Privacy Policy
Last updated: May 2026 · Policy version: 4
1. Introduction
CoreDeck Ltd. ("CoreDeck", "we", "us", "our") operates the CoreDeck platform, an AI-powered deck building and task management service. This Privacy Policy explains how we collect, use, store, and protect your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable data protection laws.
Data Controller:
CoreDeck Ltd.
Israel
Email: [email protected]
2. Age Requirement
CoreDeck is intended for users aged 18 and older. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a person under 18, we will delete that data promptly.
3. Data We Collect
3.1 Account Data
- Email address (required for registration)
- First name and last name (optional, or from Google profile)
- Profile picture (from Google OAuth, if linked)
- Authentication provider (local, Google, or both)
- Account creation date and last login date
3.2 Content Data
- Projects ("Decks") you create, including names and descriptions
- Tasks and their full conversation history with AI models
- Files you upload (text, PDFs, images) and their metadata
3.3 Usage Data
- AI model usage: provider, model name, token counts, estimated costs
- Search queries executed through the platform
- Session information: login timestamps, authentication method
3.4 Technical Data
- IP address (for security event logging and rate limiting)
- User agent / browser information (for security event logging)
3.5 Billing Data
- Subscription plan, billing cycle, payment status
- Subscription, customer, and transaction identifiers issued by our Merchant of Record (Paddle); we do not store payment card numbers or other payment instrument details — those are stored by Paddle, our Merchant of Record (see section 6)
- Invoice and transaction records issued by Paddle on our behalf, kept by us for audit purposes
3.6 Marketing Site Analytics
On coredeck.ai (this marketing site), we collect aggregated analytics
via self-hosted Umami at analytics.coredeck.ai: page URL, referrer,
session duration, screen resolution, and country derived from a hashed/truncated IP.
No cookies and no cross-site tracking are used. Marketing-site analytics
are retained for up to 90 days. Legal basis: legitimate interest in measuring site
performance and aggregate audience.
4. Legal Basis for Processing
| Processing Activity | Legal Basis (GDPR Art. 6) |
|---|---|
| Account management & authentication | Contract performance (Art. 6(1)(b)) |
| AI task processing & deck management | Contract performance (Art. 6(1)(b)) |
| Billing & subscription management | Contract performance (Art. 6(1)(b)) |
| Security event logging & fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Usage analytics for service improvement | Legitimate interest (Art. 6(1)(f)) |
5. How We Use Your Data
We use your personal data to:
- Provide, maintain, and improve the CoreDeck platform
- Process your AI tasks and manage your projects
- Manage your subscription and billing
- Send transactional emails (account verification, password reset)
- Detect and prevent fraud, abuse, and security incidents
- Send marketing communications (only with your explicit consent)
6. Data Sharing & Sub-Processors
We share your data only with third-party service providers necessary to operate CoreDeck. We do not sell your personal data.
| Sub-Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Anthropic (Claude API) | AI model processing | Task prompts, conversation content | USA |
| OpenAI API | AI model processing | Task prompts, conversation content | USA |
| Google AI (Gemini) | AI model processing | Task prompts, conversation content | USA |
| Google Cloud Platform | Infrastructure hosting | All platform data | us-central1 (USA) |
| Google OAuth | Authentication | Email, name, profile picture | Global |
| Paddle.com Market Limited (UK) and Paddle.com Inc. (USA) | Merchant of Record — subscription billing, payment processing, tax calculation and remittance, invoicing, refund and chargeback handling | Name, email, billing address, country/region, transaction amount and currency, subscription identifiers, IP address (for fraud prevention), payment-method metadata (PCI-tokenised; no raw card numbers) | Global (data centres in EU and USA) |
| Serper.dev | Web search for AI tasks | Search queries | USA |
A current list is also published at /subprocessors.
Paddle as Merchant of Record. Paddle is the seller of record for paid subscriptions to CoreDeck. For the transactions Paddle processes, Paddle is the data controller for the payment-method information and tax-related data that you provide at checkout (under Paddle's own privacy notice), and acts as our processor for the subscription-identifier and transaction-record data that flows back to CoreDeck for audit and entitlement purposes. Paddle's privacy practices and sub-processors (including its own payment-processing partners) are described in Paddle's Privacy Notice and Paddle's Trust Centre.
7. International Data Transfers
Your data is stored on Google Cloud Platform in the us-central1 (Iowa, USA) region. For users in the European Economic Area (EEA), this constitutes a transfer of personal data outside the EEA. These transfers are protected by:
- Standard Contractual Clauses (SCCs) incorporated into our agreements with sub-processors
- The data protection frameworks maintained by our sub-processors (Google, Anthropic, OpenAI, Paddle)
- For payment-related data, Paddle as Merchant of Record operates data centres in the EU and USA and offers its own DPA covering international transfers under Article 46 GDPR
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion |
| Content data (projects, tasks, files) | Until account deletion or manual deletion by user |
| Usage events (AI model usage) | Up to 3 years |
| Search events | Up to 3 years |
| Security events (login attempts, etc.) | Up to 3 years |
| Activity events | Up to 3 years |
| Billing aggregates | As required for financial and tax compliance |
| Data export requests | Up to 2 days after completion |
| Marketing site analytics (Umami) | Up to 90 days |
After account deletion, personal data is permanently removed within thirty (30) days, with two narrow exceptions retained on the legal bases set out in GDPR Article 17(3):
- Billing aggregates and transaction records required for financial, tax, and accounting compliance (GDPR Art. 17(3)(b) — compliance with a legal obligation). These are stored in an aggregated form and, where individual records are retained, are minimised to the data necessary for audit and statutory record-keeping.
