Privacy Policy

1. Who this Policy applies to

The Service is used by businesses and their authorized users. In most cases:

• You are our customer if you have an account and a billing or design-partner relationship with us. With respect to the content you create and the data you bring into the Service, you generally act as the controller and we act as a processor on your behalf.
• You may be an end participant — for example, a person interviewed through the Voice of Customer (“VoC”) calling features. In that case, our customer typically determines why and how your information is collected, and you should also review that customer's own privacy notice.

This Policy describes our own practices across both roles. Where we process data on a customer's behalf, our handling is also governed by our agreement with that customer.

2. Information we collect

Account and identity data. Name, email address, organization, authentication identifiers, and (for paid accounts) billing-related information. Payment card details, if any, are handled by our payment processor and not stored by us.

Workspace content. The information you create and store in DecisionGraph — including products, initiatives, features, work items, specifications, decisions, and the relationships between them (“Graph Content”). This is your data; we hold it to operate the Service for you.

Voice of Customer (VoC) data. When you use the calling, messaging, and transcription features, we and our service providers may process: inbound and outbound telephone audio, call recordings, real-time and stored transcripts, generated or synthesized speech, SMS/text message content, phone numbers, and call metadata (time, duration, direction). See Section 6 (Call recording and consent).

Integration data. If you connect third-party services (for example, Google Workspace, GitHub, or other tools via the Model Context Protocol), we access and process data from those services only as needed to provide the features you enable, and according to the scopes you authorize. You can revoke these connections at any time.

AI processing inputs and outputs. To provide features such as decomposition, drafting, and analysis, relevant content may be sent to our AI provider for processing and returned to you. See Section 5.

Usage and technical data. Log data, device and browser information, IP address, and product interaction events used to operate, secure, and improve the Service.

3. How we use information

We use information to:

• Provide, maintain, and secure the Service and your account;
• Process and transcribe calls and messages you initiate through the VoC features;
• Generate AI-assisted outputs you request;
• Operate integrations you connect;
• Process payments and manage the customer relationship;
• Detect, prevent, and investigate fraud, abuse, and security incidents;
• Comply with legal obligations; and
• Improve the Service.

We do not sell your personal information. We do not use your Graph Content, VoC data, or integration data to train our own generalized models, and we instruct our AI provider not to use it to train their models (see Section 5).

4. Legal bases (where applicable)

Where the GDPR or similar laws apply, we process personal data on the bases of: performance of a contract, your consent (for example, call recording where required), our legitimate interests in operating and securing the Service, and compliance with legal obligations.

5. AI processing

DecisionGraph uses AI models provided by Anthropic to power features you invoke. When you use these features, the relevant inputs (which may include Graph Content or VoC transcripts) are transmitted to Anthropic's API for processing and the results are returned to you. We use commercial API access under terms that do not permit your inputs or outputs to be used to train the provider's models. We do not retain this data with the provider beyond what is necessary to return your result, subject to the provider's standard processing.

6. Call recording and consent

The VoC features can record telephone calls and create transcripts. Recording laws vary by jurisdiction, and some jurisdictions require the consent of all parties to a call. Because calls may cross state and national borders, the strictest applicable law may govern.

Our practices and your responsibilities:

• When you (our customer) use the VoC features to conduct calls or interviews, you are responsible for providing any legally required notice and obtaining any legally required consent from the individuals you call or who call you.
• The Service provides mechanisms to support disclosure (for example, an audible notice at the start of a call). You are responsible for configuring and using these appropriately for the jurisdictions involved.
• We process recordings, transcripts, and related audio as a processor on your behalf and retain them according to Section 9 and your account settings.

7. Subprocessors and service providers

We use the following third-party providers to deliver the Service. Each processes data only as needed to perform its function:

We may update this list as the Service evolves. Material changes to subprocessors handling customer data will be reflected here.

8. How we share information

We share information only:

• With the subprocessors listed above, under contractual confidentiality and data-protection terms;
• With the customer organization on whose behalf we hold end-participant data;
• When required by law, legal process, or to protect rights, safety, and the integrity of the Service; and
• In connection with a merger, acquisition, or sale of assets, subject to this Policy.

9. Data retention

We retain account and Graph Content for as long as your account is active and as needed to provide the Service. VoC recordings and transcripts are retained according to your account configuration and our agreement with you. On termination, we delete or return your data within a reasonable period, except where retention is required by law. You may request deletion as described in Section 11.

10. Security

We use technical and organizational measures appropriate to the nature of the data, including access controls, encryption in transit, and infrastructure hardening. No system is perfectly secure, and we cannot guarantee absolute security.

11. Your rights and choices

Depending on your location, you may have rights to access, correct, delete, port, or restrict processing of your personal data, and to object to certain processing. To exercise these rights, contact us at privacy@decisiongraph.io. Where we process data on behalf of a customer, we will refer your request to that customer or act on their instructions.

You can disconnect integrations at any time through your account settings.

12. International data transfers

We are based in the United States and our providers may process data in the United States and other countries. Where required, we rely on appropriate safeguards for cross-border transfers.

13. Children

The Service is not directed to individuals under 18, and we do not knowingly collect their personal information.

14. Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a revised “Last updated” date and, for material changes, provide additional notice where appropriate.

15. Contact

FlowLogic LLC
Beaverton, Oregon, USA
Email: privacy@decisiongraph.io