Privacy Policy

A. Information you provide to us：Account creation: When you create an account, join Workspace or use Services, we may collect your name, email, password, team or corporate role, avatar, language preference, region, login method and account security settings.

Profile and workspace settings: You may provide job title, team name, company size, workspace name, member list, permission configuration, branding settings, default theme, templates, export preferences, and notification preferences.

Your communication with us: When you request product information, subscribe to newsletters, contact sales, submit customer service or technical support requests, feedback questions, upload diagnostic materials or communicate with us, we will process your email, phone number, mailing address, message body, attachments, screenshots, logs and other information you choose to provide.

Payment information: When you purchase a subscription, add-on capacity, or enterprise services, we may receive your billing address, transaction history, plans, invoices, tax information, and payment status. Sensitive payment data such as full payment card numbers and bank accounts are processed on our behalf by third-party payment service providers, and we do not store full payment card information directly within Deckwise Services.

Surveys, user interviews and feedback: If you participate in questionnaires, interviews, usability tests, beta programs or feedback activities, we will process your contact information, responses, recordings or records, product usage background and your unsolicited opinions.

Interactive and Public Features: If we provide communities, public templates, blog comments, event pages, chats, social media pages, or other interactive features, content you submit in public areas may be viewed, saved, or used by other users or third parties.

Sweepstakes, events and conferences: If you register to participate in online or offline events, conferences, seminars, competitions, sweepstakes or promotional activities, we will process registration information, event preferences, check-in records, interactive content and follow-up communication information.

Recruitment Applications: If you apply for a position with Deckwise or TINY CIRCLE LTD, we process resumes, portfolios, cover letters, contact information, interview transcripts, assessment feedback, reference information and other information required by the recruitment process.

B. Deckwise Creations, Projects, and AI Agent Information：Inputs and Instructions: Include your input of creative goals, prompt words, editing instructions, audience, tone, brand requirements, language, structural requirements, number of pages, reference style, and generation preferences.

Upload and connect materials: including PDF, documents, tables, images, web pages, screenshots, meeting notes, audio and video transcriptions, existing PPT, sales materials, research materials, product materials and other context used to generate the deck.

Project content: including Workspace, project, deck, page, card, text, chart, theme, color, template, media material, annotation, comment, version history, collaboration record and exported file.

AI Intermediate results: To fulfill a request, Deckwise may process outlines, page drafts, search queries, citation fragments, file parsing results, layout suggestions, quality assessments, model outputs, tool invocation results, and error recovery information.

Feedback and quality signals: including your acceptance, withdrawal, retry, rewrite, rating, copy, export, sharing, deletion, manual modification and other interactive signals used to judge whether the AI function is useful.

File and export metadata: includes file name, size, type, number of pages, creation time, import source, parsing status, export format, export time, failure reason, and technical information used to troubleshoot import and export problems.

C. Information collected automatically：Device and network information: such as IP address, browser type, operating system, device model, language setting, time zone, mobile operator, device or cookie identifier, advertising identifier, approximate location and Internet service provider.

Access and source information: such as pages before and after access, referral links, advertising or activity sources, page views, clicks, scrolls, dwell time, function entrances and interaction paths.

Product usage information: such as login, create project, upload file, generate outline, generate page, edit, export, share, comment, invite members, call AI tool, retry and failure status.

Performance, security, and diagnostic information: such as latency, crashes, error stacks, request IDs, session state, logs, anomalous behavior, security events, and anti-abuse signals.

Cookies and Similar Technologies: We and third parties that provide functionality, analytics, ad measurement, or security services on our behalf may use cookies, pixels, web beacons, local storage, and similar technologies to record visit and interaction information.

D. Information from other sources：Third-Party Login and Identity Providers: If you access Deckwise through Google, Microsoft, enterprise SSO, or other login methods, we may receive your name, email, avatar, identifier, organizational domain name, and certification status.

Contacts and invitations: If you enable the contact or directory function, we may receive contact names, email addresses, organizational directories or auto-complete information required for sending invitations, collaboration, permission verification and member lookup.

Calendar, meeting, and email integrations: If you authorize a connection to a calendar, meeting, email, or similar service, we may process event titles, participants, times, meeting links, attachments, email or message fragments, reply status, and content used to generate meeting decks or follow-up materials.

