Skip to content
Dekade

Privacy

How we handle your data.

Plain English. Short version up top, the detail below. If anything here is unclear, email privacy@dekade.app and we’ll answer.

Last updated: 3 June 2026

The short version

  • We store only what we need to give you a result and a place on the waitlist.
  • Everything sits in EU data centres (Frankfurt for the app, Dublin for the database, the EU instance of every third-party processor).
  • You can delete or export every record we hold at any time, self-serve, from /account/erase or /account/export.
  • We do not sell your data. Ever. Not to anyone.
  • We don’t connect to your bank, your broker, or your tax authority. The wizard works from banded estimates you type yourself.

Who runs Dekade

Dekade is operated as a sole-trader project by the founder, based in Ireland. Contact: hello@dekade.app for general questions, privacy@dekade.app for data-protection matters. Once we incorporate (planned post-launch), this section will be updated with the company number and registered address.

What we collect — and why

Wizard answers

The wizard captures: age, country, currency, an income band, household and home situation, current savings / pension / investments / debt (banded or skip-able), and your milestone and lifestyle aspirations. We store this against an anonymous cookie ID (a random UUID, not tied to you) so you can return to it later.

Why: it’s the input to the calculation. We keep it so you can revisit the result and so we can improve the calculation method based on aggregate patterns (never individual rows).

Email address (waitlist)

Captured only when you submit the email form at the end of the wizard or on the homepage. We use it to send you a single launch announcement when v1 opens, and, if you tick the optional update box, occasional product updates.

Lawful basis: GDPR Article 6(1)(a) — your consent, given by submitting the form. You can withdraw it at any time by replying to any email, by clicking unsubscribe, or by deleting your data.

Email address (save and finish later)

If you click Save and finish later inside the wizard, we store your email against your in-progress draft so we can mail you a single-use resume link. We do not use this email for anything else — it’s separate from the waitlist signup.

Cookies and technical data

See the cookie policy for the full list. The short version: one strictly-necessary cookie that holds your anonymous wizard ID, one consent cookie that remembers your analytics choice, and (only if you opt in) one PostHog session cookie for product analytics.

Web-server logs at Vercel capture IP address, user agent, and request paths for up to 30 days. These are used for security and abuse detection only.

What we do NOT collect

  • No bank, broker, tax, or open-banking connections of any kind.
  • No tracking pixels in our emails.
  • No third-party advertising or retargeting cookies.
  • No special-category data (health, biometric, political, etc.).
  • No data about children — the service is for adults aged 18+. If you believe a minor has submitted data, email us and we’ll erase it on receipt.

Processors and where data lives

We use the following sub-processors, all configured for EU data residency.

ProcessorWhat it handlesRegion
VercelApplication hosting and edge requestsFrankfurt (fra1)
Supabase (Postgres)Wizard drafts, results, waitlist, DSR audit logDublin (eu-west-1)
ResendTransactional email (confirmations, resume links, DSR flows)EU instance
PostHogProduct analytics (opt-in only)EU instance (eu.posthog.com)
SentryError monitoringEU DSN (de.sentry.io)
CloudflareDNS for dekade.appGlobal edge network (no personal data stored at rest)

We sign Data Processing Agreements with every processor that handles personal data (Vercel, Supabase, Resend, PostHog, Sentry). Copies are available on request.

How long we keep things

  • Wizard drafts: 30 days from last activity, then automatically purged.
  • Wizard results: kept as long as your waitlist signup exists, so you can return to your result and share link. Deleted when you run Article 17 erasure or when you reply to remove yourself.
  • Waitlist signups: kept until you ask us to delete them or for a maximum of 24 months after launch if you never engage.
  • DSR audit log: kept indefinitely under Article 30 (record of processing). The PII columns are redacted to [erased] after the request completes.
  • Vercel access logs: 30 days, controlled by Vercel.
  • PostHog events: 12 months, capped by retention setting in PostHog.
  • Sentry events: 90 days.

Your rights under GDPR

You have a set of rights over the personal data we hold for you. Two are wired into this site as self-serve flows; the others you can exercise by emailing privacy@dekade.app — we respond within 30 days as the regulation requires.

Delete your data

Article 17. We email a confirmation link; once you click it we permanently delete every record tied to your email.

Start a deletion request →

Export your data

Article 20. Confirmation email then a single-use, 7-day download link with a JSON copy of every record we hold.

Start an export request →

Email-based rights

  • Article 15 — Access: a copy of every piece of personal data we hold for you (the export covers this; if you prefer a written summary, email us).
  • Article 16 — Rectification: ask us to correct anything that’s inaccurate.
  • Article 18 — Restriction: ask us to stop processing while a dispute is resolved.
  • Article 21 — Objection: object to a specific processing activity.

If you believe we’ve handled your data badly and we haven’t fixed it after you raised it, you have the right to complain to the Data Protection Commission of Ireland (our lead supervisory authority): dataprotection.ie. UK residents can complain to the Information Commissioner’s Office at ico.org.uk.

Export file format

The Article 20 export is a single JSON document, schema version 1. Top-level keys:

  • subject — the email address the export was made for.
  • waitlistSignups — each signup with opt-in flags, confirmation timestamps, and the nested wizardResults tied to it.
  • wizardDrafts — any in-progress wizard answers saved against your email via Save and finish later.
  • generatedAt + schemaVersion — export metadata.

Money fields are stored in minor units (cents/pence) to match the database format — e.g. €5,000 appears as 500000.

International transfers

All primary storage stays in the EU. Some processors are US-headquartered (Vercel, Resend, PostHog Inc., Sentry Inc.) but their EU instances keep personal data within the EU. Where any onward transfer is required for support purposes, it is covered by EU Standard Contractual Clauses and the relevant data-transfer impact assessment.

Security

HTTPS everywhere. Database connections pooled over TLS. Wizard cookies are httpOnly, sameSite=lax, and secure-flagged in production. Admin pages sit behind HTTP Basic Auth with constant-time credential comparison and a per-session secret. Resend confirmation tokens are 256-bit CSPRNG values and single-use. We don’t store passwords because there are no user accounts in v1.

Children

Dekade is for adults aged 18 and over. The wizard rejects ages outside 18-65. We do not knowingly collect data from children. If you’re a parent or guardian and believe a child has submitted data, email privacy@dekade.app and we’ll erase it on receipt.

Changes to this notice

We may revise this notice from time to time. Material changes — anything that changes what we collect, who processes it, or how long we keep it — will be announced by email to waitlist members and shown as a banner on the homepage for at least 14 days. The last-updated date at the top is the authoritative version indicator.