
Privacy Policy

Effective Date: January 14th, 2026


1. Introduction

Deck (“we”, “us”, or “our”) is operated by Soho Tech Holdings Pty Ltd, an Australian company. We provide a customer feedback management platform that helps product teams synthesize, organize, and share user research insights.

This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our service at getdeck.io (the “Service”). We are committed to protecting your privacy and handling your data transparently.

Contact Information:

Soho Tech Holdings Pty Ltd

Unit 34, 15-19 Boundary St, Darlinghurst, Sydney 2010, Australia

Privacy inquiries: matt.teixeira@getdeck.io


2. Information We Collect

2.1 Account Information

We use Clerk for authentication. When you create an account, the following information may be collected and stored by Clerk:

  • Email address
  • Name and surname (if you sign up via social login such as Google)
  • Organization membership information

Note: Deck does not store personal identity information in our own databases. This data is managed by Clerk in accordance with their privacy practices.

2.2 Customer Feedback Data

When you use Deck, you may upload or connect the following types of data:

  • User interview recordings: Video and audio files you upload directly to Deck
  • Transcripts: Text transcriptions of your interviews
  • Insights and themes: Synthesized insights generated from your feedback data
  • Video snippets: Highlight clips created from your recordings

2.3 Integration Data

If you connect third-party services to Deck:

  • CRM Integrations (Salesforce, HubSpot, Attio): We store only CRM user and account IDs. We do not store CRM record data. When you filter by CRM properties, we query your CRM in real-time. Your organization administrator controls which CRM fields can be queried.
  • Slack Integration: We fetch data from Slack channels you designate and can post insights to channels you specify.

2.4 Usage Analytics

We collect anonymized usage data through PostHog and RudderStack using cookieless tracking. This includes:

  • Feature usage patterns
  • Performance metrics
  • Error logs

We do not use cookies for analytics tracking.

2.5 Payment Information

Payment processing is handled entirely by Stripe. We do not store credit card numbers, bank account details, or other payment credentials on our servers.


3. How We Use Your Information

We use your information for the following purposes:

  • Providing the Service: Processing your feedback data, generating insights, and enabling collaboration features
  • AI-Powered Analysis: Sending transcripts and insights to large language model (LLM) providers to generate synthesized insights (see Section 4)
  • Service Improvement: Analyzing anonymized usage patterns to improve functionality
  • Communication: Sending service-related notifications and responding to support requests
  • Legal Compliance: Meeting our legal obligations and protecting our rights

4. Data Processing by AI Providers

To provide AI-powered synthesis and insight generation, we send certain data to third-party LLM providers:

  • Google (Gemini)
  • Anthropic (Claude)
  • OpenAI

What we send: Interview transcripts, insights, and themes for processing.

Important: We use these providers via their APIs. Your data is not used to train their AI models and is not retained by these providers beyond the immediate processing of your request.


5. Data Storage and Regional Hosting

5.1 Your Choice of Data Region

Organization administrators can choose where their data is stored from the following regions:

  • United States: Oregon
  • Europe: London
  • Australia: Sydney

This regional choice applies to:

  • Database storage (Neon Postgres)
  • Full interview recordings (Vercel Blob)
  • Video snippets (AWS S3)

5.2 Infrastructure Providers

We use the following infrastructure providers:

  • Vercel: Application hosting and blob storage
  • Neon: PostgreSQL database
  • AWS: S3 storage for video snippets
  • Upstash: Redis caching
  • Clerk: Authentication (note: Clerk data region cannot be selected by users)
  • Nango: Third-party integrations

6. Data Retention

Active accounts: We retain your data for as long as your account is active.

Inactive accounts: If your account has no activity for 365 consecutive days, your data may be deleted.

Deletion requests: When you request deletion of your data, we will complete the deletion within 14 days of your request.


7. Data Sharing

We do not sell your data. We do not share your data for advertising purposes.

We share data only with:

  • Service providers: The infrastructure and AI providers listed in this policy, solely to operate the Service
  • Legal requirements: When required by law, court order, or government request
  • Business transfers: In connection with a merger, acquisition, or sale of assets, with notice to you

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

8.1 All Users

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data
  • Data portability: Request your data in a portable format

8.2 Additional Rights for EU/UK Users (GDPR)

If you are located in the European Union or United Kingdom, you also have the right to:

  • Restrict processing: Request that we limit how we use your data
  • Object to processing: Object to processing based on legitimate interests
  • Lodge a complaint: File a complaint with your local data protection authority

Legal basis for processing (GDPR): We process your data based on: (a) your consent; (b) performance of our contract with you; (c) our legitimate business interests; or (d) compliance with legal obligations.

8.3 Exercising Your Rights

To exercise any of these rights, contact us at matt.teixeira@getdeck.io. We will respond within 30 days (or sooner where required by law).


9. Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption of data in transit (TLS) and at rest
  • Access controls and authentication
  • Regular security assessments
  • Infrastructure hosted on enterprise-grade cloud providers

We are building our practices in accordance with SOC 2 certification standards.


10. International Data Transfers

While you can choose your primary data storage region, some data processing may occur in other locations:

  • AI processing: Data sent to LLM providers may be processed in the United States
  • Authentication: Clerk may process authentication data in the United States
  • Analytics: Anonymized usage data may be processed internationally

Where data is transferred internationally, we ensure appropriate safeguards are in place, including standard contractual clauses where applicable.


11. Children's Privacy

Deck is a business-to-business service not intended for children. We do not knowingly collect personal information from anyone under 16 years of age. If you believe we have collected information from a child, please contact us immediately.


12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on our website with a new effective date
  • Sending an email notification for significant changes

Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.


13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Email: matt.teixeira@getdeck.io

Address:

Soho Tech Holdings Pty Ltd

Unit 34, 15-19 Boundary St

Darlinghurst, Sydney 2010, Australia
