- Legal basis: Contract performance
- Data processed: Email address, transaction IDs, billing period dates, subscription status, custom user metadata
- Privacy policy: https://www.paddle.com/legal/privacy
11.7 Payments - Mobile (Contract Performance)
RevenueCat (USA)
- Purpose: In-app purchase and subscription management for iOS and Android
- Legal basis: Contract performance
- Data processed: Subscription status, purchase history, app user IDs, product/entitlement data
- Privacy policy: https://www.revenuecat.com/privacy
11.8 App Distribution
Apple App Store (USA) and Google Play Store (USA)
- Purpose: App hosting, delivery, updates, and in-app purchase payment processing
- Legal basis: Contract performance
- Data processed: Device identifiers, transaction data, app version
- Privacy policies: https://www.apple.com/privacy/ and https://policies.google.com/privacy
11.9 Email Marketing (Optional - Requires Consent)
MailerLite (Lithuania/EU)
- Purpose: Newsletter delivery and marketing communications
- Data processed: Email address, display name, preferred language, marketing consent metadata
- Privacy policy: https://www.mailerlite.com/legal/privacy-policy
11.10 Data Sharing with Third Parties
We share data with these services only as necessary to provide our Service. We do not sell your data to any third party.
Each third-party service processes data according to its own privacy policy. We recommend reviewing these policies to understand how your data is handled.
Your Rights
Under the General Data Protection Regulation (GDPR) and other applicable privacy laws, you have the following rights:
12.1 Right to Access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether your personal data is being processed and to access such data. You can request:
- What personal data we hold about you
- Why we are processing it
- Who we share it with
- How long we will keep it
12.2 Right to Rectification (Art. 16 GDPR)
You have the right to correct inaccurate personal data and to complete incomplete personal data.
12.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)
You have the right to request deletion of your personal data when:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw your consent (where processing is based on consent)
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Deletion is required by legal obligation
Note: Your data will enter a 90-day soft delete period before permanent deletion. Backups may persist for up to 6 months.
12.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request restriction of processing when:
- You contest the accuracy of your personal data
- The processing is unlawful but you prefer restriction over deletion
- We no longer need the data but you need it for legal claims
- You have objected to processing pending verification
12.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV). You can request to transfer this data to another service provider.
How to export: Use the export feature in your account settings or contact us at contact@decisionlog.me.
12.6 Right to Object (Art. 21 GDPR)
You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.
12.7 Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.
12.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of alleged infringement.
Poland: Office for Personal Data Protection (UODO) - https://uodo.gov.pl
12.9 How to Exercise Your Rights
To exercise any of these rights, contact us at: contact@decisionlog.me
We will respond to your request within 30 days (as required by GDPR). In complex cases, we may extend this by an additional 60 days and will inform you of any delay.
12.10 Verification
To protect your privacy, we may request additional information to verify your identity before fulfilling your request.
12.11 No Fees
Exercising your rights is generally free of charge. However, we may charge a reasonable fee or refuse the request if it is manifestly unfounded, excessive, or repetitive.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
14.1 Notification of Changes
When we make material changes to this Privacy Policy:
- We will update the "Last updated" date at the top of this page
- We will notify you by email if the changes significantly affect your rights
- We will post a notice on our Service for 30 days
14.2 Your Continued Use
Your continued use of the Service after the updated Privacy Policy becomes effective constitutes acceptance of the changes. If you do not agree with the updated Privacy Policy, you should stop using the Service and delete your account.
14.3 Review Regularly
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
Contact Us
15.1 General Inquiries
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Email: contact@decisionlog.me
15.2 Data Protection Officer (If Applicable)
If required by law in the future, we will designate a Data Protection Officer (DPO). Contact information will be provided here when applicable.
15.3 EU Representative (If Applicable)
If required under GDPR Article 27, we will designate an EU representative. Contact information will be provided here when applicable.
---
Last updated: April 27, 2026
This Privacy Policy was updated to reflect that analytics events (PostHog, Google Analytics, Firebase Analytics) are linked to a user ID so the same person can be recognised across web, Android and iOS. The user ID is an internal identifier (not your email or name). The content you create — decisions, notes, tags, titles, comments and any text entered into the app — is never sent to analytics. The consent mechanism is unchanged: web requires cookie banner acceptance, mobile is gated by the "Analytics" toggle in Settings → System → Privacy. Deleting your account also requests deletion of your analytics profile. Paddle and RevenueCat are used as payment processors.