InstantDeckAI
№ Privacy Policy
№ Privacy Policy

Your data, handled with care.

This Policy explains what personal data Vendax Systems LLC collects through Instant Deck AI, why we collect it, who we share it with, how long we keep it, and the rights you have under the GDPR, UK GDPR, and CCPA/CPRA.

01

Who we are.

Vendax Systems LLC, doing business as Vendax Systems Labs, operates Instant Deck AI (the “Service”) at www.instantdeckai.com. We are the data controller for personal data collected through the Service. Our address is 28 Geary St STE 650, Suite #500, San Francisco, California 94108, United States. For privacy questions, write to support@vendaxsystemlabs.com.

This Privacy Policy explains what data we collect, why, how long we keep it, who we share it with, and the choices and rights you have. It applies globally; specific rights for users in the European Economic Area, the United Kingdom, and California are summarized in section 9.

02

Data we collect.

Information you give us.

  • Account data — name, email, profile photo, and authentication metadata when you sign in (Google sign-in or magic link).
  • Content — the text, images, files, and decks you upload, generate, or edit on the Service.
  • Billing data — when you subscribe, our payment processor (Stripe) collects card and billing-address details. We store only a customer id, last-4 of card, and invoice metadata; we never see or store full card numbers.
  • Support correspondence — messages, attachments, and metadata you send when contacting us.

Information collected automatically.

  • Usage data — pages viewed, features used, time spent, decks generated, errors encountered.
  • Device & log data — IP address, browser type, operating system, referring URL, timestamps, language.
  • Cookies & similar technologies — see section 7.

Information from third parties.

  • Authentication providers — when you sign in with Google, we receive your name, email, and profile photo.
  • Payment processor — Stripe shares billing status and subscription metadata back to us via secure webhooks.
03

How we use data.

We use personal data only for the purposes below, each tied to a legal basis under the GDPR / UK GDPR (in parentheses):

  • operate, maintain, and secure the Service (contract performance);
  • authenticate accounts and prevent fraud (legitimate interests);
  • process payments and send invoices (contract performance, legal obligation);
  • send service announcements, billing notifications, and security alerts (contract performance, legitimate interests);
  • send marketing about new features (consent; you can opt out at any time);
  • improve product quality through aggregated analytics and AI-output sampling (legitimate interests);
  • respond to support requests and legal claims (contract performance, legal obligation);
  • comply with applicable law and respond to lawful requests (legal obligation).
04

How we handle your content with AI.

When you use AI features, the prompts, source material, and brand context you provide are sent to our AI processors (currently Google Generative AI, including Gemini and Imagen) so they can produce a draft. We do not use Your Content to train our own models or third-party models. Our AI processor commitments prohibit using customer prompts and outputs to train their foundation models for the API tiers we use.

Generated outputs are stored alongside your account so you can keep editing. You can delete a deck (and its generated outputs) at any time from the editor or by writing to support@vendaxsystemlabs.com.

05

Sharing & disclosures.

We share personal data only with:

  • Service providers acting as processors on our behalf — Google Cloud / Firebase (hosting, authentication, database), Stripe (payments), Google Generative AI (drafting), Resend (transactional email), Vercel (delivery). They are bound by written agreements that mirror the obligations we owe to you.
  • Authorities when required by valid legal process, or to protect rights, property, or safety.
  • Successors in the event of a merger, acquisition, or asset sale, subject to a contractual obligation to protect your data on terms no less protective than this Policy.

We do not sell personal data, and we do not share personal data for cross-context behavioral advertising as defined under California law.

06

International transfers.

We are based in the United States. If you are in the European Economic Area, the United Kingdom, or another region with data-export rules, we rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum where applicable) with our processors, and apply supplementary technical measures (encryption in transit and at rest) to safeguard your data.

07

Cookies & similar technologies.

We use the following categories:

  • Strictly necessary — authentication tokens, CSRF protection, payment-session id. Required; cannot be disabled.
  • Functional — language preference, theme, recently opened decks.
  • Analytics — aggregated usage signals (page views, feature adoption). We do not use third-party advertising trackers.

You can clear or block cookies through your browser. Doing so may break the Service.

08

Data retention.

We keep personal data only as long as we have a clear reason to:

  • Account data — for the life of your account, then deleted within 30 days of account closure unless we must keep it (for example, billing records under tax law).
  • Content — until you delete it from the editor or close your account.
  • Billing records — retained for at least 7 years to satisfy tax and accounting laws.
  • Logs & analytics — typically 90 days, then aggregated or deleted.
09

Your rights & choices.

Everywhere.

You can access, correct, or delete your account and content from your profile. You can opt out of marketing email via the unsubscribe link in any message.

European Economic Area & United Kingdom.

Under the GDPR / UK GDPR you have the right to: access, rectify, erase, restrict or object to processing, port your data, and withdraw consent. You can exercise these rights by writing to support@vendaxsystemlabs.com; we will respond within 30 days. You also have the right to lodge a complaint with your local data-protection authority.

California (CCPA / CPRA).

California residents have the right to know, delete, correct, opt out of “sale” or “sharing” (we do neither), limit the use of sensitive personal information, and not be retaliated against for exercising these rights. To exercise them, email support@vendaxsystemlabs.comwith subject line “CCPA Request”. We will verify your identity using your account email and respond within 45 days.

Other regions.

If you reside in a jurisdiction whose privacy law (for example, Canada PIPEDA, Brazil LGPD, India DPDP Act) grants additional rights, we will honor them on request.

10

Security.

We protect personal data with industry-standard administrative, technical, and physical safeguards: TLS in transit, encryption at rest, role-based access controls, audit logging, and vendor due-diligence. No system is 100% secure; if we discover a breach affecting your data we will notify you and the appropriate authorities within the timelines required by law.

11

Children.

The Service is not directed to children under 13 (or 16 in the EEA). We do not knowingly collect data from children. If you believe a child has provided personal data, write to support@vendaxsystemlabs.com and we will delete it.

12

Changes to this policy.

We may update this Policy from time to time. Material changes will be announced by email or in-product notice at least 30 days before they take effect. The “Effective” date at the top of this page always reflects the latest version.

13

Contact us.

For privacy questions, requests, or complaints contact our privacy team:

Vendax Systems LLC (d/b/a Vendax Systems Labs)
28 Geary St STE 650, Suite #500
San Francisco, California 94108
United States
support@vendaxsystemlabs.com

We are committed to data minimization, purpose limitation, and transparency. Last updated April 29, 2026.