deckshare.ai

Version 2026.05.2 · Effective 2026-05-27

Privacy Notice

How deckshare.ai collects, uses, and protects personal data. Compliant with the UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025.

1. Who we are

deckshare.ai is operated by deckshare Ltd (the "controller"), registered in England and Wales. You can reach us at privacy@deckshare.ai. Until we appoint a formal Data Protection Officer, all privacy enquiries are handled by the security team at security@deckshare.ai.

2. What data we collect

We collect three categories of personal data:

  • Founder data: name, email, hashed password (via Clerk), Stripe customer ID, billing address, IP address, browser fingerprint.
  • Visitor data: email address (entered at the email gate), one-time passcode (hashed), full name, company, job title, optional LinkedIn URL, IP address (used to compute the watermark identifier, retained 90 days then truncated to /24 or /56), browser user-agent fingerprint, session timestamps.
  • Telemetry: page-by-page dwell time, slide-view sequence, download and room activity events, audit-log entries. All telemetry is keyed to a session ID rather than a stable cross-site identifier.

3. How we use it

Each purpose has a single named lawful basis under UK GDPR Article 6:

  • Service delivery (Art. 6(1)(b), contract): authenticating founders, provisioning data rooms, rendering documents, processing payments.
  • Watermarking and audit logging (Art. 6(1)(f), legitimate interests): deterring unauthorised disclosure of customer materials. Recognised legitimate interest for network security under the DUAA 2025 schedule; no separate LIA required.
  • Investor-intent summarisation (Art. 6(1)(f), legitimate interests): we summarise per-session dwell traces with an on-edge Llama 3.1 model so founders can act on insight. This is not Article 22 automated decision-making; the DUAA 2025 amendment narrows Article 22 to special-category data, which we do not process.
  • Service improvement (Art. 6(1)(a), consent): optional product analytics via PostHog. Off by default; opt in via the cookie banner or Cookie preferences in the footer.
  • Marketing measurement (Art. 6(1)(a), consent): optional Google Ads measurement. Consent Mode defaults to denied until you accept marketing cookies.
  • Legal compliance (Art. 6(1)(c)): tax records, anti-fraud, lawful requests.

4. Who we share data with

We disclose data to a tightly-scoped list of subprocessors. See the full table at /legal/subprocessors. We do not sell personal data. We use Google Ads measurement only where marketing consent has been granted.

5. International transfers

Personal data is stored primarily within our contracted EU-region hosting footprint. Some subprocessors (Clerk, Resend) transfer data to the United States. We rely on:

  • The UK Extension to the EU-US Data Privacy Framework for US transfers from the UK.
  • The UK International Data Transfer Addendum to the EU Standard Contractual Clauses where DPF is not in force.
  • The DUAA 2025 risk-based test: we assess each new third-country recipient against standards "not materially lower" than the UK's.

6. Retention

Retention periods match the data classification matrix:

  • Audit log entries: 7 years from creation. Immutable.
  • Visitor sessions: until the founder deletes the space, then purged within 30 days.
  • Raw IPs: 90 days, then truncated to the /24 (IPv4) or /56 (IPv6) prefix.
  • OTP codes: 10 minutes (hash only; plaintext never persisted).
  • Billing records: 7 years (HMRC requirement).

7. Your rights

Under UK GDPR Articles 15-22 you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Have inaccurate data corrected (Art. 16).
  • Have your data erased (Art. 17), subject to legal-retention requirements.
  • Restrict processing (Art. 18).
  • Data portability (Art. 20).
  • Object to processing based on legitimate interests (Art. 21).
  • Withdraw consent at any time, where consent is the basis.
  • Not be subject to a fully-automated decision with legal or significant effect.

Exercise any of these rights at /legal/your-rights. We respond within one calendar month (extendable to three for complex requests). Under the DUAA 2025 "stop the clock" rule the deadline pauses if we need to verify your identity.

8. Children

Our service is not directed at children under 18. We do not knowingly collect data from them. We apply the DUAA 2025 considerations for online services likely to be accessed by children to our consumer-facing surfaces, even though our customer base is professional.

9. Cookies and similar technologies

We use a small set of strictly-necessary cookies (Clerk session, Stripe checkout return, visitor JWT, Turnstile bot mitigation). We use privacy-preserving beacon analytics, which is cookieless and requires no consent under PECR. Optional product analytics (PostHog) and marketing measurement (Google Ads) only run after you opt in. See /legal/cookies for the complete list.

10. Automated processing

Hosted models summarise per-session dwell traces for the founder dashboard. Output is descriptive, not determinative, and never used to grant or deny access to a service, product, or right. As such it falls outside Article 22 of UK GDPR (further narrowed by the DUAA 2025 amendment to special-category data only).

11. How to complain

If you are unhappy with our handling of your personal data, you can complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint. EU and EEA residents may complain to their national supervisory authority.

12. Updates

Material changes are signalled in the Version label at the bottom of this page and listed in the changelog feed at /legal/changelog.json. Paying customers under a Data Processing Addendum receive 30 days' prior notice of material subprocessor changes.

Privacy Notice · deckshare.ai