Decades Privacy Policy
1. Who we are and what this covers
Decades is a voice-first journaling and reflection app. You speak; the app transcribes, processes, and turns your entries into insights over time.
Operator: Decades is currently operated by Lau Khaniff Roziz as a sole proprietorship registered in Singapore. Incorporation as a private limited company (Pte Ltd) is planned for 2026, at which point this policy will be updated to reflect the new entity.
Contact: privacy@decades.app for all privacy-related questions, rights requests, regulatory inquiries, or concerns about data handling. A postal correspondence address is available on request to verified rights-requesters and regulatory authorities — please reach us by email first to coordinate.
This policy covers the Decades iOS app, the Decades backend service, and the Decades website. It applies to everyone who creates an account, regardless of where you live.
2. Information we collect
We collect data in the following categories:
Account data. Your email address, a hashed password, the date you signed up, and basic device metadata (iOS version, device model) captured at sign-up.
Voice recordings and transcripts. When you record an entry, the audio is uploaded for transcription and then stored. The transcript is preserved as immutable source evidence (we never overwrite the original — see Section 7). If you edit a transcript, both the original and your edit are kept.
AI-derived analyses. From each transcript, our processing pipeline derives a number of structured signals: domain weights (the three realms — Introspection, Ambition, Connection), emotional frequencies (curiosity, gratitude, anxiety, determination, etc.), thematic tags, value signals, internal tensions, and several therapeutic hook structures (CBT, ART, QFT prompts). These are stored alongside your entry.
Longitudinal aggregations. Daily, weekly, monthly, quarterly, yearly, and era-level summaries are computed and stored on your behalf. These are the "patterns over time" feature; they are derived from your entries and exist only as long as your entries do.
Identity documents. If you choose to upload personality documents (Co-Star, Pattern, human-design charts, etc.) to enrich your identity layer, these are stored alongside your account.
Gaming progress. XP earned, achievements unlocked, chapter transitions, and similar progress indicators tied to your journaling activity.
Access audit log. When a Decades support session touches your data (see Section 7), a record is written to your account-visible audit log: who accessed, when, for what stated reason. You can view this log inside the app at Settings → Privacy.
Operational telemetry. Basic event records — account creation, last login, app version — stored in our own database. We do not use third-party analytics SDKs.
We do not collect: precise geolocation, contacts, photos, advertising identifiers, biometric data beyond the voiceprints implicit in your recordings, or any data from third-party advertising networks (we don't integrate any).
3. How we use it
Your data is used to deliver the core product features — transcription, insight generation, aggregations, gaming, identity reflection, and account management — and for nothing else.
Legal basis (for GDPR users):
- Contract performance (GDPR Article 6(1)(b)): processing necessary to operate the journaling features you signed up for.
- Explicit consent (GDPR Article 9(2)(a)): voice recordings are special-category data because they implicitly carry emotional/health-adjacent content. We rely on your explicit consent at sign-up and at recording.
- Legitimate interest (GDPR Article 6(1)(f)): operational security, fraud prevention, and audited support investigations. Each support access leaves a receipt visible to you (see Section 7).
We do not use your content to train any machine-learning model — neither our own (we don't train any) nor third-party models. Our subprocessors commit to the same posture under their API terms.
4. AI processing (folded disclosure)
Decades uses third-party AI services to transcribe your voice and to generate insights from your text. The processing involves:
For voice → text: Audio is sent to OpenAI's Whisper API (or AssemblyAI for some longer recordings) at the moment of transcription. The audio is returned as text. We do not retain a copy of the audio on the AI vendor's side beyond the vendor's documented retention window (see docs/subprocessors.md for current windows). Decades stores the resulting transcript in your account.
For insights: Transcript text is sent to Anthropic's Claude API at the moment of inference, along with structured prompts that ask for the various analyses described in Section 2. The model's response is returned and stored.
Vendor retention: OpenAI's default retention is 30 days for abuse monitoring; Anthropic's is 7 days. Neither vendor uses our commercial API traffic for model training. AssemblyAI uses a 1-hour minimum TTL for asynchronous transcription. Up-to-date details — including any Zero Data Retention (ZDR) agreements as we sign them — live in docs/subprocessors.md, which is published in our public documentation directory and updated within 30 days of any change.
Consent and revocation: AI processing is enabled by default. You can revoke AI consent at any time in Settings → Privacy. When you revoke consent, Decades enters local-only mode — voice recording, transcription, and text entry continue to work, but no AI summaries, insights, autosynth updates, or aggregations run for new entries. Existing AI-generated content remains in your account until you delete it. Functionality returns when you re-consent.
A future build (Build 4, contingent on iOS 26 General Availability and Apple Foundation Models maturity) will introduce an on-device AI fallback so that revoking cloud-AI consent does not disable insights entirely. When that ships, this section will be revised accordingly and the change disclosed in our transparency report.
5. Subprocessors (who we share data with)
We use third-party services to deliver the product. The current complete list:
| Vendor | Purpose | Data touched |
|---|---|---|
| Supabase | Primary database, authentication, file storage | All user data, encrypted in transit |
| Anthropic | Claude API — insight generation | Entry text at moment of inference |
| OpenAI | Whisper API — voice transcription | Audio at moment of transcription |
| AssemblyAI | Alternative transcription for long-form recordings | Audio at moment of transcription |
| Railway | Cloud hosting for backend services | Whatever transits the backend; not persistently stored |
| Apple | iOS App Store distribution | Account info necessary for distribution |
We do not share your data with: advertising networks, analytics vendors, data brokers, or any party not listed above. We do not have data-partner relationships.
