Privacy Policy
Effective Date: April 17, 2026
This Privacy Policy explains how OpenDecision ("we," "us," or "our") collects, uses, shares, and protects information in connection with our websites, the Scout AI assistant, decision space functionality, and related services (the "Services"). This Policy is incorporated into our Terms of Service.
1. Information We Collect
a. Account Information
When you create an account, we collect your email address and, if you sign in with a third-party provider (Google, Microsoft, Apple), your name and profile image from that provider. We do not receive your password from OAuth providers.
b. Your Content
We collect the content you create or submit to the Services, including decision profiles, criteria and weights, Scout AI conversation messages, notes, uploaded files, and feedback. You retain ownership of Your Content as described in our Terms.
c. Automatically Collected Information
When you use the Services, we automatically collect certain technical information, including:
- IP address, browser type, operating system, and device identifiers
- Pages viewed, links clicked, and features used
- Timestamps of requests and sessions
- Referrer URLs, including whether you arrived from an AI answer engine (Perplexity, ChatGPT, Gemini, Claude, Bing Copilot)
- Anonymous session identifiers for users who have not signed in
d. Cookies and Similar Technologies
We use cookies and similar technologies for session management, authentication, and product analytics. Key cookies include:
- od_ai_source — tracks which AI answer engine referred you, used for conversion analytics
- Session cookies set by Supabase to keep you signed in
- Analytics cookies set by PostHog to measure product usage
You can control cookies through your browser settings. Disabling required cookies may prevent you from using parts of the Services.
2. How We Use Information
We use the information we collect to:
- Provide, maintain, and improve the Services
- Authenticate you and keep your account secure
- Generate AI-powered decision matches and responses through Scout AI (see Section 4 below)
- Send transactional messages (sign-in codes, account notifications)
- Analyze usage patterns to improve product quality and relevance
- Detect, prevent, and respond to fraud, abuse, and security issues
- Comply with legal obligations and enforce our Terms
We do not sell your personal information. We do not use Your Content to train our own foundation AI models.
3. How We Share Information
We share information only with service providers ("subprocessors") who help us operate the Services, and only for the purposes listed. Each subprocessor is contractually bound to protect your data. Our current subprocessors are:
| Subprocessor | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, file storage | United States |
| Google LLC (Gemini API) | Large language model inference for Scout AI and research | United States |
| Google LLC (OAuth) | Sign-in with Google | United States |
| Microsoft Corporation | Sign-in with Microsoft (Entra ID) | United States |
| Resend | Transactional email delivery (sign-in codes, notifications) | United States |
| PostHog | Product analytics and usage measurement | United States (US Cloud) |
| Vercel | Frontend hosting and edge delivery | United States |
| DigitalOcean | Backend API and pipeline hosting | United States |
| Cloudflare | DNS, CDN, email routing | Global |
We may also disclose information (i) with your consent, (ii) to comply with valid legal process or government requests, (iii) to protect the rights, property, or safety of OpenDecision, our users, or the public, or (iv) in connection with a merger, acquisition, or sale of assets, with notice to you where practical.
4. AI Processing Disclosure
OpenDecision's Scout AI assistant and research features use third-party large language models, currently Google Gemini. When you interact with Scout AI, your messages, decision criteria, and related inputs are transmitted to Google for inference. Google acts as a subprocessor and is subject to Google's AI Gemini API terms, which prohibit use of paid-API data for training Google's foundation models.
AI-generated responses may contain errors, biases, or omissions. You should independently verify information used to make material business decisions. We do not use Your Content to train our own models.
5. International Data Transfers
Our infrastructure and subprocessors are primarily located in the United States. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States. For users in the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses approved by the European Commission as the lawful basis for these transfers.
6. Data Retention
- Active accounts: we retain Your Content for as long as your account is active
- Anonymous sessions: automatically deleted 90 days after last activity
- Deleted accounts: Your Content is permanently deleted within 30 days of deletion request, except as required by law
- Backups: encrypted backups are retained for up to 35 days for disaster recovery
- Analytics: aggregated, de-identified analytics data may be retained indefinitely
- Transactional records: retained as required for tax, accounting, and legal compliance (typically 7 years)
7. Your Rights
Regardless of your jurisdiction, you have the right to:
- Access the personal information we hold about you
- Correct inaccurate information
- Request deletion of your account and Your Content
- Object to or restrict certain processing
- Request a portable copy of Your Content in a common format
- Withdraw consent where processing is based on consent
To exercise these rights, email matt@opendecision.com. We will respond within the time required by applicable law (typically 30 days).
8. Security
We use industry-standard security measures to protect your information, including TLS encryption in transit, encryption at rest for stored data, role-based access controls, audit logs, and regular security reviews. No system is perfectly secure; you are responsible for protecting your account credentials and we recommend using a strong, unique password or an OAuth provider with multi-factor authentication enabled.
9. Children
The Services are not intended for anyone under 18. We do not knowingly collect personal information from children. If we discover that we have collected information from a child, we will delete it promptly.
10. Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated by email or in-product notice at least 14 days before taking effect. The "Effective Date" at the top of this page indicates when the most recent changes were made.
11. Jurisdiction-Specific Rights
a. European Economic Area, United Kingdom, and Switzerland
If you are located in the EEA, UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) or equivalent laws, including the right to lodge a complaint with your local supervisory authority. The legal bases we rely on are:
- Contract: processing necessary to provide the Services to you
- Legitimate interest: product improvement, security, and fraud prevention
- Consent: for marketing communications or non-essential cookies, where required
- Legal obligation: to comply with applicable laws
b. California Residents
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA/CPRA), including the right to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell personal information. To exercise your rights, contact us using the information in Section 12.
c. Other US State Residents
Residents of Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia have similar rights under their state privacy laws, including the right to access, correct, delete, and opt out of targeted advertising. We do not engage in targeted advertising or the sale of personal information as defined by these laws. To exercise your rights, contact us using the information in Section 12.
d. Canada, Australia, and Other Jurisdictions
Users in Canada, Australia, and other jurisdictions have rights under their applicable privacy laws (PIPEDA, Privacy Act 1988, and others). Contact us to exercise them.
12. Contact Us
Questions about this Privacy Policy or your personal information? Email matt@opendecision.com.