Cloud storage and file connectors: If you connect to a third-party storage or document service, we may process file IDs, file names, permissions, download links, versions, content fragments, and sync status to turn the material into context that Deckwise can use.

Google API Data: If you authorize Deckwise to use Google API, we will only process related Google user data to the extent necessary to provide the functionality you requested, such as logins, file imports, contact autocomplete, calendar events, meeting materials, or message snippets. We will not use Google Workspace API user data to train generic AI or machine learning models, and will comply with the Google API Services User Data Policy and Limited Use requirements to the extent applicable.

Organization, administrator and enterprise systems: If you register using an organizational email, join an enterprise Workspace, or have an account opened by an organization, we may obtain member, permission, department, package, compliance and accounting information from the organization, administrator, HRIS, CRM, identity management, data warehouse or security tools.

Business Data and Publicly Available Sources: Where permitted by applicable law, we may obtain company, job, industry, region and contact information from business data providers, public websites, event partners or marketing channels for B2B sales, customer support and marketing communications.

E. Workspace, AI and connection content：Applicable scope and version: This policy applies to Deckwise’s Website, Services, AI Features, API, mobile or desktop applications, marketing pages, customer support, events, recruitment and related services directly operated by us. This policy does not apply to Non-Deckwise Services that are independently operated by third parties, and does not replace internal privacy notices, employment policies, data processing agreements or Workspace governing rules that may exist between enterprise customers and you. If we provide links to historical versions of this policy, regional supplements, subprocessor pages, DPA or Cookie Notice in the future, these documents will form part of the relevant privacy statement together with this policy. Effective date: May 26, 2026 If there is a conflict between this policy and a specific enterprise agreement, DPA, or an in-product privacy setting, the more specific document or setting will control to the extent applicable.

Customer Data, Enterprise Workspace and Collaboration: If you use Deckwise through an organization, team, or enterprise Workspace, that organization may be the data controller or business customer of related Workspace content and member information. We generally process information on behalf of that organization in these circumstances, and specific rights, permissions, and retention rules will be governed by that organization's settings and our agreement with that organization. When you join a Workspace owned by another person or organization, your name, email, avatar, membership status, activity history, Workspace name, Workspace ID, project content, comments, and collaboration status may be visible to collaborators or administrators based on permission settings. Organization administrators may be able to view or manage member lists, account status, permissions, domains, plans, billing, audit logs, integrations, data retention, exports, content access, and security settings. If a customer uses Deckwise to process its own data that contains personal information about you, we will generally process it in accordance with that customer's instructions and contract; the privacy practices for such processing are governed primarily by the agreement between the customer and us, and not solely by this Policy. If you wish to exercise your rights related to content controlled by an organization, you should generally contact that organization or the Workspace administrator. We will assist customers in handling relevant requests in accordance with customer agreements and applicable laws. We maintain class descriptions of subprocessors or service providers so that customers understand which infrastructure, AI, file parsing, payments, customer service, analytics or security services may process data on our behalf.

AI, Models and User Content: Because Services contains AI Features, User Content may be processed to complete the functionality you requested, such as data understanding, context retrieval, outline generation, page generation, content rewriting, citation tracing, and quality checking. We may send content fragments, context, prompt words, output results and technical metadata required to complete the request to AI model, cloud infrastructure, file parsing, retrieval, evaluation or export service providers that process data on our behalf. We will require these service providers to handle relevant information in accordance with contractual, confidentiality and security obligations. How the AI function handles content: To generate the deck, AI Features may read the materials, files, pages, conversations, editing commands, version history, and accessibility context in your current project. To reduce hallucinations and improve traceability, Deckwise may perform file segmentation, indexing, retrieval, rearrangement, citation extraction, evidence selection, and production quality assessment. To perform operations, AI Agent may call tools such as parsing files, searching for items, generating pages, modifying text, updating structures, exporting files, or inspecting results. Models and service providers: We may use third-party or self-hosted models, inference services, vector retrieval, file parsing, OCR, image processing, export rendering, and evaluation services to provide AI Features. We will only send these providers the content fragments, prompts, context, output, logs and technical metadata necessary to complete the request, and their processing will be governed by contracts, access controls and security measures. Processing locations, retention periods, and security mechanisms may differ between models or services; enterprise customers may obtain more specific controls and instructions through contracts or product settings. Training, evaluation and user control: We will not sell your User Content. Deckwise will not use private Workspace content to train generic AI or machine learning models unless expressly permitted by you, your Workspace administrator, or the applicable agreement. We may use de-identified, aggregated, or data that cannot reasonably be linked to you or a specific Workspace to evaluate and improve product quality, safety, performance, prompts, retrieval, and reliability. You should ensure you have the right to upload, process or share third party material and avoid submitting sensitive, regulated or highly confidential content that should not be processed by Deckwise. You can delete projects, files or accounts; deleted content will be processed according to data retention rules, and backups, logs, security or compliance records may be retained for a limited period.

