Privacy Policy

Last Updated: May 26, 2025

This Privacy Policy describes how Decklio collects, uses, and protects your personal information when you use our educational flashcard platform.


Table of Contents

  1. Data Controller Information
  2. Data We Collect
  3. Lawful Basis for Processing
  4. How We Use Your Data
  5. Data Sharing
  6. Data Security
  7. Data Retention
  8. Your Privacy Rights
  9. International Transfers
  10. Contact Information

1. Data Controller Information

Data Controller: Inferlio
KVK Registration Number: 97190772
Registered Address: Truus Gelsingstraat 287, 6663 RE Nijmegen, The Netherlands
Data Protection Officer: support@decklio.com

2. Data We Collect

2.1 Account Information

  • Email address (required for authentication)
  • Password (stored encrypted)
  • Profile information (name, profile URL)
  • Account preferences and settings

2.2 Educational Content

  • Flashcard content you create
  • Study session data and progress metrics
  • Performance analytics and learning patterns
  • Spaced repetition algorithm data
  • Quiz results and completion rates

2.3 AI Processing Data

  • Content sent to AI providers (OpenAI GPT-4o, Google Gemini, Anthropic Claude)
  • Web content imported for flashcard creation
  • AI-generated suggestions and enhancements

2.4 Social Features

  • Public deck sharing preferences
  • User profile information for discovery
  • Community interactions and reports

2.5 Payment Information

  • Subscription details for Pro accounts
  • Payment processing data (handled by third-party processors)
  • Usage tracking for billing purposes

2.6 Technical Data

  • Device information and browser type
  • IP address and location data
  • Usage patterns and feature interactions
  • Error logs and performance metrics

3. Lawful Basis for Processing

3.1 Contract Performance (GDPR Art. 6(1)(b))

  • Providing core educational services
  • Account management and authentication
  • Content storage and synchronization
  • Pro subscription features

3.2 Legitimate Interests (GDPR Art. 6(1)(f))

  • Service improvement and analytics
  • Security monitoring and fraud prevention
  • Technical support and troubleshooting
  • Marketing to existing customers

3.3 Consent (GDPR Art. 6(1)(a))

  • Marketing communications to prospects
  • Optional analytics and research participation
  • Third-party service integrations

3.4 Legal Obligation (GDPR Art. 6(1)(c))

  • Financial record keeping
  • Tax compliance
  • Legal dispute resolution

4. How We Use Your Data

4.1 Service Provision

  • Creating and managing your account
  • Storing and organizing your flashcards
  • Providing spaced repetition algorithms
  • Enabling collaborative features

4.2 Service Improvement

  • Analyzing usage patterns to enhance features
  • Identifying and fixing technical issues
  • Developing new educational tools
  • Optimizing performance and user experience

4.3 Communication

  • Sending service-related notifications
  • Providing customer support
  • Notifying about policy updates
  • Marketing communications (with consent)

4.4 Security and Compliance

  • Detecting and preventing fraud
  • Ensuring platform security
  • Complying with legal obligations
  • Enforcing terms of service

5. Data Sharing and Third-Party Services

5.1 Essential Service Providers

  • Supabase: Database hosting and authentication services
  • Vercel: Application hosting and content delivery
  • Payment Processors: Subscription billing and payment processing

5.2 AI Service Providers

  • OpenAI: Content generation and enhancement via GPT-4o
  • Google: AI processing via Gemini models
  • Anthropic: Content processing via Claude models
  • OpenRouter: AI model routing and processing intermediary
  • Firecrawl (Mendable): Web content scraping for flashcard creation

5.3 Analytics and Monitoring

  • Google Analytics: Website usage analytics and performance tracking
  • Google Tag Manager: Managing analytics and marketing tags
  • Sentry: Error monitoring and performance tracking

5.4 Legal Disclosures

We may disclose your information when required by law, court order, or to protect our rights and the safety of our users.

Data Processing Agreements: All third-party processors operate under Data Processing Agreements (DPAs) that ensure GDPR compliance and adequate data protection measures.

6. Data Security

6.1 Technical Safeguards

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Regular security updates and vulnerability assessments
  • Access controls and authentication mechanisms
  • Automated threat detection and prevention

6.2 Organizational Measures

  • Staff training on data protection
  • Access on a need-to-know basis
  • Regular security audits and penetration testing
  • Incident response and data breach procedures

6.3 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify relevant supervisory authorities within 72 hours
  • Inform affected users without undue delay
  • Provide clear information about the breach and our response
  • Take immediate steps to mitigate the impact

7. Data Retention

7.1 Account Data

  • Active Accounts: Retained while your account is active
  • Inactive Accounts: Deleted after 2 years of inactivity
  • Deleted Accounts: Immediately anonymized or deleted

7.2 Content Data

  • Flashcards: Retained until account deletion
  • Study Progress: Retained for 3 years after last activity
  • Public Content: May be retained anonymously for community benefit

7.3 Legal and Business Records

  • Payment Records: 7 years for tax compliance
  • Support Communications: 3 years
  • Legal Documentation: As required by applicable law

7.4 Technical Logs

  • Error Logs: 30 days
  • Access Logs: 90 days
  • Security Logs: 1 year

8. Your Privacy Rights

Under GDPR, CCPA, and other privacy laws, you have the following rights:

8.1 Right of Access

Request a copy of all personal data we hold about you.

8.2 Right to Rectification

Correct inaccurate or incomplete personal data.

8.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data under certain circumstances.

8.4 Right to Data Portability

Receive your data in a structured, machine-readable format.

8.5 Right to Object

Object to processing based on legitimate interests or for marketing purposes.

8.6 Right to Restrict Processing

Limit how we process your data under certain circumstances.

8.7 How to Exercise Your Rights

  • Email us at privacy@decklio.com
  • Use the privacy request form (when available)
  • Contact our Data Protection Officer

Response Time: We will respond to your request within 30 days (GDPR) or 45 days (CCPA).

9. International Data Transfers

Your data may be processed in countries outside your residence, including:

9.1 Transfer Mechanisms

  • Adequacy Decisions: Transfers to countries with adequate protection levels
  • Standard Contractual Clauses: EU-approved data transfer agreements
  • Certification Programs: Privacy Shield successors and similar frameworks

9.2 Safeguards

  • All transfers include appropriate safeguards
  • Regular compliance monitoring
  • Impact assessments for high-risk transfers
  • User notification of transfer arrangements

10. Contact Information

Privacy Inquiries: support@decklio.com
Registered Address: Truus Gelsingstraat 287, 6663 RE Nijmegen, The Netherlands

Note: For privacy-related questions, requests to exercise your data protection rights, or general inquiries, please contact us at support@decklio.com. We will respond within 30 days as required by GDPR.

Dutch Data Protection Authority

Autoriteit Persoonsgegevens (AP): autoriteitpersoonsgegevens.nl


Privacy Policy Updates

We may update this Privacy Policy from time to time. When we make material changes:

  • We will notify you via email at least 30 days before changes take effect
  • We will display a prominent notice on our website
  • For significant changes, we may require your renewed consent
  • Previous versions will be archived and available upon request
