Privacy Policy
Last updated: March 18, 2026
1. Data Controller
Strategic Decision AI S.L. (hereinafter "we", "us" or "the Company") is the data controller for personal data collected through the strategicdecision.ai platform.
Contact: info@strategicdecision.ai
2. Data We Collect
- Account data: name, email address, and password (stored as a bcrypt hash).
- Company data: company name, sector, size, logo and brand colours voluntarily provided by the user.
- Uploaded documents: files uploaded to enrich the context of your projects.
- Usage data: projects created, reports generated, Aris chat history and configuration preferences.
- Payment data: processed entirely by our payment provider (Stripe). We do not store card details.
- Technical data: IP address, browser type, operating system and access logs, for security and diagnostic purposes.
3. Purpose and Legal Basis
| Purpose | Legal basis |
|---|---|
| Service provision (report generation, chat) | Performance of a contract (Art. 6(1)(b) GDPR) |
| Account management and authentication | Performance of a contract (Art. 6(1)(b) GDPR) |
| Service communications and support | Legitimate interests (Art. 6(1)(f) GDPR) |
| Product improvement and usage analytics (anonymised) | Legitimate interests (Art. 6(1)(f) GDPR) |
| Marketing communications | Consent (Art. 6(1)(a) GDPR) |
4. AI Models and Your Data
Strategic Decision uses advanced third-party AI models to generate strategic reports. The data you provide (company context, documents, intake answers) is transmitted to those models solely to produce your report.
Your data is never used to train any AI model — neither ours nor those of third parties.
5. Data Sharing
We do not sell or transfer your personal data to third parties. We only share it with:
- Infrastructure providers: Railway (backend hosting), Vercel (frontend hosting), Supabase / PostgreSQL (database), under data processing agreements.
- AI provider: OpenAI or equivalent, under a data processing agreement that prohibits use of data for training.
- Payment platform: Stripe, operating under its own privacy policy.
- Legal obligations: when required by applicable law or court order.
6. Data Retention
We retain your data for as long as your account is active. If you cancel your account, we will delete or anonymise your personal data within 30 days, unless a longer retention period is required by law.
7. Your Rights
Under GDPR you have the right to:
- Access: request a copy of the data we hold about you.
- Rectification: correct inaccurate or incomplete data.
- Erasure: request deletion of your data ("right to be forgotten").
- Restriction: restrict processing in certain circumstances.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests.
To exercise any of these rights, write to us at info@strategicdecision.ai. We will respond within 30 days.
8. Security
We apply technical and organisational measures to protect your data: TLS encryption in transit, bcrypt-hashed passwords, short-lived JWT tokens, per-user data isolation and continuous access monitoring.
9. Cookies
We use only strictly necessary cookies for session management. We do not use third-party tracking or advertising cookies.
10. Changes to This Policy
We may update this policy from time to time. We will notify you by email at least 15 days before material changes take effect. The current version will always be available on this page.
11. Complaints
If you believe that our processing of your data infringes data protection law, you may lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es, or with the supervisory authority in your country of residence.