Privacy Policy
Last Updated: May 2026
Privacy Policy
Version 1.3, June 2026 Entity: Journey Bound Media, LLC dba DecodeIQ Jurisdiction: State of New Mexico, United States Contact: Privacy Email Version history: v1.3: switched analytics to an opt-out model; rewrote §8 with PostHog and Google Analytics disclosures, opt-out instructions, a California Do Not Sell statement, and a cookie list. v1.2: corrected §6 to reflect that analysis data is retained while the account is active and deleted on account deletion; added scan de-identification disclosure. v1.1: initial release.
1. Introduction
DecodeIQ ("we," "our," "us") operates as a Buyer Intelligence Service for e-commerce sellers. This policy explains what data we collect, why we collect it, how it flows through our systems, how long we retain it, and what rights you have.
Our approach to privacy mirrors our engineering philosophy: structure before surface. Data governance is designed at the source, through architecture, not afterthought.
This policy covers all DecodeIQ domains and services:
- decodeiq.ai (marketing site)
- app.decodeiq.ai (SaaS application)
- blog.decodeiq.ai (education hub)
- related APIs, dashboards, and integrations
2. Data Map: From Input to Deletion
Below is a transparent schematic of how personal and operational data moves through our system.
All systems operate under contractual data-processing agreements and secure transfer mechanisms (SCCs or Data Privacy Framework).
3. Data We Collect
3.1 Information You Provide
- Account Data: email, name, organization, password hash
- Workspace Data: plan tier, usage history
- Billing Data: Stripe customer ID, subscription metadata
- Communications: messages sent to DecodeIQ (support, feedback)
- Analysis Inputs: URLs submitted for analysis, text content pasted for analysis
3.2 Information Collected Automatically
- Log Data: IP address, device type, browser version, timestamps
- Usage Data: page visits, API events, error codes (PostHog, GA, Sentry)
- Cookies & Tracking: session cookies, analytics and marketing pixels (with consent)
3.3 Derived or Processed Data
- Buyer Intelligence Outputs: Voice Maps, buyer language patterns, and recommendations produced by the buyer intelligence engine
- These contain no personal identifiers. They are retained while your account is active and are deleted when you delete your account.
4. Purposes and Legal Bases for Processing
| Purpose | Legal Basis (GDPR) | Description |
|---|---|---|
| Account creation & login | Contract | Manage user identity and workspace access |
| Payment processing | Contract | Manage subscriptions and billing |
| Service operation (buyer intelligence) | Contract | Execute user-initiated category scans and content generations |
| Platform improvement | Legitimate Interest | Monitor usage, performance, and reliability |
| Marketing analytics | Consent | Measure campaign effectiveness (LinkedIn, Meta, Reddit, X) |
| Legal compliance & auditing | Legal Obligation | Maintain accounting and security records |
5. Processors and International Transfers
We use industry-standard providers to host, process, and deliver DecodeIQ services:
| Category | Processor | Jurisdiction | Transfer Mechanism |
|---|---|---|---|
| Hosting & Database | Supabase (Postgres, Auth, Storage) | U.S. | SCCs / DPF |
| Frontend Hosting | Vercel | U.S. | DPF |
| DNS / CDN | Cloudflare | U.S. / EU | DPF |
| Vector Storage | Pinecone | U.S. | DPF |
| Payments | Stripe | U.S. / EU | DPF |
| AI Processing | OpenAI, Anthropic, Google (Gemini) | U.S. | SCCs / DPF |
| Analytics | PostHog, Google Analytics | U.S. / EU | SCCs / DPF |
| Error Monitoring | Sentry | U.S. | DPF |
| Marketing / Email | Resend | U.S. | DPF |
All sub-processors are contractually bound to confidentiality and security obligations consistent with GDPR Art. 28.
6. Retention Policy
| Data Type | Retention | Deletion Mechanism |
|---|---|---|
| Active accounts | While account remains active | On deletion request |
| Logs & telemetry | ≤ 90 days | Automated rotation |
| Billing & invoices | 7 years | Legal requirement |
| Analysis data (Voice Maps, generated content) | While the account remains active | Deleted on account deletion |
| Scan records (queries and collected public data) | While the account remains active; de-identified and retained as aggregate corpus after account deletion | user link removed on deletion |
| Backups | 30-day rolling window | Encrypted destruction |
When you delete your account, we remove your account-holder records. This includes your profile, login identifiers, generated content, Voice Maps, credit balances and history, and the vector embeddings associated with your account. We retain anonymized scan records and the aggregated buyer-voice content drawn from public third-party sources, such as forum, review, and video discussions. These retained records are stripped of the identifiers that link them to your account, and we use them only in aggregate to maintain and improve category-level buyer-language analysis.