Life cycle of data, files and results generated by AI: The core experience of Deckwise is converting data into editable decks. Therefore, User Content typically goes through the stages of import, parse, index, retrieve, generate, edit, collaborate, export, archive, and delete. The type of information processed and retained at each stage may differ. Import and parse: When you upload or connect to PDF, documents, tables, web pages, images, PPT, meeting minutes, or other materials, we read the file content, file name, type, size, page count, permissions, source, and parsing status. To make materials available to AI Agent, Deckwise may perform text extraction, OCR, image understanding, table recognition, page segmentation, structured transformation, language recognition, and metadata generation. If file parsing fails, we may log the reason for the failure, error type, file type, request ID, and limited diagnostic information to help repair the import link. Indexing, retrieval and referencing: In order for the Agent to find relevant evidence in the project, we may divide the data into fragments and generate retrieval indexes, vector representations, keyword indexes, citation locations, and source mappings. When you ask to generate or modify a deck, the Agent may retrieve the item context based on your request and provide the relevant fragments as prompt word context to the model. Citations, footnotes, source links, or traceability notes may be generated based on file names, page numbers, paragraphs, table positions, web page URLs, upload times, and intra-project source IDs. Generate, edit and export: The generation process may produce outlines, page drafts, layout suggestions, titles, body text, diagram structures, speaker notes, style suggestions, inspection results, and model debugging metadata. When you continue editing or ask the Agent to modify, we use the current deck, related history, your editing instructions, manual modifications, selected pages, or selected text as context. When exporting to PDF, PPTX, image, web, or other formats, we may process rendering parameters, fonts, themes, media assets, page sizes, export status, and failure logs. Delete and archive: When you delete a file, project, or account, Deckwise will delete or deactivate the content from the active system, but backups, logs, export caches, compliance records, or security records may continue to exist for a limited retention period. If the content belongs to the organization Workspace, deletion, retention, export, and recovery may be restricted by administrator settings, contract, legal preservation, or enterprise data retention policies. If content has been copied, exported, shared or downloaded by other users with permission, we may not be able to delete copies independently held by those users or third parties.

Third-party integrations, connectors, and API data: Deckwise may allow you to connect Non-Deckwise Services to bring external materials, files, calendars, contacts, mail, CRM, meetings, cloud storage, or enterprise systems into the AI Agent deck workflow. Third-party services will usually display authorization scopes before connecting; you should confirm that you have the authority to grant these permissions. Identity, Directory and Contacts: Identity providers may provide us with names, email addresses, avatars, organizational domain names, user IDs, groups, roles, authentication status, and security policies to support login, SSO, member management, and permission control. Contact or directory data might be used to invite collaborators, autocomplete recipients, display organization members, verify sharing permissions, or provide context for project collaboration. We do not use contact or directory data for purposes unrelated to the functionality you requested, nor do we use this data to train the generic AI model. File, storage and knowledge base connectors: A cloud storage or document connector might provide the file name, path, file ID, download link, permissions, version, modification time, owner, content fragment, and sync status. If you ask the Agent to generate a deck based on connection data, we may read the file contents, generate an index, extract references, and send the necessary fragments to the AI model or file parsing service. If third-party file permissions change, Deckwise may need to resynchronize or stop accessing related files; historical build results and exported content may still exist according to retention rules. Calendar, meeting, email and communication data: If you authorize a calendar or meeting integration, we may process event titles, times, participants, meeting links, agendas, attachments, meeting minutes, transcripts, and reply status to generate meeting decks, summaries, or follow-up materials. If you authorize an email or messaging integration, we will only process the email, message, contact, thread, attachment, or fragment to the extent necessary to provide the functionality you requested, such as turning customer feedback into presentation materials. For Google API data, we comply with applicable Limited Use requirements and will not use Google Workspace API user data to train generic AI or machine learning models. API, webhook and customer-built integration: If you or your organization uses Deckwise API, webhooks, or automated tools, we may process API keys, tokens, request logs, IPs, payloads, failure status, rate limits, and debugging information. You should properly protect the API key, token, webhook secret, and integration credentials and make them available only to authorized systems and personnel. Data submitted to Deckwise by customer-built integrations will be processed in accordance with this policy, the customer agreement, and the integration configuration; customers remain responsible for privacy notices, legal basis, and permissions management in their own systems.

