Your health data is sensitive. We treat it with the care it deserves. This policy explains what we collect, why, and what rights you have.
1. What we collect
- Email address — when you join our waitlist, create an account, or purchase a plan
- Lab report content — the text you paste or upload, processed only to generate your decode
- Payment metadata — order ID, plan type, amount (we never see card numbers; the payment processor handles those)
- Basic usage data — page visits and timing, used in aggregate to improve the product
2. How we use your data
- To generate your decode result
- To send you transactional emails (purchase confirmations, decode-ready notifications)
- To send product updates if you opted in (you can unsubscribe any time)
- To improve Decoda in aggregate (we never look at individual user data for product analytics)
3. What we don't do
- We don't train AI on your data. Your lab reports are not used to fine-tune our model or any third-party model
- We don't sell your data. Ever. Not to brokers, advertisers, insurers, or anyone
- We don't store identifiable health data longer than needed. See retention below
4. Third parties we use
To run Decoda we share data with:
- DeepSeek (AI provider) — receives the lab report text to generate the decode. Their data policies govern this processing
- Paddle / Gumroad (payment processor) — receives payment data only
- Vercel (hosting) — temporarily handles requests in transit
- Resend or similar (email) — sends transactional and marketing emails
We do not share your data with any party not listed here.
5. PII protection
Before sending lab reports to our AI provider, we instruct the model to ignore and not echo back any patient name, date of birth, MRN, or other personal identifiers found in the report. The decode output is stripped of identifiers.
6. Data retention
- Lab report content: deleted from our systems within 90 days
- Decode results: kept while you have an active account; deleted within 90 days after account closure
- Email and account info: kept until you ask us to delete
- Payment records: kept as required by tax law (typically 5-7 years)
7. Your rights
You can request, free of charge:
- A copy of all data we hold about you
- Correction of inaccurate data
- Deletion of your account and associated data
- Export of your decode history
- Opt-out of marketing emails
Email hello@decoda.life with your request. We respond within 7 days and act within 30.
8. EU users (GDPR)
If you're in the European Economic Area, you have additional rights under GDPR including the right to data portability and the right to lodge a complaint with your local supervisory authority. Our legal basis for processing is your consent (which you can withdraw any time) and contract performance (to provide the Service you purchased).
9. California users (CCPA)
California residents have the right to know what data we collect, request deletion, and not be discriminated against for exercising those rights. We do not sell personal information.
10. Children
Decoda is not intended for children under 18. We do not knowingly collect data from minors. If you believe a minor has signed up, email us and we'll delete the account.
11. International data transfers
Decoda is operated from China. Your data may be processed in regions where our service providers operate (including the United States and Asia-Pacific). We use providers that maintain industry-standard security and compliance.
12. Security
We use HTTPS for all connections, encrypted storage for sensitive data, and access controls limiting who can view user data internally. No system is 100% secure — if a breach affects you, we'll notify you within 72 hours.
13. Cookies
We use only essential cookies and local storage to remember your session and free-decode usage. We do not use advertising or tracking cookies.
14. Changes to this policy
We'll post updates to this page. Material changes will be communicated by email at least 14 days before taking effect.
15. Contact us
Email hello@decoda.life with any questions, requests, or concerns about your data.