The complete, continuously-updated subprocessor list — including vendor privacy policies, retention windows, and an automated monthly audit that compares this list against our actual codebase — is at docs/subprocessors.md. Changes are reflected within 30 days and disclosed in the next quarterly transparency report.
6. Where your data lives (data residency)
The Supabase database that stores your account and entries is hosted in a single region (region details available on request). When entries are sent for AI processing, they transit to US-based vendors (OpenAI, Anthropic, AssemblyAI). Voice transcription typically completes in seconds; insight generation in tens of seconds. Data does not persist on the vendor side beyond the windows disclosed in Section 4.
If you are an EU resident, this means your data may be processed in the US during transcription and insight generation. By accepting AI processing at sign-up or by re-consenting in Settings, you provide explicit GDPR Article 49(1)(a) consent for these international transfers.
7. How long we keep your data
Active accounts: while your account exists, your data is retained.
Soft delete (30 days): when you delete an entry, it is marked as deleted but recoverable for 30 days via the in-app restore flow. This matches our orphan-recovery window for upload retries.
Hard delete (immediate, on account deletion): when you delete your Decades account, all your data — entries, transcripts, aggregations, audit logs, identity documents, gaming progress — is removed from the live database within 24 hours via a cascading deletion. Soft-deleted entries are also hard-deleted at this point.
Backups: Supabase retains automated database backups per its plan. Account deletion does not retroactively scrub backups; backup-window plaintext eventually ages out per Supabase's backup retention policy.
Vendor-side retention: addressed in Section 4 and tracked in docs/subprocessors.md.
8. Security and internal access
We take a transparency-over-secrecy posture: we tell you what's protected and what isn't.
What's protected: the database is encrypted in transit (TLS), authentication is required for all reads, and Postgres row-level security (RLS) ensures one user cannot read another user's data via the app. Voice recordings transit encrypted.
What's not yet protected (and will be): data at rest is not yet encrypted with a key we do not hold. That gates on Build 3 (Encrypted Vault) of our Privacy Build Ladder, which is conditional on scale and funding milestones. Build 4 (Private Intelligence) ships true end-to-end encryption and on-device AI for iOS 26+.
Internal access (the honest version): Decades is currently operated by one person. That person has administrative access to the database. We do not pretend otherwise. To make administrative access trustworthy in the absence of cryptography, we ship the following discipline mechanisms — collectively called Build 1 (Receipts):
- CLI access to user data uses a dedicated, restricted Postgres role (support_role), not a superuser account.
- A support investigation requires opening a 48-hour session via a function call that names the target user and a written reason (≥10 characters).
- That function call creates a visible entry in your own logbook. You see it. The entry stays for 48 hours; repeated access within that window does not create new entries.
- All non-app database activity is captured by Postgres's own forensic audit log (pgaudit) and can be produced on demand.
- A backend filter prevents these system-access entries from leaking into AI-derived features such as insights or autosynth.
The full architectural commitment — what we can honestly claim at each Build, and what we cannot — is published at docs/privacy-doctrine.md. Our quarterly transparency report discloses counts of access events, account deletions, and legal requests.
9. Your rights
You have the right to:
- Access the personal data we hold about you (GDPR Article 15 / CCPA right to know).
- Correct inaccurate data (GDPR Article 16). Many fields you can edit directly in the app; the rest can be corrected on request.
- Delete your data (GDPR Article 17 / CCPA right to delete). The in-app account deletion flow removes all your data; see Section 7.
- Export your data in a portable, machine-readable format (GDPR Article 20). Available on request at privacy@decades.app; in-app self-service export is planned for Build 2.
- Restrict or object to specific processing (GDPR Articles 18, 21). Revoking AI consent (Settings → Privacy) restricts AI-based processing; for narrower restrictions, contact us.
- Withdraw consent at any time (GDPR Article 7). Consent withdrawal does not affect prior lawful processing.
- Lodge a complaint with a supervisory authority (GDPR Article 77). Singapore residents may contact the Personal Data Protection Commission (PDPC); EU residents may contact their national data protection authority.
For California residents, equivalent CCPA rights (know, delete, correct, opt-out of sale/sharing — though we do neither, opt-out of profiling, non-discrimination) are honored. We do not sell or share your data in the CCPA-defined sense and have no behavioral advertising to opt out of.
Rights requests are processed within 30 days of receipt. Email privacy@decades.app.
10. Children
Decades is intended for users 16 years of age or older. We do not knowingly collect personal data from anyone under 16. The 16+ floor is set to (a) honor the GDPR Article 8 threshold for children's consent across all EU member states; and (b) avoid the COPPA voiceprint extension issues for users 13–17 in the United States. If you believe a child under 16 has created a Decades account, please contact privacy@decades.app and we will delete the account and associated data.
11. Changes to this policy
When this policy is updated, we will:
- Revise the Last revised date at the top.
- For material changes (vendor additions or removals, new categories of data collected, changes to retention, changes to user rights), notify active users via in-app notification at least 30 days before the change takes effect, where feasible.
- Disclose the change in our next quarterly transparency report.
- Maintain a public revision history at docs/transparency-report-2026-q2.md.
We will not make material changes retroactively without your consent.
12. Contact
Reach us at privacy@decades.app for any privacy-related question: rights requests, concerns, compliance inquiries, or to authorize support access to your account.
For everything else, the general support address is on the Decades website.
13. License of this document
This privacy policy is published under the Creative Commons Attribution-ShareAlike 4.0 license (CC-BY-SA 4.0). You are free to copy, adapt, and redistribute this text for your own product or organization, provided you (a) credit Decades as the source, and (b) license your derivative work under the same CC-BY-SA license. This is intentional: privacy policies should be easier for indie developers to write, and shared improvements should propagate. If you adapt this policy, we'd love to hear about it.