- AI-model usage records and search-query records (the "usage events" and "search events" rows above) are retained for up to 3 years to support billing audit, chargeback and dispute resolution, fraud investigation, and the establishment, exercise, or defence of legal claims (GDPR Art. 17(3)(e)). These records reference your user identifier so that disputed charges can be reconciled to the originating user; the records do not contain the content of your prompts or AI responses. The records are deleted automatically when the 3-year retention period expires.
If you have specific concerns about the retention of usage records following an account deletion request, contact [email protected] — we will assess any request to further restrict or anonymise those records on a case-by-case basis under Article 17(3)(e).
9. Your Rights
Under GDPR, you have the following rights:
9.1 Right of Access (Art. 15)
You can request a copy of all personal data we hold about you. Use the "Export My Data" feature in Settings, or contact [email protected].
9.2 Right to Rectification (Art. 16)
You can update your personal information (name, email) through the Settings page.
9.3 Right to Erasure (Art. 17)
You can delete your account through Settings > Delete Account. Upon your request, your account is deactivated immediately and permanent deletion of your personal data is completed within thirty (30) days, in accordance with GDPR Article 17.
Where operationally possible, account restoration may be available during this period if you contact [email protected]. Restoration is best-effort and cannot be guaranteed once permanent deletion has begun.
9.4 Right to Restriction of Processing (Art. 18)
You can restrict processing of your data through Settings > Privacy & Consent. When restricted, AI features are disabled but you retain access to your existing data.
9.5 Right to Data Portability (Art. 20)
You can export your data in a machine-readable JSON format through Settings > Export My Data.
9.6 Right to Object (Art. 21)
You can withdraw marketing consent at any time through Settings > Privacy & Consent.
9.7 Right to Withdraw Consent (Art. 7(3))
You can withdraw your marketing consent at any time. Withdrawal of consent to data processing or Terms of Service requires account deletion.
10. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Passwords are hashed using HMACSHA512 with per-user salts
- Access tokens are short-lived (15 minutes) JWT tokens
- Refresh tokens are single-use with rotation
- Service-to-service communication uses API key + JWT dual authentication
- Rate limiting on authentication endpoints
- Security event logging for all authentication activities
- No third-party advertising or behavioral tracking
11. Cookies
CoreDeck uses only essential cookies:
- refreshToken (HTTP-only, secure): Session management for authentication in the CoreDeck app. No tracking cookies, advertising cookies, or third-party cookies are used.
Our marketing site (coredeck.ai) uses cookieless analytics via Umami; see Section 3.6.
12. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
- Notify affected users without undue delay when the breach poses a high risk
- Document all breaches in our internal breach register
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date and policy version number
- Require re-acceptance through the consent wall on your next login
- Notify you by email for significant changes
Version 4 (current). Clarifies (section 8) that AI-model usage records and search-query records are retained for up to 3 years after account deletion to support billing audit, fraud investigation, and the establishment, exercise, or defence of legal claims, under GDPR Article 17(3)(e). The content of your prompts and AI responses is not retained beyond account deletion — only the per-request metadata necessary for these purposes. No new categories of data are collected.
Version 3. This version replaced our previous payment-processing sub-processor with Paddle, which acts as our Merchant of Record (see section 6 and our Terms of Service section 8.5). The categories of billing data we collect were clarified accordingly (section 3.5). Because the addition of a new sub-processor for payment processing was a material change, all existing users were required to accept the updated Privacy Policy and Terms of Service through the in-app consent flow before continuing to use the Service.
14. Contact and Complaints
For privacy-related questions, requests, or complaints, contact us at [email protected].
You have the right to lodge a complaint with the data protection supervisory authority in your country of residence.
15. California Residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you specific rights regarding your personal information. This section supplements the rest of this Privacy Policy and applies only to California residents.
15.1 Categories of Personal Information We Collect
We collect the categories of personal information described in Section 3 of this Privacy Policy, which under CCPA include: identifiers (email, name, IP address), commercial information (subscription and transaction records), internet or electronic network activity (usage events, search events, security logs), and inferences drawn from the above (model and feature usage patterns).
15.2 Sources of Personal Information
We collect personal information directly from you, from your device when you use the Service, and from authentication providers when you sign in via Google OAuth.
15.3 Purposes
We use personal information for the purposes described in Section 5 of this Privacy Policy: providing and improving the Service, processing payments, communicating with you, and detecting fraud and abuse.
15.4 Disclosure to Third Parties
We share personal information with the sub-processors listed in Section 6 of this Privacy Policy. We do not "sell" personal information for monetary or other valuable consideration, and we do not "share" personal information for cross-context behavioral advertising, as those terms are defined under CCPA/CPRA.
15.5 Sensitive Personal Information
We do not collect or use sensitive personal information (as defined under CPRA) for purposes beyond those permitted without an opt-out right under CCPA §1798.121.
15.6 Your California Rights
You have the right to:
- Know what personal information we collect, use, and disclose
- Access a copy of your personal information
- Delete your personal information (subject to legal exceptions)
- Correct inaccurate personal information
- Opt out of the sale or sharing of personal information (we do not sell or share, but the right exists if our practices change)
- Limit the use of sensitive personal information
- Non-discrimination for exercising these rights
15.7 How to Exercise Your Rights
Submit any of the above requests through Settings > Export My Data, Settings > Delete Account, or by contacting [email protected]. We will verify your identity before fulfilling sensitive requests. You may also designate an authorized agent to make a request on your behalf, subject to verification.
15.8 Notice of Financial Incentives
We do not currently offer financial incentives in exchange for the collection, sale, or retention of personal information.
16. Other US State Residents
Residents of other US states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and others) have similar rights to those described in Section 15. Submit requests through the same channels.