AI deck data flow example in workflow: Data processing in Deckwise typically occurs around specific authoring tasks. The following examples illustrate how information flows within the product; actual data flow will vary based on your inputs, file types, permissions, plans, model configurations, and administrator settings. from PDF to deck: After you upload PDF, Deckwise may read file metadata, extract text, recognize images and tables, generate segments, establish reference locations, and store relevant segments into the project context. When you ask to generate an outline, AI Agent may retrieve relevant paragraphs, summarize topics, generate a chapter structure, mark sources, and save a draft. When you generate slides, the system may send an outline, relevant evidence, brand preferences, themes, and page constraints to the model and rendering service to generate editable pages. From meeting notes to sales deck: If you import meeting notes or transcripts, Deckwise may identify participants, topics, action items, customer pain points, objections, and key quotes. The Agent may combine this information with existing product information, customer background, or CRM fragments to generate customer-facing structures and page drafts. If the content contains customer personal information or trade secrets, you should confirm your rights to use the material and select appropriate sharing and export permissions. Continuous editing and version iteration: When you ask to "make page 3 more convincing" or "update the entire deck based on this new data," the Agent may read the current page, related historical versions, the latest uploaded data, and your editing goals. The system may compare content before and after modifications, record the results of operations, save versions, generate undoable changes, and use failure or success signals for quality improvement. If you manually edit the AI output, subsequent Agents may treat your manual edits as a higher priority context to reduce the risk of overriding your selections.

Organize hosting accounts, domain names and account transfers: If you use an organizational email to register or join an organization Workspace, your account may be associated with that organization's domain name, administrators, identity systems, or contractual relationships. Organizational managed accounts and personal accounts may have different controls, visibility, and data processing. Domain name and organization association: When you register using a company or school email, we may determine whether the account belongs to an organization based on the email domain name, SSO, administrator invitation or corporate contract. Organization administrators may verify domain names, claim Workspace, invite members, require SSO, configure security policies, or merge accounts related to the organization. If you use an organizational email but do not want your account to be associated with the organization, you can change the email, export personal content, leave the organization Workspace, or contact the administrator within the scope of the product. Administrator controls and user notifications: Administrator controls may include resetting member access, disabling accounts, transferring project ownership, restricting sharing, viewing audit logs, exporting data, or setting retention policies. We may notify users of the fact that their accounts are managed by an organization through in-product prompts, emails, administrator instructions, or help documents, but the specific prompts depend on product capabilities and enterprise configurations. If there is a dispute between an organization and a member over content attribution, deletion, access, or export, we will generally handle it in accordance with the contract, administrator settings, and applicable law. Account transfer and resignation: If a member leaves the organization, organization administrators may retain, transfer, delete, or restrict their Workspace content to protect business continuity and compliance requirements. Members may still be able to maintain personal accounts or non-organizational Workspace, but this depends on the account email, product settings, organizational policies, and applicable agreements. In scenarios such as resignation, domain name change, company merger and acquisition, or team migration, account and content migration may require collaborative processing by administrators, users, and the Deckwise support team.

