Privacy Policy
Last Updated: October 2025
Version 1.0 — October 2025
Entity: Journey Bound Media, LLC dba DecodeIQ
Jurisdiction: State of New Mexico, United States
Contact: Privacy Email
1. Introduction
DecodeIQ ("we," "our," "us") operates as a Source-First Semantic Intelligence Platform. This policy explains what data we collect, why we collect it, how it flows through our systems, how long we retain it, and what rights you have.
Our approach to privacy mirrors our engineering philosophy: structure before surface. Data governance is designed at the source—through architecture, not afterthought.
This policy covers all DecodeIQ domains and services:
- decodeiq.ai (marketing site)
- app.decodeiq.ai (SaaS application)
- blog.decodeiq.ai (education hub)
- related APIs, dashboards, and integrations
2. Data Map: From Input to Deletion
Below is a transparent schematic of how personal and operational data moves through our system.
All systems operate under contractual data-processing agreements and secure transfer mechanisms (SCCs or Data Privacy Framework).
3. Data We Collect
3.1 Information You Provide
- Account Data: email, name, organization, password hash
- Workspace Data: plan tier, credits, usage history
- Billing Data: Stripe customer ID, subscription metadata
- Communications: messages sent to DecodeIQ (support, feedback)
3.2 Information Collected Automatically
- Log Data: IP address, device type, browser version, timestamps
- Usage Data: page visits, API events, error codes (PostHog, GA)
- Cookies & Tracking: session cookies, analytics and marketing pixels (with consent)
3.3 Derived or Processed Data
- Semantic Analysis Outputs: text embeddings, entities, and metrics produced by the MNSU Engine
- These contain no personal identifiers and are deleted automatically after job completion or within 30 days.
4. Purposes and Legal Bases for Processing
| Purpose | Legal Basis (GDPR) | Description |
|---|---|---|
| Account creation & login | Contract | Manage user identity and workspace access |
| Payment processing | Contract | Manage subscriptions and billing |
| Service operation (MNSU processing) | Contract | Execute user-initiated scans and analyses |
| Platform improvement | Legitimate Interest | Monitor usage, performance, and reliability |
| Marketing analytics | Consent | Measure campaign effectiveness (LinkedIn, Meta, Reddit, X) |
| Legal compliance & auditing | Legal Obligation | Maintain accounting and security records |
5. Processors and International Transfers
We use industry-standard providers to host, process, and deliver DecodeIQ services:
| Category | Processor | Jurisdiction | Transfer Mechanism |
|---|---|---|---|
| Hosting & Database | Supabase (Postgres, Auth, Storage) | U.S. | SCCs / DPF |
| Frontend Hosting | Vercel | U.S. | DPF |
| DNS / CDN | Cloudflare | U.S. / EU | DPF |
| Search Data | Bright Data | U.S. / Israel | SCCs |
| Crawling / Ingestion | SpiderCloud | EU / U.S. | SCCs |
| Vector Storage | Pinecone | U.S. | DPF |
| Payments | Stripe | U.S. / EU | DPF |
| AI Processing | OpenAI, Anthropic, Google (Gemini) | U.S. | SCCs / DPF |
| Analytics | PostHog, Google Analytics | U.S. / EU | SCCs / DPF |
| Marketing / Email | MailerLite | EU | SCCs |
All sub-processors are contractually bound to confidentiality and security obligations consistent with GDPR Art. 28.
6. Retention Policy
| Data Type | Retention | Deletion Mechanism |
|---|---|---|
| Active accounts | While account remains active | On deletion request |
| Logs & telemetry | ≤ 90 days | Automated rotation |
| Billing & invoices | 7 years | Legal requirement |
| Briefs & analysis outputs | ≤ 30 days post-completion | Automated deletion |
| Backups | 30-day rolling window | Encrypted destruction |
7. User Rights (GDPR / CCPA)
You may at any time:
- Access a copy of your personal data
- Correct inaccuracies
- Request deletion or anonymization
- Restrict or object to processing
- Export data in portable format
- Withdraw cookie or marketing consent
Submit requests via Privacy Email or your account settings panel. We respond within 30 days (45 for complex cases).
8. Cookies and Tracking Technologies
We categorize cookies into:
- Strictly Necessary: essential for login, session persistence, Stripe checkout
- Analytics: PostHog, Google Analytics (anonymous usage)
- Marketing: LinkedIn, Reddit, X, Meta pixels
- Functional: remembering preferences (language, consent)
You control activation via our cookie banner. Preferences are stored for 12 months in decodeiq_cookie_prefs. You may reset at any time under Manage Cookies in the site footer.
9. Security Measures
DecodeIQ's architecture implements retrievability-by-design principles for data protection:
- AES-256 encryption at rest, TLS 1.3 in transit
- Supabase Row-Level Security for workspace isolation
- Multi-factor access for internal admin systems
- 24-hour RPO / 15-minute RTO backup targets
- Continuous telemetry via PostHog & GA
- Automated incident detection and 72-hour notification policy
10. Logging and Telemetry
We log events to maintain reliability and detect abuse:
- Application logs (Supabase, Vercel, Cloudflare)
- Usage metrics (PostHog, Google Analytics)
- Marketing attribution (LinkedIn, Reddit, X, Meta pixels)
Logs exclude content of briefs or private documents. IP addresses are truncated or anonymized where required by GDPR.
11. Data Transfers Outside Your Region
If you reside in the EU, EEA, or UK, data may be transferred to the U.S. under:
- Standard Contractual Clauses (2021/914/EU), or
- Participation in the EU–U.S. Data Privacy Framework.
Copies of relevant clauses can be requested via Privacy Email.
12. Children's Privacy
DecodeIQ does not target or knowingly collect data from individuals under 16 years old. If you believe a minor has provided information, contact us immediately for deletion.
13. Updates to this Policy
We update this policy to reflect system or regulatory changes. Version history is logged at the top of this document. Significant updates trigger email notice to active subscribers.
14. Contact & Controller Information
Controller: Journey Bound Media, LLC dba DecodeIQ
Albuquerque, New Mexico, United States
Privacy Email
Supervisory Authority (EU users): You may also contact your local Data Protection Authority.
15. Summary Commitments
- No sale of personal data.
- No hidden third-party sharing.
- Transparent retention and deletion.
- 72-hour breach notification.
- Consent first for marketing.
- Architecture designed for compliance, not patched for it.
Effective Date: October 18, 2025
Version: 1.0