Decision Log

Privacy Policy

Last updated: November 29, 2025

NOTICE: DecisionLog is currently in BETA version. The service may contain bugs, be unstable, and be subject to frequent changes.

Introduction

DecisionLog is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our DecisionLog service, including our website and application.

Information We Collect

2.1 Personal Information

When you create an account, we collect information such as your name, email address, and authentication details provided through Auth0. We do not store your passwords directly.

We also collect:

  • Display name
  • Preferred language settings
  • Avatar or profile picture (if provided)
  • User ID assigned by Auth0

2.2 Usage Information

We collect information about how you use our Service, including:

  • Decisions you create, edit, view, and delete
  • Collections you organize
  • Templates you use or create
  • Decision replacement chains and archives
  • Search queries and filters
  • Date and time of interactions with the platform

2.3 Marketing Consent Data

If you opt-in to marketing communications:

  • Your marketing consent status (yes/no)
  • Date and time when consent was given or withdrawn
  • IP address at the time of consent (for compliance and fraud prevention)
  • Email address for newsletter delivery

2.4 Technical Data

We automatically collect certain technical information:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Time zone settings
  • Cookie data (see our Cookie Policy below)
  • Usage analytics through Google Analytics (if consent given)

For mobile app users:

  • Device model and manufacturer
  • Operating system version
  • App version
  • Crash logs and diagnostics (Firebase Crashlytics)
  • Analytics events (Firebase Analytics)

2.5 Third-Party Authentication Data

When you authenticate through Auth0, we receive:

  • Your Auth0 user ID
  • Email address verified by Auth0
  • Profile information you've shared with Auth0 (name, picture)
  • OAuth tokens for session management

Auth0 may process additional data according to their own privacy policy.

Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases as required by the General Data Protection Regulation (GDPR):

3.1 Contract Performance (Art. 6(1)(b) GDPR)

Processing necessary for the performance of the contract between you and DecisionLog:

  • Creating and managing your user account
  • Providing access to Service features (decisions, collections, templates)
  • Storing and displaying your content
  • Authenticating your access via Auth0
  • Delivering customer support
  • Processing your settings and preferences

3.2 Consent (Art. 6(1)(a) GDPR)

Processing based on your explicit consent:

  • Newsletter subscription and marketing communications (via MailerLite)
  • Website analytics and usage tracking (Google Analytics - optional, web only)
  • Storing marketing consent metadata (IP address, timestamp)
  • Processing profile data (avatar, display name)

You may withdraw consent at any time by:

  • Unsubscribing from newsletters (click unsubscribe link in emails)
  • Declining analytics cookies through our cookie consent banner
  • Updating your marketing preferences in account settings
  • Contacting us at contact@decisionlog.me

Withdrawing consent does not affect the lawfulness of processing based on consent before withdrawal.

3.3 Legitimate Interests (Art. 6(1)(f) GDPR)

Processing necessary for our legitimate business interests (balanced against your rights):

  • Detecting and preventing fraud, abuse, and security threats
  • Improving and optimizing Service functionality and performance
  • Analyzing usage patterns to enhance user experience (anonymized data)
  • Maintaining service stability and preventing technical issues
  • Mobile app crash reporting and diagnostics (Firebase Crashlytics) - essential for identifying and fixing bugs, ensuring app stability and user safety
  • Mobile app usage analytics (Firebase Analytics) - helps us understand how users interact with the mobile app to improve functionality and user experience
  • Enforcing our Terms of Service
  • Protecting our legal rights and interests

Mobile App Users: Firebase Analytics and Crashlytics are an integral part of our mobile application, essential for ensuring stability and improving functionality. Data is collected anonymously and is not sold to third parties.

How We Use Your Information

We use the information we collect to:

  • Provide and maintain our Service
  • Manage your account and authenticate your access
  • Provide customer support and respond to your inquiries
  • Improve and optimize our Service
  • Comply with legal obligations

Information Sharing

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:

  • With your explicit consent
  • To comply with legal requirements or law enforcement requests
  • With trusted service providers who assist in operating our Service (such as Auth0 for authentication)
  • In connection with a business transaction, such as a merger or acquisition

Data Security and Limitations

5.1 Security Measures

We implement industry-standard security practices including:

  • HTTPS/TLS encryption for all data in transit between your device and our servers
  • Secure authentication via Auth0 with JSON Web Tokens (JWT)
  • Access controls and authentication requirements for all Service features
  • Secure token storage on mobile devices (Android KeyStore, iOS Keychain)
  • Regular security updates and monitoring for vulnerabilities
  • Password security: We never store your passwords directly (handled by Auth0)

5.2 Encryption Limitations

IMPORTANT: While we encrypt data during transmission (in transit), our database does NOT use encryption at rest. This means:

  • Your data is stored in unencrypted form on our database servers
  • In the event of a database breach or unauthorized server access, your data could be exposed in readable form
  • We implement access controls and security measures to prevent unauthorized access, but these do not provide encryption of stored data

We are transparent about this limitation to help you make informed decisions about what data to store in DecisionLog.