7. User Rights (GDPR / CCPA)
You may at any time:
- Access a copy of your personal data
- Correct inaccuracies
- Request deletion or anonymization
- Restrict or object to processing
- Export data in portable format
- Withdraw cookie or marketing consent
Submit requests via Privacy Email or your account settings panel. We respond within 30 days (45 for complex cases).
8. Cookies and Tracking Technologies
8.1 What We Use
We use two analytics tools to understand how people use our site:
- PostHog (product analytics): page views, session duration, clicks, and feature usage. PostHog assigns an anonymous ID. We do not send it your name or email on the marketing site.
- Google Analytics (site usage analytics): page views, session duration, and device and browser information.
These tools collect usage data. They do not collect the content of your scans or generated copy. We do not share your personal data with third parties for advertising purposes.
8.2 Your Choices
Analytics runs by default. You can opt out at any time:
- Click "Opt Out" on the cookie banner at the bottom of the page.
- Or contact us at Privacy Email.
Opting out sets a preference cookie and stops analytics collection. On your next visit PostHog will not load and Google Analytics switches to a denied consent state.
8.3 California Privacy Rights (CCPA / CPRA)
If you live in California, you have the right to know what personal information we collect and to ask us to delete it.
Do Not Sell or Share My Personal Information. DecodeIQ does not sell your personal information. We do not share it for cross-context behavioral advertising. To exercise your California privacy rights, contact Privacy Email.
8.4 Cookie List
| Cookie | Purpose | Lifespan |
|---|---|---|
| diq-tracking-consent | Stores your tracking preference (granted or denied) | 1 year |
| diq-banner-dismissed | Records that you closed the cookie banner | 1 year |
| PostHog cookies (ph_*) | Anonymous analytics session and device IDs | Up to 1 year |
| Google Analytics (_ga, ga*) | Distinguishes visitors for aggregate analytics | Up to 2 years |
9. Security Measures
DecodeIQ's architecture implements security-by-design principles for data protection:
- AES-256 encryption at rest, TLS 1.3 in transit
- Supabase Row-Level Security for workspace isolation
- Multi-factor access for internal admin systems
- 24-hour RPO / 15-minute RTO backup targets
- Continuous telemetry via PostHog, GA, and Sentry
- Automated incident detection and 72-hour notification policy
10. Logging and Telemetry
We log events to maintain reliability and detect abuse:
- Application logs (Supabase, Vercel, Cloudflare)
- Usage metrics and error tracking (PostHog, Google Analytics, Sentry)
- Marketing attribution (LinkedIn, Reddit, X, Meta pixels)
Logs exclude content of analysis reports or private documents. IP addresses are truncated or anonymized where required by GDPR.
11. Data Transfers Outside Your Region
If you reside in the EU, EEA, or UK, data may be transferred to the U.S. under:
- Standard Contractual Clauses (2021/914/EU), or
- Participation in the EU-U.S. Data Privacy Framework.
Copies of relevant clauses can be requested via Privacy Email.
12. Children's Privacy
DecodeIQ does not target or knowingly collect data from individuals under 16 years old. If you believe a minor has provided information, contact us immediately for deletion.
13. Updates to this Policy
We update this policy to reflect system or regulatory changes. Version history is logged at the top of this document. Significant updates trigger email notice to active subscribers.
14. Contact & Controller Information
Controller: Journey Bound Media, LLC dba DecodeIQ Albuquerque, New Mexico, United States Privacy Email
Supervisory Authority (EU users): You may also contact your local Data Protection Authority.
15. Summary Commitments
- No sale of personal data.
- No hidden third-party sharing.
- Transparent retention and deletion.
- 72-hour breach notification.
- Consent first for marketing.
- Architecture designed for compliance, not patched for it.
Effective Date: June 22, 2026 Version: 1.3