Privacy Policy

1. Data Controller

DecisionOS (“we,” “us,” or “our”) is the data controller responsible for processing your personal data in connection with the DecisionOS platform. For privacy inquiries, contact us at privacy@decisionos.dev.

2. Data We Collect

We collect and process the following categories of data:

• Account information: Email address, name, profile picture, and organization membership, collected and managed through Clerk, our authentication provider.
• Organization data: Organization name, settings, plan tier, billing information, and member roles.
• Decision data: Decisions, rationale, alternatives considered, participants, outcomes, assumptions, tradeoffs, quality scores, tags, and related metadata submitted by your team.
• Meeting transcripts: Content from meeting transcription services (Otter.ai, Fireflies, Read.ai) sent via webhook for decision extraction.
• Slack messages: Messages from connected Slack channels that are processed through our decision classification pipeline.
• GitHub content: Pull request titles, descriptions, and comments from connected GitHub repositories.
• Jira issues: Issue summaries, descriptions, and metadata from connected Jira projects.
• Usage analytics: Page views, feature usage patterns, and performance metrics used to improve the product. These are collected in aggregate and are not linked to individual users.
• Comments and interactions: Comments, reactions, and review queue actions taken within the platform.

3. AI Processing Disclosure

DecisionOS uses artificial intelligence to provide its core features. We believe in full transparency about how AI processes your data:

• Decision classification (Anthropic Claude): Decision text and surrounding context are sent to Anthropic's Claude API for classification by type (technical, strategic, operational, etc.) and confidence scoring. Anthropic does not retain or train on data sent via their API. Processing is governed by Anthropic's commercial API terms, which prohibit use of customer data for model training.
• Semantic embeddings (OpenAI): Decision text is sent to OpenAI's embedding API (text-embedding-3-small) to generate vector representations for natural language search. OpenAI does not retain or train on data sent via their API under their business terms.
• Search reranking (Cohere, optional): When enabled, search results may be sent to Cohere's reranking API to improve search relevance. This feature is optional and can be disabled in organization settings.

Purpose limitation: AI processing is used solely for decision classification, search, and analytics within the DecisionOS platform. Your data is never used to train, fine-tune, or improve any AI model.

Opt-out: Organization administrators can disable AI classification in organization settings. When AI processing is disabled, decisions can still be manually classified and searched using keyword matching. To request complete removal of AI-processed data, contact privacy@decisionos.dev.

4. Legal Basis for Processing (GDPR Article 6)

We process personal data under the following legal bases:

• Contract performance (Art. 6(1)(b)): Processing necessary to provide the DecisionOS service as described in your subscription agreement, including storing decisions, running the classification pipeline, and generating analytics.
• Legitimate interest (Art. 6(1)(f)): Processing necessary for our legitimate interests in improving the service, preventing abuse, and ensuring platform security. This includes usage analytics, rate limiting, and audit logging.
• Consent (Art. 6(1)(a)): Where required, we obtain consent for optional processing activities such as connecting third-party integrations (Slack, GitHub, Jira) and enabling optional AI features (Cohere reranking).
• Legal obligation (Art. 6(1)(c)): Processing necessary to comply with legal obligations, such as maintaining audit logs and responding to lawful data requests.

5. Sub-Processors

We engage third-party sub-processors to deliver the DecisionOS service. Each sub-processor is bound by data processing agreements that require equivalent data protection standards. For the complete list of sub-processors including their purpose, data processed, and location, see our Sub-Processors page.

6. Data Retention

• Decision data: Retained for the duration of your subscription, with a default maximum retention period of 2 years. Organization administrators can configure shorter retention periods.
• Raw transcripts: Retained for 90 days by default (configurable per organization).
• Webhook delivery logs: Retained for 90 days.
• Audit logs: Retained for a minimum of 1 year for compliance purposes.
• Account data: Retained for the life of the account plus 30 days after cancellation to allow reactivation or data export.
• Backups: All data, including backups, is permanently deleted within 60 days after account cancellation.
• Deletion on request: You may request deletion of your personal data at any time. Requests are fulfilled within 30 days, subject to legal hold obligations.

7. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the following rights:

• Right of access (Art. 15): Request a copy of all personal data we hold about you.
• Right to rectification (Art. 16): Correct inaccurate or incomplete personal data.
• Right to erasure (Art. 17): Request deletion or anonymization of your personal data. DecisionOS anonymizes personal identifiers while preserving decision records for organizational continuity.
• Right to data portability (Art. 20): Export your data in machine-readable format (JSON or CSV) via Settings or the API.
• Right to restriction of processing (Art. 18): Request that we limit processing of your personal data in certain circumstances.
• Right to object (Art. 21): Object to processing based on legitimate interest, including profiling.

How to exercise your rights: Use the data export and erasure features in Settings, submit a request to privacy@decisionos.dev, or use the per-user DSAR export endpoint. We respond to all requests within 30 days.

You also have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.

8. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our primary sub-processors are located. For all such transfers, we rely on the European Commission's Standard Contractual Clauses (SCCs) to ensure an adequate level of data protection. Where a sub-processor is located in a country with an adequacy decision from the European Commission, transfers are made under that framework.

9. Cookies

DecisionOS uses only essential cookies required for authentication and session management, provided by Clerk. We do not use tracking cookies, analytics cookies, or advertising cookies. No cookie consent banner is required because we do not use non-essential cookies. For details, see our Cookie Policy.

10. Children's Privacy

DecisionOS is a business-to-business platform designed for professional use. Our service is not directed at children under the age of 16, and we do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected data from a child under 16, we will take steps to delete that data promptly.

11. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

• Categories of personal information collected: Identifiers (name, email), professional information (organization, role), internet activity (usage analytics), and content you provide (decisions, comments).
• No sale of personal information: We do not sell, and have never sold, personal information to third parties.
• No sharing for cross-context behavioral advertising: We do not share personal information for cross-context behavioral advertising purposes.
• Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to opt-out: As we do not sell personal information, the right to opt-out of sale does not apply. You may opt out of AI processing as described in Section 3.
• Non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise your California privacy rights, contact privacy@decisionos.dev or use the data management features in Settings.

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice via email to the address associated with your account before the changes take effect. Non-material changes (such as clarifications or formatting updates) may be made without prior notice. We encourage you to review this page periodically. Your continued use of DecisionOS after changes take effect constitutes acceptance of the updated policy.

13. Contact

For privacy-related questions, concerns, or to exercise your data protection rights, contact us at:

privacy@decisionos.dev