5.3 No Absolute Security Guarantee

NO METHOD OF TRANSMISSION OR STORAGE IS 100% SECURE. Despite our security measures:

  • We cannot guarantee absolute security of your data
  • Cyber attacks, technical failures, or security breaches may occur
  • Data may be intercepted, accessed, or compromised by unauthorized parties

By using DecisionLog, you acknowledge and accept these security limitations and the associated risks.

5.4 Security Incident Notification

In the event of a data breach that compromises your personal information:

  • We will notify you via email within 72 hours of becoming aware of the breach (as required by GDPR)
  • The notification will include: nature of the breach, data affected, steps we're taking, and recommendations for you
  • We will also notify relevant supervisory authorities as required by applicable law

If you become aware of any security vulnerability or breach, please contact us immediately at contact@decisionlog.me.

International Data Transfers

6.1 Cross-Border Data Processing

Your personal information may be transferred to, stored, and processed in countries outside the European Economic Area (EEA), including the United States. These countries may have data protection laws that differ from those in your jurisdiction.

6.2 Third-Party Services Located Outside EEA

We use the following services that process data outside the EEA:

Authentication and Infrastructure (United States):

  • Auth0 (USA): User authentication and account management
  • Render.com (USA): Application and database hosting

Media and Analytics (United States):

  • Cloudinary (USA): Image storage and processing for user avatars
  • Google Analytics (USA): Website analytics and usage tracking (optional, requires consent)
  • Firebase Analytics (USA): Mobile app analytics (enabled by default, legitimate interest basis)
  • Firebase Crashlytics (USA): Mobile app crash reporting and diagnostics (enabled by default, legitimate interest basis)

Email Marketing (Various Locations):

  • MailerLite (Lithuania/EU and global CDN): Newsletter delivery and marketing communications (optional, requires consent)

6.3 Legal Basis for Transfers

We transfer your data internationally based on:

1. Your explicit consent - By using our Service, you consent to international data transfers

2. Necessity for contract performance - Transfers are necessary to provide the Service you requested

3. Standard Contractual Clauses (SCCs) - Where applicable, our service providers use EU-approved SCCs

4. Legitimate interests - In providing and improving our Service

6.4 Data Protection Safeguards

While our service providers may be certified under frameworks such as the EU-U.S. Data Privacy Framework or use Standard Contractual Clauses, we cannot guarantee the same level of data protection as required under EU law.

Different countries have different legal requirements for government access to data. Data stored in the United States may be subject to access requests from U.S. government authorities.

By using DecisionLog, you acknowledge and consent to these international data transfers and the associated risks.

Data Retention

7.1 Active Account Data

We retain your personal information for as long as your account remains active and you continue to use our Service.

7.2 Account Deletion

When you request account deletion:

  • Your data is no longer accessible through the Service interface
  • We retain data for up to 90 days before permanent deletion
  • During this period you may recover your account by contacting us

7.3 Permanent Deletion

After the retention period expires:

  • Personal identifiable information is permanently deleted from our primary database
  • Backups containing your data may persist for up to 6 months due to backup retention cycles
  • Anonymized analytics data may be retained indefinitely for statistical purposes (with all personal identifiers removed)

7.4 Marketing Data Retention

If you subscribe to our newsletter:

  • Marketing consent data (email, IP address, timestamp) is retained until you unsubscribe
  • After unsubscription, we retain your email address for 3 years to honor your opt-out preference and prevent accidental re-subscription
  • MailerLite retains data according to their own retention policy

7.5 Legal and Compliance Retention

Certain data may be retained longer when required by law:

  • Tax and accounting records: 7 years (legal requirement in Poland)
  • Security incident logs: 2 years (security and fraud prevention)
  • Legal dispute records: Duration of dispute + 3 years (statute of limitations)

7.6 Data Minimization

We regularly review stored data and delete information that is no longer necessary for the purposes for which it was collected.

Children's Privacy

DecisionLog is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at contact@decisionlog.me. We will promptly delete such information from our systems.

Cookie Policy

10.1 What Are Cookies

Cookies are small text files stored on your device when you visit our website. We use cookies to provide, secure, and improve our Service.

10.2 Types of Cookies We Use

Essential Cookies (Strictly Necessary):

  • Authentication cookies: User session management
  • Locale preference: Stores your language preference

Analytics Cookies (Optional - Require Consent):

  • Google Analytics: Tracks page views, user interactions, and usage patterns (you can opt-out using browser settings)

Mobile App Local Storage:

  • Android: Encrypted storage via DataStore and KeyStore (auth tokens)
  • iOS: Secure storage via Keychain (auth tokens)

10.3 Managing Cookies

You can control cookies through your browser settings:

  • Most browsers allow you to refuse cookies or delete existing cookies
  • Disabling essential cookies may prevent you from using certain Service features
  • Analytics cookies can be disabled without affecting core functionality

For mobile apps, uninstalling the app deletes all local storage.

