Aviso de privacidad para PrivyDeck Personal Shield
PrivyDeck Personal Shield por Vassbrekke AS
Who we are
PrivyDeckoperates the PrivyDeck personal privacy dashboard ("PrivyDeck," "we," "us"). This policy explains how we handle personal data when you use our website and hosted service.
Privacy contact: privacy@privydeck.com
What PrivyDeck does
PrivyDeck helps you block trackers, monitor your privacy posture, store encrypted documents, and send data-subject requests to third-party companies. We are designed to collect as little as possible.
Categories of personal data we process
Account data: email address, display name, profile image (from your sign-in provider), account creation date, subscription tier
Billing data: Stripe customer ID and subscription status (payment card details are handled entirely by Stripe)
Device data: names, types, platform, protection status, agent version, last-seen timestamps
Network telemetry: aggregated Pi-hole blocker statistics and VPN connection status when you connect a home agent
Tracker alerts: blocked domain names, hit counts, categories, and optional AI-generated suggestions
Vault metadata: titles, categories, file sizes, encryption salts/IVs — not plaintext contents
Vault ciphertext: encrypted files you upload (decrypted only in your browser with your passphrase)
Privacy score history: numeric scores and component breakdowns
DSAR letters: company names, contact emails, template choices, and generated letter text you create
Preferences: blocklist toggles, lockdown mode, extension sync metadata, in-app notifications
Technical data: CSRF token cookie, session authentication cookie, IP address in server logs (hosting provider)
What we do not collect
Your vault passphrase — never transmitted to our servers
Plaintext vault document contents — encrypted client-side before upload
Your full browsing history — only aggregated tracker statistics when protection is active
Advertising profiles or cross-site tracking — we do not run third-party analytics or ad pixels
Purposes and legal bases (GDPR / UK GDPR)
Where GDPR or UK GDPR applies, we rely on the following legal bases:
Contract (Art. 6(1)(b)): providing your account, sync, vault storage, and subscription features
Legitimate interests (Art. 6(1)(f)): security (CSRF, rate limits), fraud prevention, service improvement, and optional AI tracker coaching when enabled
Consent (Art. 6(1)(a)): optional AI suggestions — you can disable these in Settings → Privacy preferences
Legal obligation (Art. 6(1)(c)): tax, accounting, and lawful requests from authorities
California (CCPA / CPRA) notice at collection
Categories collected: identifiers (email, name), internet/network activity (tracker domain statistics), commercial information (subscription status), and optionally sensitive personal information if you store medical, financial, or legal documents in your encrypted vault.
Sources: you directly and your connected devices. Business purposes: provide the service, security, billing, and customer support. Retention: see Retention section below.
We do not sell or share personal information for cross-context behavioral advertising. Do Not Sell or Share My Personal Information. We honor Global Privacy Control (GPC). Consumer rights (access, delete, correct, portability, limit sensitive PI): Your Privacy Rights.
Non-discrimination: we will not discriminate against you for exercising CCPA/CPRA rights. See non-discrimination notice.
United States state privacy laws
If you reside in Virginia (VCDPA), Colorado (CPA), or Connecticut (CTDPA), you have rights to access, delete, correct, and opt out of the sale of personal data and targeted advertising. We do not sell personal data or use it for targeted advertising.
Exercise rights via Your Privacy Rights or Do Not Sell or Share. We apply the same non-discrimination standard to all US state privacy requests.
Other regional frameworks
Regardless of where you live, we apply the same core rights. Details and how to exercise them: Your Privacy Rights.
