DeckSmith Privacy Policy

Last updated 10 May 2026

This policy explains how DeckSmith handles personal data when you use our service. We are the controller of personal data processed through the Service for the purposes of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

1. Who we are

DeckSmith is operated by Manav Thapar, an individual carrying on business as a sole trader under the trading name “DeckSmith” (Unseen Advisory Ltd in formation), with a service address at [insert service address]. Manav Thapar is the data controller for the purposes of the UK GDPR and is registered with the Information Commissioner's Office under registration number [insert].

We have notified our users that we intend to incorporate Unseen Advisory Ltd in England & Wales. On incorporation, the controller of your personal data will transfer to that company on the same terms set out in this policy. We will notify you by email of the transfer, the company's registered name and number, and any updated ICO registration.

For any data protection question, contact hello@mydecksmith.com.

2. Scope

DeckSmith is a business-to-business service. It is not directed at, or intended for use by, children under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

3. What we collect

We collect:

  • Account data: your email address, password hash, signup date, device information (user-agent string and IP address) used for session security.
  • Brand intake data: the information you enter into the intake form, including your brand details, products, commercial information, and any contact details you choose to provide.
  • Generated deck content: the Output the Service produces from your intake.
  • Billing data: payment events received from Stripe. We do not see or store your full card number.
  • Server diagnostic data: server-side records of which pages were requested, deck generation events, and error events, used for diagnostics, security, and service health (see clause 9 on cookies).

4. Why we use it and our lawful basis

We process personal data for the following purposes, on the following lawful bases under Article 6 UK GDPR:

Purpose | Lawful basis
Creating and operating your Account; generating your Decks | Performance of a contract (Article 6(1)(b))
Processing payments | Performance of a contract (Article 6(1)(b))
Sending transactional emails (deck-ready notifications, payment confirmations) | Performance of a contract (Article 6(1)(b))
Authenticating users and protecting against fraud and abuse | Legitimate interests (Article 6(1)(f)) in operating the Service securely
Investigating bugs and monitoring service health | Legitimate interests (Article 6(1)(f)) in maintaining a reliable service
Complying with legal and regulatory obligations (including tax records) | Legal obligation (Article 6(1)(c))

Where we rely on legitimate interests, we have completed a Legitimate Interests Assessment. You may request a summary by emailing hello@mydecksmith.com.

We do not use your intake data, and our subprocessors are contractually prohibited from using your intake data, to train any artificial intelligence model.

5. Who we share it with

We use the following processors, who handle data on our behalf under contractual data protection obligations compliant with Article 28 UK GDPR:

Provider | Role | Location
Supabase | Database, file storage, authentication | EU West (London)
Vercel | Hosting | EU regions where available
Anthropic | Claude AI for text generation | United States
Google | Gemini and image generation models | Global
Resend | Transactional email delivery | EU and US
Sentry | Error monitoring (PII stripped before transmission) | EU and US

In addition, we use Stripe to process payments. Stripe acts as an independent controller in respect of certain processing activities, including its own fraud prevention and regulatory compliance. For details of Stripe's processing, see https://stripe.com/privacy.

We do not sell or rent personal data. We do not share personal data with advertisers.

6. International transfers

Our primary database and file storage are located in the European Union. AI processing takes place on servers operated by Anthropic (United States) and Google (global).

Where personal data is transferred outside the United Kingdom and the European Economic Area, we rely on one or more of the following safeguards under Article 46 UK GDPR:

  • (a) for transfers to providers participating in the UK Extension to the EU-US Data Privacy Framework, the adequacy decision in respect of that framework;
  • (b) for other transfers, the UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK Addendum.

We have completed a Transfer Risk Assessment for each material transfer. You may request further information about the transfer mechanism applicable to a particular subprocessor by emailing hello@mydecksmith.com.

7. How long we keep it

Data category | Retention
Account and Deck data | Until you delete your Account; purged within 30 days of deletion
Billing records | 7 years (HMRC requirement)
Support correspondence | 3 years
Server logs and diagnostic data | 90 days

8. Your rights under UK GDPR

You have the following rights, subject to applicable conditions and exceptions:

  • to be informed about how we process your personal data (which this policy does);
  • to request access to your personal data;
  • to request rectification of personal data that is inaccurate or incomplete;
  • to request erasure of your personal data;
  • to request restriction of processing;
  • to object to processing carried out on the basis of legitimate interests;
  • to data portability where applicable; and
  • to withdraw consent at any time, where we rely on consent (we currently do not).

To exercise any right, email hello@mydecksmith.com. We will respond within one calendar month of receipt of your request, which we may extend by up to two further months where the request is complex or where we have received a number of requests, in which case we will tell you within the first month.

You also have the right to complain to the Information Commissioner's Office (https://ico.org.uk/, telephone 0303 123 1113) if you are not satisfied with how we have handled your personal data. We would, however, be grateful for the opportunity to address your concerns first.

9. Cookies and analytics

We use only strictly necessary cookies for authentication (keeping you signed in across pages) and security. These do not require your consent under regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

The diagnostic data described in clause 3 is collected server-side from request logs and is used solely for service health, security, and bug investigation. It is not used for marketing analytics, profiling, or behavioural tracking.

If we introduce non-essential cookies or analytics in the future, we will publish a cookie banner allowing you to give or withhold consent before any such cookie is set.

10. Data security

We hold personal data on infrastructure operated by Supabase (EU West) and Vercel, both with industry-standard security controls. Passwords are hashed and never stored in plain text. Access to production systems is restricted to authorised personnel and logged.

11. Personal data breaches

Where a personal data breach occurs that is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, in accordance with Article 33 UK GDPR. Where the breach is likely to result in a high risk to those rights and freedoms, we will also notify affected individuals without undue delay, in accordance with Article 34 UK GDPR.

12. Automated decision-making

We do not carry out any automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you. The Service uses AI to generate creative content based on the data you provide; it does not make decisions about your eligibility, pricing, or access on an automated basis.

13. Changes to this policy

We will notify you by email of any material change to this policy, including the transfer of controllership to Unseen Advisory Ltd on incorporation. The version of the policy in force at the date you accepted the Terms of Service continues to apply until we notify you of an update.

14. Contact

For any data protection question, including to exercise any of your rights under clause 8, email hello@mydecksmith.com.


Controller: Manav Thapar, sole trader trading as DeckSmith (Unseen Advisory Ltd in formation). Service address: [insert]. ICO registration number [insert]. Disclosed in accordance with section 1202 of the Companies Act 2006 and Article 13 UK GDPR.