Privacy Policy
Last Updated: January 2026
Privacy Policy
Version 1.1 — January 2026 Entity: Journey Bound Media, LLC dba DecodeIQ Jurisdiction: State of New Mexico, United States Contact: Privacy Email
1. Introduction
DecodeIQ ("we," "our," "us") operates as a Semantic Intelligence Service for content analysis. This policy explains what data we collect, why we collect it, how it flows through our systems, how long we retain it, and what rights you have.
Our approach to privacy mirrors our engineering philosophy: structure before surface. Data governance is designed at the source—through architecture, not afterthought.
This policy covers all DecodeIQ domains and services:
- decodeiq.ai (marketing site)
- app.decodeiq.ai (SaaS application)
- blog.decodeiq.ai (education hub)
- related APIs, dashboards, and integrations
2. Data Map: From Input to Deletion
Below is a transparent schematic of how personal and operational data moves through our system.
All systems operate under contractual data-processing agreements and secure transfer mechanisms (SCCs or Data Privacy Framework).
3. Data We Collect
3.1 Information You Provide
- Account Data: email, name, organization, password hash
- Workspace Data: plan tier, usage history
- Billing Data: Stripe customer ID, subscription metadata
- Communications: messages sent to DecodeIQ (support, feedback)
- Analysis Inputs: URLs submitted for analysis, text content pasted for analysis
3.2 Information Collected Automatically
- Log Data: IP address, device type, browser version, timestamps
- Usage Data: page visits, API events, error codes (PostHog, GA)
- Cookies & Tracking: session cookies, analytics and marketing pixels (with consent)
3.3 Derived or Processed Data
- Semantic Analysis Outputs: text embeddings, entities, metrics, and recommendations produced by the semantic analysis engine
- These contain no personal identifiers and are deleted automatically after report retention period expires (48 hours to unlimited, based on plan tier).
4. Purposes and Legal Bases for Processing
| Purpose | Legal Basis (GDPR) | Description |
|---|---|---|
| Account creation & login | Contract | Manage user identity and workspace access |
| Payment processing | Contract | Manage subscriptions and billing |
| Service operation (semantic analysis) | Contract | Execute user-initiated page analyses |
| Platform improvement | Legitimate Interest | Monitor usage, performance, and reliability |
| Marketing analytics | Consent | Measure campaign effectiveness (LinkedIn, Meta, Reddit, X) |
| Legal compliance & auditing | Legal Obligation | Maintain accounting and security records |
5. Processors and International Transfers
We use industry-standard providers to host, process, and deliver DecodeIQ services:
| Category | Processor | Jurisdiction | Transfer Mechanism |
|---|---|---|---|
| Hosting & Database | Supabase (Postgres, Auth, Storage) | U.S. | SCCs / DPF |
| Frontend Hosting | Vercel | U.S. | DPF |
| DNS / CDN | Cloudflare | U.S. / EU | DPF |
| Vector Storage | Pinecone | U.S. | DPF |
| Payments | Stripe | U.S. / EU | DPF |
| AI Processing | OpenAI, Anthropic, Google (Gemini) | U.S. | SCCs / DPF |
| Analytics | PostHog, Google Analytics | U.S. / EU | SCCs / DPF |
| Marketing / Email | MailerLite | EU | SCCs |
All sub-processors are contractually bound to confidentiality and security obligations consistent with GDPR Art. 28.
6. Retention Policy
| Data Type | Retention | Deletion Mechanism |
|---|---|---|
| Active accounts | While account remains active | On deletion request |
| Logs & telemetry | ≤ 90 days | Automated rotation |
| Billing & invoices | 7 years | Legal requirement |
| Analysis reports (Basic tier) | 48 hours post-generation | Automated deletion |
| Analysis reports (Starter tier) | 30 days post-generation | Automated deletion |
| Analysis reports (Pro tier) | Unlimited (while subscribed) | On account deletion |
| Backups | 30-day rolling window | Encrypted destruction |
7. User Rights (GDPR / CCPA)
You may at any time:
- Access a copy of your personal data
- Correct inaccuracies
- Request deletion or anonymization
- Restrict or object to processing
- Export data in portable format
- Withdraw cookie or marketing consent
Submit requests via Privacy Email or your account settings panel. We respond within 30 days (45 for complex cases).
8. Cookies and Tracking Technologies
We categorize cookies into:
- Strictly Necessary: essential for login, session persistence, Stripe checkout
- Analytics: PostHog, Google Analytics (anonymous usage)
- Marketing: LinkedIn, Reddit, X, Meta pixels
- Functional: remembering preferences (language, consent)
You control activation via our cookie banner. Preferences are stored for 12 months in decodeiq_cookie_prefs. You may reset at any time under Manage Cookies in the site footer.
9. Security Measures
DecodeIQ's architecture implements security-by-design principles for data protection:
- AES-256 encryption at rest, TLS 1.3 in transit
- Supabase Row-Level Security for workspace isolation
- Multi-factor access for internal admin systems
- 24-hour RPO / 15-minute RTO backup targets
- Continuous telemetry via PostHog & GA
- Automated incident detection and 72-hour notification policy
10. Logging and Telemetry
We log events to maintain reliability and detect abuse:
- Application logs (Supabase, Vercel, Cloudflare)
- Usage metrics (PostHog, Google Analytics)
- Marketing attribution (LinkedIn, Reddit, X, Meta pixels)
Logs exclude content of analysis reports or private documents. IP addresses are truncated or anonymized where required by GDPR.
11. Data Transfers Outside Your Region
If you reside in the EU, EEA, or UK, data may be transferred to the U.S. under:
- Standard Contractual Clauses (2021/914/EU), or
- Participation in the EU–U.S. Data Privacy Framework.
Copies of relevant clauses can be requested via Privacy Email.
12. Children's Privacy
DecodeIQ does not target or knowingly collect data from individuals under 16 years old. If you believe a minor has provided information, contact us immediately for deletion.
13. Updates to this Policy
We update this policy to reflect system or regulatory changes. Version history is logged at the top of this document. Significant updates trigger email notice to active subscribers.
14. Contact & Controller Information
Controller: Journey Bound Media, LLC dba DecodeIQ Albuquerque, New Mexico, United States Privacy Email
Supervisory Authority (EU users): You may also contact your local Data Protection Authority.
15. Summary Commitments
- No sale of personal data.
- No hidden third-party sharing.
- Transparent retention and deletion.
- 72-hour breach notification.
- Consent first for marketing.
- Architecture designed for compliance, not patched for it.
Effective Date: January 27, 2026 Version: 1.1