Brazil (LGPD): lawful bases above; contact our privacy team; lodge complaints with the ANPD
Canada (PIPEDA): privacy contact acts as privacy officer; access, challenge accuracy, withdraw consent; complaints to OPC if unresolved
South Africa (POPIA): lawful processing; contact us to exercise rights
Japan (APPI): purposes specified here; disclosure, correction, suspension, deletion on request; cross-border safeguards with subprocessors
South Korea (PIPA): access, correction, deletion, suspend processing; withdraw consent for optional AI features
Singapore / Thailand PDPA: limited collection for stated purposes; access and correction on request
Australia (Privacy Act / APPs): open handling; access and correction; complaints to OAIC after contacting us
European Union / UK (GDPR) & Switzerland (FADP): legal bases, retention, subprocessors, and complaint rights as described above
European Union (ePrivacy): strictly necessary cookies only; see Cookie Policy; no advertising trackers on PrivyDeck
Third-party payment processing (Stripe)
When you subscribe or manage billing, Stripe loads on checkout and the billing portal. PrivBeacon and similar audits may detect Stripe as a "payment tracker" — this is expected: Stripe processes payments and may set cookies for fraud prevention and checkout functionality. We do not use Stripe for advertising. Stripe's privacy policy governs their processing: stripe.com/privacy. See also our Cookie Policy.
Subprocessors and recipients
We share data only with service providers who help us run PrivyDeck:
Stripe — payment processing (billing data)
Sign-in providers you choose — Google, GitHub, Apple, or email magic links (authentication)
Optional AI provider (e.g. OpenAI) — blocked domain name and hit count only, when AI coaching is enabled and you have not opted out
Hosting infrastructure — server logs and stored database (e.g. Fly.io or your self-hosted server)
We do not sell personal data to data brokers. DSAR letters you generate are sent by you to third parties — not by us.
International transfers
If you access PrivyDeck from outside the country where our servers run, your data may be transferred internationally. Where required, we rely on Standard Contractual Clauses or equivalent safeguards with subprocessors. Self-hosted deployments keep data on your own infrastructure.
Retention
Account data: until you delete your account, plus up to 30 days for backup purge
Score history and alerts: until deleted or account erasure
Vault ciphertext: until you delete items or your account
Server logs: typically 30–90 days (hosting provider dependent)
Stripe records: as required for tax and accounting (typically 7 years)
Cookies and similar technologies
We use strictly necessary cookies only (session, CSRF). We do not use advertising or analytics cookies. Details: Cookie Policy.
Automated processing and AI
When enabled, we may send blocked domain names and hit counts to an AI API to generate short tracker-blocking suggestions. This is not used for profiling or automated decisions with legal effect. Disable AI coaching anytime in Settings → Privacy preferences.
Your privacy rights
Full instructions for access, deletion, correction, portability, opt-out, and regional rights: Your Privacy Rights. Summary for signed-in users:
Access & portability: Settings → Privacy data export (JSON bundle including vault ciphertext)
Erasure: Settings → Delete account (permanent; type DELETE to confirm)
Rectification: update your profile via your sign-in provider, or contact us
Restrict / object: disable AI coaching; cancel subscription; contact us for other requests
Withdraw consent: disable optional AI features; delete account to stop all processing
Opt out of sale/sharing: we do not sell — see Do Not Sell page; GPC honored
Email privacy@privydeck.com for requests you cannot complete in Settings. We respond within 30 days (GDPR) or 45 days (CCPA, extendable once). We may verify your identity before fulfilling sensitive requests.
Children
PrivyDeck is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us data, contact privacy@privydeck.com and we will delete it.
Security
Vault files are encrypted in your browser before upload. Agent and extension tokens are stored as hashes. We use CSRF protection, content security policy, and rate-limited exports. No system is perfectly secure — use a strong vault passphrase and keep devices updated.
Data breaches
If a breach likely affects your rights, we will notify you and relevant authorities as required by applicable law (e.g. GDPR Art. 33–34, state breach laws).
Changes to this policy
We may update this policy. Material changes will be reflected in the "Last updated" date. Continued use after changes constitutes acceptance where permitted by law.
Contact
Privacy: privacy@privydeck.com
General support: support@privydeck.com
Help center: /help