End User Privacy Policy
Updated on: July 1, 2025
1. Introduction
Deck Software Inc. and its affiliates ("Deck," "we," "us," or "our") are committed to protecting the privacy of end users who interact with our platform through the services provided by our business customers. This End User Privacy Policy explains how we collect, use, share, and safeguard your personal information when you use applications, services, or experiences powered by Deck. We believe in transparent data handling and will never use your information in ways that are inconsistent with this policy.
2. Data We Collect
We collect information in several categories when you interact with Deck-powered services:
Personally Identifiable Information (PII)
We may collect personally identifiable information that you provide or that is provided on your behalf, including:
- Name and contact information (email address, phone number)
- Physical address and mailing address
- Account credentials (usernames, passwords, authentication tokens) when you authorize access to third-party services
- Payment and billing information (processed by our payment service providers; we do not store full payment card details)
Device and Usage Data
When you access Deck-powered services, we automatically collect technical and usage information, including:
- IP address and approximate geographic location
- Browser type, version, and language
- Operating system and device type
- Timestamps of access and session duration
- Device identifiers (where applicable and permitted by law)
Transactional and Service Usage Data
We collect information related to your use of our services, including:
- Records of transactions and interactions performed through Deck-powered applications
- Activity logs (actions performed, workflows executed, applications accessed)
- Service preferences and settings
- Error reports and performance metrics
Third-Party Data
We may receive information about you from:
- Verification partners and identity providers when you authenticate or verify your identity
- Public sources (e.g., publicly available business or professional information) where relevant to the service
- Our business customers who use Deck to provide services to you
3. How We Use Your Data
We use the data we collect for the following purposes. We do not sell your personal information.
Service Provisioning
To provide, operate, and maintain the Deck platform; provision isolated environments; execute workflows; and deliver the services you or your organization has requested.
Security and Fraud Prevention
To protect against unauthorized access, fraud, abuse, and security incidents; to verify identity; and to enforce our terms and policies.
User Experience Enhancement
To understand how our services are used, improve performance, diagnose issues, and tailor features to better serve you.
Regulatory Compliance
To comply with applicable laws, regulations, court orders, and government requests.
Communication
To send you service-related notifications, respond to inquiries, provide support, and (with your consent) send marketing or promotional communications.
4. How We Share Your Data
We do not sell your personal information. We may share your data in the following circumstances:
Authorized Service Providers
We share data with trusted third-party service providers who assist us in operating our platform, such as cloud infrastructure providers, payment processors, analytics services, and customer support tools. These providers are contractually bound to protect your data and use it only for the purposes we specify.
Business Partners
We may share information with our business customers who use Deck to provide services to you, to the extent necessary for them to deliver those services and in accordance with their own privacy policies.
Legal Authorities
We may disclose your information when required by law, subpoena, court order, or government request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Corporate Transactions
In the event of a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.
5. Your Data Protection Rights
Depending on your location, you may have the following rights regarding your personal data:
Access
Request a copy of the personal information we hold about you.
Correction
Request that we correct inaccurate or incomplete personal information.
Deletion
Request that we delete your personal information, subject to certain exceptions (e.g., legal retention requirements).
Restriction
Request that we restrict the processing of your personal information in certain circumstances.
Objection
Object to processing based on legitimate interests or for direct marketing purposes.
Data Portability
Request a copy of your data in a structured, commonly used, machine-readable format.
To exercise these rights, please contact us at [email protected]. We will respond to your request within the timeframe required by applicable law.
6. Retention and Deletion
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, including to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. When data is no longer needed, we securely delete or anonymize it using industry-standard deletion protocols. We do not retain your data longer than required by law or for legitimate business purposes.
7. Security Measures
We implement industry-standard security measures to protect your data:
Encryption
Data is encrypted in transit using TLS and at rest using AES-256 encryption. Credentials are stored in a secure vault with access controls and automatic rotation capabilities.
