Privacy policy
Last updated: 3 May 2026
Reflects the current platform after a full privacy review: facilitator-led sessions, anonymous participant join, partner workspaces, invoice-based billing, Google sign-in, AI-assisted debrief generation, saved participant progress, organisation branding (logo & accent colour), risk-framework preferences, and learning objectives tracked over time.
Who we are
DECID:R is owned and operated by Decidr Ltd (company no. 17221542, registered in England & Wales) under licence from Jemma Davis, who retains all intellectual property in DECID:R (scenario library, decision-support framework, runbooks and brand). Culture Gem Ltd and Inclusive Change Ltd are equal authorised distributors of the Service under licence. Decidr Ltd is the data controller for the personal data collected through this service.
What data we collect
The data we collect depends on how you use the platform:
- Participants joining via a join code: by default, joining a live exercise is anonymous — we don't ask for your name or email. The facilitator may ask you to identify yourself verbally for their own debrief notes, but the platform itself stores no identifying information about anonymous participants.
- Participants who choose to save progress: if you opt in to save an exercise to your own account, you sign in with email and password (or Google) and we store the same account data as for facilitators (see below), plus the saved exercise state.
- Exercise activity: decisions made, decision stage interactions, time taken, confidence ratings, branch path taken, and outcome metrics (impact, cost, reputation). Linked to the participant's account if signed in, otherwise to the anonymous session only.
- Saved progress: if you sign in to resume a session, we store your current node, decisions to date, and join code locally and on the server so you can rejoin after a refresh, disconnection or device change.
- Account holders (clients, facilitators, partners, customer admins, platform admins): email address, display name, optional avatar image, hashed password or Google sign-in identifier, requested role, approval status, and the timestamp at which your account was approved or onboarded.
- Organisation profile (optional, set during onboarding or in Settings): organisation name, sector / industry, team size band, and the chosen risk-scoring framework (e.g. NIST, ISO 27005, FAIR). Used to tailor scenarios, scoring language, and benchmark comparisons. You can change or clear these at any time.
- Branding assets (optional): an uploaded organisation logo and an accent colour, used to co-brand reports and the in-app experience for your team. Logos are stored in a public file bucket so they can be embedded in shared reports — do not upload anything confidential. You can remove your logo at any time from Settings → Branding.
- Learning objectives & confidence ratings: the goals you set for your team (e.g. "improve ransomware response"), the baseline and current self-assessed confidence scores against each goal, and a time-series of confidence updates with optional notes. Linked to your account and visible to your linked partner (if any) so they can support your progress.
- Facilitator sessions: session metadata (scenario, join code, start/end time, participant count) and any post-session reports or debrief notes the facilitator generates or exports.
- Partner & customer relationships: partner-customer links, partner invites you have sent or accepted, invite redemptions, and which partner-authored scenarios are visible to your account.
- Billing data (paid customers only): organisation name, billing contact, billing address, VAT number, PO reference, subscription tier, invoices and invoice line items. We bill by invoice only — payable by bank transfer within 30 days. We do not collect or store card details.
- Search & usage logs: scenario search queries and selections, retained in pseudonymised form to improve content.
- Technical logs: standard server logs (IP address, user agent, request path, timestamp) generated by our hosting provider for security and abuse prevention. Not linked to user accounts and rotated automatically.
How we use your data
We use personal data for the following purposes:
- To run facilitator-led exercises and let participants resume sessions
- To generate post-exercise reports, runbooks, and debrief materials for facilitators
- To manage accounts, role-based access, and partner/customer workspaces
- To process subscriptions and issue invoices to paying customers
- To send service emails (invites, approval notifications, password resets)
- To analyse aggregated, anonymised trends and improve exercise content
- To detect and prevent abuse, and to meet our legal obligations
We do not use participant decisions or exercise content to train third-party AI models.
Lawful basis
We rely on the following lawful bases under UK GDPR:
- Legitimate interests — running and improving the exercise platform, and securing it against abuse.
- Contract performance — managing accounts, partner agreements, and processing subscriptions and invoices.