F. Sensitive Information, Public Content and Activities：Sensitive information and high-risk content: Deckwise is an AI Agent application for authoring and collaboration and is not a system designed for handling highly sensitive, regulated, or high-risk decisions. You should not upload or process data that is not suitable for this service unless your organization has entered into an appropriate agreement with us and configured appropriate controls. Sensitive information we may process: You may proactively submit health, financial, identification, trade secrets, undisclosed transactions, legal materials, children's information, or other sensitive content in documents, prompts, meeting minutes, recruiting materials, support requests, or corporate materials. If the content is used to generate a deck, Deckwise may parse, retrieve, generate, edit, export, or save the content to the extent necessary to provide the functionality. We will not use or disclose sensitive personal information for opt-out purposes; processing will be limited to the provision of services, security, fraud prevention, compliance or functionality expressly requested by you. Content not suitable for submission: Strictly regulated health records, full payment card data, government identification documents, large-scale children's data, illegal content, or confidential information that should not be turned over to third-party AI services should not be submitted unless you have clear permission and appropriate protections. You should not use Deckwise to generate, process or transmit content that is unlawful, infringing, fraudulent, malicious, discriminatory, harassing or violates the privacy of others. If we discover high-risk or illegal content, we may restrict processing, delete the content, suspend accounts, notify administrators, or take other actions permitted by law. Customer and Administrator Responsibilities: Organizational customers should configure permissions, retention, sharing, exports, integrations and user training based on their industry, region, risk and compliance requirements. Users should confirm that they have the necessary rights to upload materials, use third-party content, invite collaborators, and generate/share decks. If you are unsure whether a certain type of material is suitable for uploading, please first check with your organization administrator or contact us at [email protected].

Careers, Events, Community and Public Content: In addition to the product itself, Deckwise may also interact with individuals through recruiting, events, communities, public templates, customer stories, blogs, social media, and user research. These scenarios typically handle information that is different from the Workspace content. Recruitment and candidate data: We may process resumes, portfolios, LinkedIn or personal websites, contact details, job search preferences, interview transcripts, test assignments, assessment feedback, salary expectations and recommendation information. This information is used to evaluate qualifications, schedule interviews, communicate offers, complete background or compliance checks, improve the hiring process and maintain hiring records. If you are hired, some job postings may be transferred to employee or contractor records; if you are not hired, we may retain them for a limited time based on recruitment and legal requirements. Events, conferences and user research: When you participate in an event, seminar, interview, user study or beta program, we may process registration information, company, job title, interests, feedback, recordings, transcriptions, questionnaires and reward information. If the event is hosted by a third-party platform or partner, the third party may also process your information in accordance with its privacy policy. User research materials may be used for product decisions, design improvements, AI quality assessment, and training internal teams; we share research findings in de-identified or aggregated form when possible. Public content and customer stories: If you submit public templates, comments, testimonials, cases, social media content, or customer stories, the content may be publicly displayed, searched, cited, or saved by others. We typically obtain appropriate consent or contractual authorization before publishing identifiable client stories, avatars, company names, quotes or cases. Public content is inappropriate for content that contains confidential information, sensitive personal information, unauthorized third-party content, or information that is not intended for long-term dissemination.

Workspace Collaboration and Organizational Management：When you join, create, or collaborate on Workspace, we use basic account information, Workspace name, Workspace ID, membership, permissions, and content to display collaboration status and enable sharing.

If you use an organizational mailbox or enterprise Workspace, your organization may be able to manage your membership, access permissions, Workspace resources, compliance settings, accounting status, and some content.

If you do not want the account related to the organization's mailbox to be managed or associated with the organization, you can change the mailbox within the scope allowed by the product, leave Workspace, or contact the administrator for processing.

Marketing, consent and aggregate information：Where permitted by applicable law or with your consent, we may use contact information, company information, product interests and Website events to provide you with Deckwise products, events, content or promotions.

We may use the information for other purposes specified when you provide personal information, or with your consent.

We may use aggregated or de-identified information that does not reasonably identify you, a device or a specific Workspace for research, internal analysis, statistics, product improvement, market analysis and other lawful purposes.