Access Controls
We employ role-based access controls, least-privilege principles, and multi-factor authentication where appropriate to limit access to personal data.
Continuous Monitoring
We monitor our systems for suspicious activity, vulnerabilities, and potential breaches.
Incident Response
We maintain incident response procedures to quickly identify, contain, and remediate security events. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected individuals and relevant authorities as required by law.
8. International Data Transfers
Deck is headquartered in Montreal, Quebec, Canada. Your data may be transferred to, stored, and processed in countries other than your own. When we transfer data internationally, we implement appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements (DPAs) with our service providers
- GDPR-compliant transfer mechanisms for data originating in the EEA or UK
9. Compliance with Global Regulations
We comply with applicable privacy and data protection laws in the jurisdictions where we operate, including:
- GDPR (European Union): For individuals in the EEA, we comply with the General Data Protection Regulation and respect your rights to access, rectify, erase, restrict processing, data portability, and to object to processing.
- CCPA (California): For California residents, we comply with the California Consumer Privacy Act and respect your right to know, delete, opt out of sale (we do not sell personal information), and non-discrimination.
- UK DPA 2018 / UK GDPR: For individuals in the United Kingdom, we comply with the UK GDPR and the Data Protection Act 2018.
- Other frameworks: We also consider and comply with other regional frameworks such as PIPEDA (Canada), LGPD (Brazil), and similar laws where applicable.
10. Regional End User Agreements
United States
If you are an end user located in the United States:
- CCPA Compliance: We comply with the California Consumer Privacy Act. California residents have the right to know what personal information we collect, to request deletion, to opt out of the sale of personal information (we do not sell personal information), and to non-discrimination for exercising these rights.
- Opt-Out Rights: You may opt out of marketing communications at any time by clicking the unsubscribe link in our emails or contacting us at [email protected].
- Account Management: You may access, correct, or request deletion of your personal information by contacting us at [email protected].
- Responsibilities: You are responsible for providing accurate information and for maintaining the security of your account credentials.
- Disclaimers: Our services are provided "as is" to the extent permitted by law. We disclaim warranties to the maximum extent permitted by applicable law.
United Kingdom
If you are an end user located in the United Kingdom:
- UK GDPR / DPA 2018 Compliance: We comply with the UK General Data Protection Regulation and the Data Protection Act 2018. You have rights to access, rectify, erase, restrict processing, data portability, and to object to processing. You may also lodge a complaint with the Information Commissioner's Office (ICO).
- Eligibility: Our services are intended for users who meet the eligibility requirements set by our business customers. You must be at least 18 years of age (or the age of majority in your jurisdiction) to use our services.
- Responsibilities: You are responsible for ensuring that your use of our services complies with applicable law and the terms governing your relationship with the business customer providing you access.
- Complaints: For financial services-related complaints, you may have the right to refer your complaint to the Financial Ombudsman Service where applicable.
European Union / European Economic Area
If you are an end user located in the European Union or European Economic Area:
- GDPR Rights: You have the right to access your personal data, to have inaccurate data corrected, to have your data erased in certain circumstances, to restrict processing, to data portability, and to object to processing. You also have the right to withdraw consent where processing is based on consent, and to lodge a complaint with a data protection authority in your country.
- EEA Eligibility: Our services are intended for users who meet the eligibility requirements set by our business customers. You must be at least 16 years of age (or the applicable age of consent in your jurisdiction) to use our services.
- Responsibilities: You are responsible for ensuring that your use of our services complies with applicable law and the terms governing your relationship with the business customer providing you access.
- Complaints: You have the right to lodge a complaint with your local data protection authority (supervisory authority) if you believe our processing of your personal data infringes applicable law.
11. Changes to This Policy
We may update this End User Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on this page and updating the "Updated on" date. For significant changes, we may also provide additional notice (e.g., by email or through our platform). We encourage you to review this policy periodically.
12. Contact Information
If you have questions about this End User Privacy Policy or wish to exercise your privacy rights, please contact us: