Privacy Policy
This is a plain-language summary of what Deckup collects, why, and what we do with it. The shorter version: we hold customer content only long enough to convert it, we don't sell anything, and we tell you exactly which third parties touch your data.
1. Information we collect
We collect only what we need to operate the service, bill you correctly, and keep things secure.
Account information
When you sign up, we collect your name, work email address, and a hashed password. If you authenticate via a third-party identity provider, we receive your provider user ID and profile email. We do not collect personal phone numbers, mailing addresses, or government IDs at the Starter or Pro tier.
Billing information
Payment instruments are tokenised and stored by our payments processor, [Stripe, Inc.] — Deckup never sees full card numbers. We retain the last four digits, card brand, expiry month, and billing country for receipts and tax compliance.
Usage data
For every API call we record: the API key prefix (not the secret), the endpoint, response status, byte size of the file submitted, slide count, and the wall-clock duration of the conversion. This data drives your usage dashboard, billing, and rate-limit enforcement.
Diagnostic and log data
HTTP request logs include the source IP address, user-agent string, and a request ID. Logs are retained for [30 days] for security and debugging, then deleted. We do not run third-party session-replay or behavioural analytics on the dashboard.
2. How we use information
We use the information described above to:
- Run the API — accept your PPTX files, convert them, and return the result.
- Authenticate API requests and enforce rate limits.
- Bill you correctly and provide receipts.
- Communicate about your account: service outages, security advisories, billing notices, and product changes that materially affect your integration.
- Detect and respond to abuse — credential stuffing, fraudulent payment activity, attempts to circumvent rate limits.
- Improve the product. Aggregate usage statistics — for example, "median conversion latency" or "share of decks that contain SmartArt" — inform our roadmap. We do not look inside individual customer files for product research.
We do not sell personal information. We do not use customer content to train machine-learning models.
3. Customer content (the PPTX files you send)
The files you upload — and the SVGs and sidecar JSON we generate from them — are "customer content." We treat customer content with stricter rules than account or usage data.
- Encrypted in transit and at rest. TLS 1.2+ on the wire, AES-256 at rest in object storage.
- Short retention by default. Live-mode conversion artefacts are deleted [24 hours] after conversion at the Starter tier, [90 days] at Pro, [365 days] at Scale. Test-mode artefacts are deleted after [1 hour]. You can delete any conversion immediately from the dashboard or API.
- Access is logged. A small number of engineers can read customer content for support and incident response. Every such access creates an audit log entry visible to Scale customers on request.
- No third-party training. Customer content is never sent to a third-party machine-learning service.
4. Sharing and subprocessors
We use a small set of vendors to operate Deckup. Each is bound by a data processing agreement and may only use customer data to provide their service to us.
| Subprocessor | Purpose | Location |
|---|---|---|
| [Amazon Web Services] | Compute, storage, object hosting | [us-east-1] |
| [Stripe, Inc.] | Payment processing | [United States] |
| [Postmark] | Transactional email (receipts, alerts) | [United States] |
| [Sentry] | Error tracking (no payload bodies sent) | [United States] |
| [Plausible Analytics] | Anonymous, cookie-free site analytics | [European Union] |
We will update this list before adding a new subprocessor and post a 30-day notice on the changelog. Scale customers can subscribe to email notifications for subprocessor changes.
We may disclose information when we have a good-faith belief that disclosure is necessary to comply with a valid legal process, enforce our terms, prevent fraud, or protect the rights and safety of users — and only the minimum required. We will notify the affected customer before complying with a legal request unless we are legally prohibited from doing so.
5. Data retention
Default retention periods, by category:
- Customer content: tier-dependent, as above.
- Usage records: 13 months, for billing reconciliation.
- Access logs: 30 days.
- Account profile: until you delete your account, plus a 30-day grace period in case of accidental deletion.
- Billing records: 7 years, as required by tax law in [applicable jurisdictions].
6. Security
We follow standard, boring security practices that work:
- TLS 1.2+ on every endpoint; HSTS preloaded.
- API secrets are hashed with bcrypt before storage. Only the key prefix is visible after creation.
- Mandatory two-factor authentication for every Deckup engineer.
- Least-privilege production access, gated through short-lived credentials and audit-logged.
- Quarterly third-party security review. A SOC 2 Type II report is on the roadmap for [Q4 2026]; we will post the date here when it lands.
If you believe you have found a vulnerability, email security@deckup.io. We do not currently run a paid bounty programme but acknowledge contributors publicly with their permission.
7. Your rights
Depending on where you live, you may have the right to access, correct, port, or delete personal information we hold about you, and to object to or restrict certain processing. You can exercise most of these rights directly from the dashboard:
- Access & portability: export your account and usage data as JSON from Settings → Privacy.
- Deletion: delete any conversion individually, or delete the entire account from Settings → Account → Delete.
- Correction: edit your profile from Settings → Profile.
For anything that needs a human, email privacy@deckup.io. We aim to respond within [30 days].
8. International data transfers
Deckup operates primarily out of [us-east-1]. If you access the service from outside the United States, you are transferring data to the United States for processing. Where required, we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum) as our transfer mechanism. A copy is available on request.
9. Cookies and analytics
The marketing site uses a single first-party session cookie for authentication on the dashboard. We do not set advertising or cross-site tracking cookies. Site analytics are provided by [Plausible], which is cookie-free and does not collect personal information.
10. Children
Deckup is a developer tool not directed at children. We do not knowingly collect personal information from anyone under [16]. If you believe a child has provided us information, email privacy@deckup.io and we will delete it.
11. Changes to this policy
If we make material changes, we will email account owners at least [30 days] before they take effect and post a changelog entry. Continued use of the service after the effective date constitutes acceptance.
12. Contact
Questions, requests, or complaints can go to:
- Email: privacy@deckup.io
- Postal: [Deckup Inc., Street, City, State, ZIP, Country]
If you are in the EU or UK, you also have the right to lodge a complaint with your local data protection authority.