10.4 Third-Party Cookies

Third-party services (Auth0, Google Analytics) may set their own cookies. We do not control these cookies. Please review their privacy policies:

  • Auth0: https://auth0.com/privacy
  • Google Analytics: https://policies.google.com/privacy

Third-Party Services We Use

We use the following third-party services to provide and improve DecisionLog:

11.1 Authentication and User Management

Auth0 (USA) - Privacy policy: https://auth0.com/privacy

11.2 Infrastructure and Hosting

Render.com (USA) - Privacy policy: https://render.com/privacy

11.3 Image Storage and Processing

Cloudinary (USA)

  • Purpose: Avatar image upload, storage, and transformation
  • Data processed: User-uploaded avatar images, Cloudinary public IDs
  • Privacy policy: https://cloudinary.com/privacy

11.4 Website Analytics (Optional - Requires Consent)

Google Analytics (USA)

  • Purpose: Website usage analytics, user behavior tracking
  • Data processed: Page views, events, anonymized IP addresses, device info
  • Privacy policy: https://policies.google.com/privacy

11.5 Mobile App Monitoring (Enabled by Default - Legitimate Interest Basis)

Firebase Analytics (USA, Mobile App)

  • Purpose: Mobile app usage analytics and user engagement tracking
  • Legal basis: Legitimate interests (improving app functionality)
  • Data processed: Events, device info, app version, coarse location (from IP)
  • Privacy policy: https://firebase.google.com/support/privacy

Firebase Crashlytics (USA, Mobile App)

  • Purpose: Crash reporting and diagnostics for mobile app
  • Legal basis: Legitimate interests (ensuring app stability and security)
  • Data processed: Crash logs, stack traces, device info, app version
  • Privacy policy: https://firebase.google.com/support/privacy

11.6 Email Marketing (Optional - Requires Consent)

MailerLite (Lithuania/EU)

  • Purpose: Newsletter delivery and marketing communications
  • Data processed: Email address, display name, preferred language, marketing consent metadata
  • Privacy policy: https://www.mailerlite.com/legal/privacy-policy

11.7 Data Sharing with Third Parties

We share data with these services only as necessary to provide our Service. We do not sell your data to any third party.

Each third-party service processes data according to their own privacy policies. We recommend reviewing these policies to understand how your data is handled.

Your Rights

Under the General Data Protection Regulation (GDPR) and other applicable privacy laws, you have the following rights:

12.1 Right to Access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether your personal data is being processed and to access such data. You can request:

  • What personal data we hold about you
  • Why we are processing it
  • Who we share it with
  • How long we will keep it

12.2 Right to Rectification (Art. 16 GDPR)

You have the right to correct inaccurate personal data and to complete incomplete personal data.

12.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You have the right to request deletion of your personal data when:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw your consent (where processing is based on consent)
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Deletion is required by legal obligation

Note: Your data will enter a 90-day soft delete period before permanent deletion. Backups may persist for up to 6 months.

12.4 Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request restriction of processing when:

  • You contest the accuracy of your personal data
  • The processing is unlawful but you prefer restriction over deletion
  • We no longer need the data but you need it for legal claims
  • You have objected to processing pending verification

12.5 Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV). You can request to transfer this data to another service provider.

How to export: Use the export feature in your account settings or contact us at contact@decisionlog.me.

12.6 Right to Object (Art. 21 GDPR)

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes.

12.7 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.

12.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of alleged infringement.

Poland: Office for Personal Data Protection (UODO) - https://uodo.gov.pl

12.9 How to Exercise Your Rights

To exercise any of these rights, contact us at: contact@decisionlog.me

We will respond to your request within 30 days (as required by GDPR). In complex cases, we may extend this by an additional 60 days and will inform you of any delay.

12.10 Verification

To protect your privacy, we may request additional information to verify your identity before fulfilling your request.

12.11 No Fees

Exercising your rights is generally free of charge. However, we may charge a reasonable fee or refuse the request if it is manifestly unfounded, excessive, or repetitive.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

14.1 Notification of Changes

When we make material changes to this Privacy Policy:

  • We will update the "Last updated" date at the top of this page
  • We will notify you by email if the changes significantly affect your rights
  • We will post a notice on our Service for 30 days

14.2 Your Continued Use

Your continued use of the Service after the updated Privacy Policy becomes effective constitutes acceptance of the changes. If you do not agree with the updated Privacy Policy, you should stop using the Service and delete your account.

14.3 Review Regularly

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

Contact Us

15.1 General Inquiries

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Email: contact@decisionlog.me

15.2 Data Protection Officer (If Applicable)

If required by law in the future, we will designate a Data Protection Officer (DPO). Contact information will be provided here when applicable.

15.3 EU Representative (If Applicable)

If required under GDPR Article 27, we will designate an EU representative. Contact information will be provided here when applicable.

---

Last updated: November 29, 2025

This Privacy Policy was comprehensively updated to ensure full GDPR compliance, transparency about data security limitations (including lack of encryption at rest), and detailed disclosure of all third-party services and international data transfers.