- Legal obligation — retaining billing records for tax and accounting purposes.
- Consent — for any non-essential cookies or optional communications (currently none in use).
Data sharing & processors
We do not sell personal data or share it for marketing purposes. We share data only with:
- Your facilitator and their partner organisation, who can view the session data needed to debrief you, under a written agreement with us.
- Your customer-organisation admin, who can view sessions run within their workspace.
- Cloud infrastructure (hosting, database, authentication, file storage): our managed backend provider, acting as a data processor under a Data Processing Agreement. Data is stored in EU/UK regions where available.
- Accounting & tax records — invoice records are stored within our finance system and shared with our accountants for statutory bookkeeping and tax filings. We do not use a third-party payment processor.
- Google — only when you choose "Continue with Google" to sign in. Google receives the sign-in request and returns your email and a persistent identifier; we receive no other Google account data.
- AI gateway — when a facilitator generates an AI-assisted debrief summary or runbook, the relevant exercise outputs are sent to a large-language-model provider via our gateway. Inputs are processed for that single response only and are not used to train third-party models.
- Trusted delivery partners — DECID:R works with a network of trusted specialist partners who deliver certain services on our behalf or alongside us. Where a service you enquire about is delivered by one of our partners, we may share your contact details and enquiry information with the relevant partner so they can deliver that service. We only share what is necessary, all partners are contractually bound to protect your data and use it only for the agreed purpose, and we never sell or share your data for third-party marketing. The legal bases are Art. 6(1)(b) UK GDPR (performance of a contract or pre-contractual steps) and Art. 6(1)(f) UK GDPR (legitimate interests in delivering the services you have requested). You can request a copy of the relevant contractual safeguards by emailing the address listed below.
- Authorities, where required by law.
International transfers (e.g. Google, AI gateway) rely on the UK International Data Transfer Addendum and EU Standard Contractual Clauses.
Data retention
- Live session & saved-progress data: deleted automatically 30 days after the session ends, unless the facilitator explicitly archives it.
- Archived session reports: retained for up to 12 months, then anonymised or deleted.
- Account data: retained while the account is active, and for up to 6 months after closure to handle disputes.
- Billing records & invoices: retained for 6 years to meet UK tax law.
- Search & usage logs: pseudonymised after 90 days.
Cookies and local storage
We use the following, all strictly necessary:
- Authentication cookies: to keep facilitators, partners, and admins signed in.
- Session cookies: to keep participants linked to a live exercise after a refresh.
- Local storage: theme choice, accessibility settings, cookie-consent acknowledgement, and the participant's saved progress for the current exercise.
We do not use analytics cookies, advertising cookies, or any third-party tracking. The cookie banner offers "Essential only" and "Accept all" buttons; both have the same technical effect today because no non-essential storage is loaded. Your choice is recorded so we can honour it if optional cookies are ever introduced.
Changes to this policy
We'll update this page when our data practices change — for example, adding a new processor, changing retention periods, or introducing optional cookies. Material changes will be flagged to account holders by email and surfaced in-app on next sign-in. The "Last updated" date at the top of this page always reflects the current version.
Security
Access to session and account data is protected by row-level security policies, role-based access control, and encrypted connections (HTTPS). Passwords are hashed and never stored in plain text. Facilitator and partner accounts require approval before they can access live sessions.
Children
The platform is intended for use by professionals in workplace training contexts. It is not directed at children under 16, and we do not knowingly collect personal data from them.
Your rights
Under UK GDPR, you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have data erased ("right to be forgotten") where applicable;
- restrict or object to processing based on legitimate interests;
- data portability for data you provided under contract or consent;
- withdraw consent at any time, where processing is based on consent (this does not affect lawfulness of prior processing);
- not be subject to solely automated decisions with legal or similarly significant effects (we do not make any).
We aim to respond to verified requests within one month, as required by UK GDPR. If you are not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office at ico.org.uk or 0303 123 1113.
Contact us
If you have questions about this privacy policy or wish to exercise your data rights, please contact feedback@decidr.live.
© 2026 Decidr Ltd. All rights reserved.