Basis for processing, consent and automated processing：Grounds for processing and legitimate interests: If you are located in the European Economic Area, the United Kingdom, Switzerland, or other regions that require a description of the basis for processing, we will rely on different legal basis to process Personal Information depending on the specific scenario. Some processing may be based on more than one basis at the same time, for example relying on contract to provide services, security logs relying on legitimate interests and legal obligations, and marketing communications may rely on consent or legitimate interests. We do not use "legitimate interests" as a ground for unrestricted processing of information. When relying on legitimate interests, we consider the purposes of the processing, necessity, potential impact on individuals, user expectations, alternatives and available control options. contract performance: Create and maintain accounts, Workspace, projects, decks, subscriptions, import and export, collaboration and AI Features. Process payments, invoices, purchase orders, packages, trials, upgrades, downgrades, refunds, customer support and account recovery. Deliver agreed upon management, security, permissions, auditing, support, capacity, integration or deployment capabilities to enterprise customers. Legitimate interests: Maintain the security, stability, and reliability of Website and Services, including detecting abuse, investigating anomalous behavior, preventing fraud, preventing unauthorized access, and troubleshooting system failures. Improve Deckwise's product experience, performance, AI build quality, search performance, file parsing capabilities, editor reliability, and customer support processes. Conduct B2B sales, customer success, product education, public website analysis, non-sensitive business communications and relevant service recommendations to existing customers. Consent, legal obligations and vital interests: Where consent is required, we may request consent before sending certain marketing communications, using certain optional cookies, accessing device permissions, or connecting certain third-party integrations. We may process information for compliance with legal, tax, accounting, sanctions, consumer protection, data protection, employment, audit or regulatory obligations. In rare circumstances, we may process or disclose relevant information if it is necessary to protect someone's life, physical safety or vital rights and interests.

Consent, preferences and opt-out records: To respect user choice and demonstrate compliance, we may need to record your consent, preferences, opt-out requests and associated timestamps. These records themselves are personal information, but they are important to enforce your choices. Cookies and marketing preferences: When you accept, reject or adjust cookies, we may record the preference category, device, browser, time, region and version consent. When you unsubscribe from marketing emails, we may retain your email address and opt-out status to avoid continuing to send you marketing emails. If you change devices, browsers, clear cookies, or use a different account, you may need to reset some preferences. Privacy and opt-out requests: When you submit an access, deletion, correction, restriction, opt-out of sale/sharing, GPC, or appeal request, we may record the request content, processing status, verification method, response results, and timestamp. Retaining these records helps demonstrate that we have processed requests, avoid duplicate requests, enforce opt-out choices and satisfy legal obligations. If you request that records of these requests be deleted, we may still retain limited information for compliance, dispute resolution, or security needs. Organization and Admin Preferences: Enterprise administrators may set AI, sharing, export, retention, integration, notification, and security preferences at the Workspace level. These settings may override or limit certain choices of individual users, especially Customer Data controlled by an organization. Administrator preference changes may be logged in audit logs for compliance and security review.

Automated processing, model output and manual review: Deckwise's AI Features automatically processes input data and generates suggestions, drafts, pages, summaries, structures, and edits. AI output may be inaccurate, incomplete, or unsuitable for your specific use and should be reviewed by the user before use, export, or distribution. AI Nature of output: The model output is a probabilistic result generated based on the content you provide, project context, system prompt words, search results, and model capabilities. AI may misinterpret material, omit context, produce inaccurate quotations, generate inappropriate expressions, or preserve errors in the original material. Deckwise may provide quality checks, citations, previews, edit history, or manual controllable processes, but these features are not a substitute for your review and judgment. Automated decision-making: AI Features of Deckwise is intended primarily for authoring, editing, and productivity assistance and is not intended for automated decision-making that has legal or similarly significant impact on individuals. If an enterprise customer uses Deckwise output for recruitment, credit, education, medical, legal, insurance, employment, or other high-impact scenarios, the customer is responsible for ensuring that appropriate manual review, legal basis, and risk control are in place. If you believe that an automated process has materially impacted you, you can contact us or your Workspace administrator to request clarification or a human review. Manual access and review: Our authorized personnel may have limited access to content or metadata to the extent necessary to provide support, security, troubleshooting, compliance, quality assessment, or enterprise customer requests. We limit human access using access controls, least privileges, logging, training, and internal policies. Enterprise customers can require more stringent support access processes, approvals, or logging through contracts or product settings.

