Privacy Policy
Privacy for the Decision API.
This page explains what decide.fyi collects, why it is used, and the boundaries around account access, payments, API calls, reference applications, logs, and support workflows.
Last updated: May 23, 2026 (UTC)
Who this applies to
This policy applies to decide.fyi, the Decision API, public reference applications, account and ops surfaces, checkout/payment flows, support requests, and related documentation pages.
If a signed order, data processing addendum, or enterprise agreement applies to your use, that written agreement controls where it conflicts with this public policy.
Information we collect
- Contact and account information: name, email, company, role, sign-in identifiers, support messages, and API access requests you submit.
- Payment and plan metadata: checkout status, customer identifiers, billing/work email, plan, subscription, and invoice-related metadata. Payment card handling is performed by Stripe; decide does not need full card numbers.
- API and runtime information: request inputs, context fields, verdicts, evidence codes, policy versions, decision IDs, request IDs, record hashes, replay metadata, latency, status, route, and usage counters needed to operate the API.
- Reference application inputs: vendor, region, plan, purchase timing, or similar fields submitted to source-backed refund, cancellation, return, or trial checks.
- Local browser data: sandbox history, saved demo cases, monitor preferences, and similar settings may be stored in your browser unless you clear them.
- Operational logs: limited metadata such as timestamp, route, status, latency, IP-derived rate-limit data, hashed identifiers, and error details for security, debugging, abuse prevention, and reliability.
How we use information
- Provide and secure the Decision API, reference applications, account access, checkout, API key provisioning, and support workflows.
- Generate and replay Decision Record v1 outputs when your integration calls the API.
- Enforce API keys, quotas, rate limits, billing state, and abuse controls.
- Respond to support, security review, procurement, billing, and access requests.
- Improve reliability, diagnose incidents, and maintain public status, trust, and source-alert surfaces.
Decision data boundaries
- Do not send unnecessary personal data, regulated data, secrets, or customer content into prompts, context, evidence, or notes fields.
- Production API keys are server-side credentials. Do not expose them in browsers, client apps, or public repositories.
- Decision records are operational records. They may be stored, replayed, exported, or reviewed according to your plan, configuration, and any signed agreement.
- Reference source alerts and vendor catalogs are public-source metadata and should not require customer personal data.
Decision lifecycle data
- Decision Records, execution receipts, Outcome Records, CRM sync receipts, policy intelligence, audit-chain metadata, and exported Decision Packets may include identifiers, hashes, evidence codes, policy metadata, action context, and caller-provided fields.
- Packet and verification flows are designed to make records portable and replayable for customer review; customers should avoid placing unnecessary personal data in fields that will be exported or shared.
- Outcome, confidence, benchmark, anomaly, and effectiveness reports are generated from caller-scoped or opt-in aggregate data according to the applicable endpoint behavior and configuration.
Service providers
We use service providers to host the site and API, authenticate accounts, process payments, send support or operational notifications, store runtime data, monitor uptime, and maintain source-alert feeds. These providers process information for the purposes described in this policy.
Visible providers may include Clerk for authentication and Stripe for payment processing. Other infrastructure providers may support hosting, storage, logs, email, metrics, and alerting.
Sharing
- We share information with service providers that help operate decide.
- We may share information when needed to comply with law, protect rights and safety, investigate abuse, or complete a business transfer.
- We may share information at your direction, such as when you ask us to support a procurement review or integration handoff.
- We do not sell personal data, and we do not use customer prompts or decision inputs to train public AI models.
Review and export requests
- Account, support, and billing data requests can be sent to support@decide.fyi.
- Decision API export, retention, or deletion requirements should be reviewed with API access terms and any signed agreement because auditability, billing, security, and legal obligations can affect what may be deleted.
- Security or procurement reviewers can use the public trust, security, status, terms, and verification pages as the first-pass packet before requesting a custom questionnaire response.
Retention and deletion
We keep information for as long as needed to operate the service, provide support, meet billing or security obligations, resolve disputes, and maintain auditability. Some local browser data is controlled by your browser and can be cleared by you.
To request deletion, export, or correction of account or support data, email support@decide.fyi. Some records may need to be retained where required for billing, security, legal, or audit purposes.
Security
We use reasonable technical and operational safeguards for the current stage of the product, including HTTPS, auth-gated account and ops flows, API-key controls, rate limits, and log/replay boundaries. No public SOC 2, ISO 27001, HIPAA, or other regulated compliance certification/status claim is made unless separately published or agreed in writing.
Changes and contact
We may update this policy as the product, infrastructure, or legal requirements change. The updated date above shows the latest public revision.
Questions: support@decide.fyi.
Privacy review links
Use these resources together when reviewing data handling, commercial scope, security controls, and operational readiness.
Related pages: Terms, API access terms, Security, and Trust.