Product Improvement, Aggregation Analysis, and AI Governance：Supplementary description of information categories, purposes and sources: To make this policy easier to enforce and review, this section further explains the relationship between common information categories, sources, uses and disclosure objects. The actual processing depends on how you use Deckwise, your region, Workspace settings, enterprise protocols, and enabled integrations. Account, Identity and Contact Information: Sources may include your direct registration, third-party logins, corporate SSO, administrator invitations, sales communications, event registrations, or customer support processes. Uses include creating accounts, verifying identities, sending security notifications, enabling logins, managing members, processing requests, providing billing, and maintaining customer relationships. Disclosures may include authentication, email, customer service, CRM, payments, cloud infrastructure, security and enterprise identity management service providers. Product content, documentation, and AI context: Sources may include materials you upload, connector-synced content, collaborator edits, AI generated results, exported files, comments, and project activity. Uses include data understanding, contextual retrieval, deck generation, page editing, citation tracing, collaboration, version management, export, support and security review. Disclosures may include hosting, storage, file parsing, OCR, search, AI models, export rendering, logging, security, and customer-specified integrators. Usage, logs and device information: Sources may include browsers, mobile devices, servers, API, cookies, pixels, performance monitoring, security tools, and product events. Uses include service availability, performance optimization, error troubleshooting, fraud detection, abuse prevention, security auditing, capacity planning, product analytics, and marketing attribution. Disclosures may include cloud infrastructure, analytics, logging, monitoring, ad measurement, security, anti-fraud, customer service and enterprise audit service providers. Payment, Contract and Commercial Information: Sources may include you, organization administrators, procurement contacts, payment processors, accounting systems, sales processes, contract documents, and invoice communications. Uses include subscription management, payment processing, invoicing, tax, renewals, refunds, procurement support, revenue recognition, anti-fraud, and contract fulfillment. Disclosures may include payment processing, finance, accounting, tax, contract management, CRM, anti-fraud, cloud infrastructure and customer support providers.

De-identification, aggregated data and product analysis: We may use de-identified or aggregated information to understand product performance and improve services. De-identified information refers to information that cannot be reasonably associated with an individual, device, account or specific Workspace; aggregate information refers to the statistical results of multiple users or Workspace. Usage scenarios: We may collect statistics on the generation success rate, import failure types, common file formats, page editing paths, export formats, function usage frequency, performance indicators, and support issue categories. These statistics help us decide which issues to prioritize, which AI workflows to improve, which templates to optimize, which latency to reduce, or which security controls to tighten. Market and business analytics may use aggregated data to understand user types, industry needs, conversion trends, geographic distribution, and product adoption. protective measures: We take reasonable steps to reduce the risk of de-identified information being re-identified, such as removing direct identifiers, aggregating small samples, restricting access and avoiding disclosure of sensitive combinations. We do not attempt to re-identify de-identified information except for testing the effectiveness of de-identification, security, compliance or other purposes permitted by law. If some information can still reasonably be linked to an individual or Workspace, we will continue to treat it as Personal Information or Customer Data. Relation to AI Quality Improvement: AI Quality improvements may use summary metrics, error categories, non-sensitive sample labels, human evaluation results, and de-identified failure modes. We do not use private Workspace content to train generic AI models unless explicitly allowed by you, the administrator, or the agreement. Enterprise customers can obtain more specific AI data usage limits through agreement or product settings.

AI Supplier Governance and Model Data Control: The AI capabilities of Deckwise may be accomplished by multiple model, parsing, retrieval, and evaluation components. We select appropriate processing links based on task type, quality, cost, latency, security, region, enterprise configuration, and vendor capabilities. Supplier selection and evaluation: When selecting AI or a data processing provider, we consider security controls, contractual commitments, data retention, training usage limits, availability zones, access controls, reliability, and incident response capabilities. Different models or services may be used for different tasks, such as text generation, structured parsing, vector retrieval, image understanding, OCR, audio and video transcription, layout evaluation, or export rendering. If a vendor is not suitable for specific enterprise or region requirements, enterprise customers can learn about available limitations and alternatives through contract, product setup, or support processes. The range of content transferred to the model: We will try to only send the context required to complete the request, such as the user's current command, relevant file fragments, page content, project metadata, search results, and necessary system prompts. We generally do not send the entire Workspace for a single build request unless the task itself requires extensive context and the user or administrator has allowed it. Model responses, errors, latencies, token statistics, tool call results, and quality signals may be logged for billing, troubleshooting, quality assessment, and reliability improvement. Enterprise and team controls: Enterprise customers may need to restrict model areas, disable certain AI features, configure data retention, require stronger support for access approvals, or restrict external connectors. These controls may depend on product proposals, contracts, technical feasibility and corresponding supplier capabilities. We will try our best to make AI data boundaries into clear, explainable, and auditable product and contract capabilities, rather than relying only on abstract promises.

New features, betas and product changes: Deckwise is still rapidly iterating, and new AI Agent capabilities, mobile features, desktop features, connectors, enterprise controls, collaboration modes, or export formats may be added in the future. New features may involve new data types or processing methods. Betas and experimental features: Beta, experimental, or preview features may not be as stable as official features and may require processing of additional logs, feedback, model output, error samples, or usage signals. If an experimental feature involves significantly different data processing, we will explain it within the product, update the policy, or provide supplemental terms through a contract. Enterprise administrators may be able to enable, disable, or limit certain experimental features. New AI capability: Future AI capabilities may include more complex agentic search, multi-document reasoning, multi-modal input, real-time collaboration, automatic typesetting, speech input, branding system generation, or third-party workflow automation. These capabilities may require handling more context, more tool calls, more detailed quality signals, or new third-party service providers. We will continue to adhere to the principles of data minimization, permission boundaries, customer control, and not selling private Workspace content. Policy updates: If product changes cause this policy to need to be updated, we will revise the last updated date and provide notice when required by applicable law. If changes have a significant impact on corporate customers' data processing, subprocessors, cross-border transfers or security controls, we will notify the relevant contacts in accordance with our contractual and legal obligations. Continued use of the updated Services may constitute your acceptance of the updated policy, unless applicable law requires another form of consent.

service providers and subprocessors：We may disclose information to service providers who process information on our behalf, including cloud infrastructure, databases, storage, search, AI models, file parsing, OCR, export rendering, logging, monitoring, analytics, email, customer service, payment, financial, security, anti-fraud and authentication services.

These service providers may only process information in accordance with our instructions, contractual and security requirements, unless otherwise required by law.

Business partners, affiliates and third parties authorized by you：When you request or authorize an integration, connector, partner feature or joint service, we provide the relevant third party with the information necessary to complete that request.

If Deckwise works with affiliated entities, business partners or channel partners to provide services, events or customer support, we may share information to the extent necessary.

Advertising and analytics partners：We do not use your information to serve ads for third-party products within Services.

On the Public Site, we may disclose online identifiers, device information, IP addresses and network activity information to advertising, attribution or analytics partners to promote Deckwise, measure marketing effectiveness, or optimize the Public Site experience.

Workspace, Organization and Collaboration Disclosures：When you submit information in a Workspace, project, deck, or comment that is accessible to other users, that information may be displayed to the same Workspace, connected Workspace, or users with permission.

Your name, email, avatar, membership status, invitation status, activities and some information may be displayed to users who invite you or collaborate with you.

Organization administrators may access or manage user profiles, permissions, content, membership status, usage records, and security settings within their Workspace to verify authorizations, fulfill contracts, and manage enterprise services.

If you provide information about friends or colleagues through invitation, forwarding, sharing or collaboration functions, you should ensure that you have obtained their consent or have other legal basis.

Legal, Security and Corporate Transactions：We may disclose information if we believe in good faith that access, preservation or disclosure of the information is necessary or appropriate to comply with the law, law enforcement, national security requests, court orders, subpoenas or similar process.

We may disclose information to protect the rights, property, and safety of you, Deckwise, TINY CIRCLE LTD, other users, or the public, enforce policies or contracts, collect amounts owed, and investigate or address suspected violations of law, fraud, abuse, or security incidents.

In the event of a merger, acquisition, financing close, reorganization, bankruptcy, receivership, sale of assets or transfer of services, information may be transferred as part of the transaction to the extent permitted by law and contract.

Service providers, subprocessors and enterprise profiles：Cookie Notice, Subprocessors, DPA and Security Information: Certain privacy information may be updated as products, browser rules, vendors, enterprise features, and regional laws change. In order to allow users and corporate customers to obtain more accurate information, we may maintain some details on separate pages, contract attachments, in-product settings or customer information packages, rather than just writing them in this policy. These materials may include Cookie Notices, subprocessor lists, data processing agreements, standard contractual clauses, security white papers, penetration test summaries, compliance questionnaires, enterprise administrator instructions, AI vendor instructions, and regional supplementary terms. Together with this policy, they describe how Deckwise processes information. Cookie Notice and Preference Center: The Cookie Notice will provide more specific information on the categories of cookies, pixels, local storage, SDKs, analytics tools, ad measurement tools and security technologies we use. The preference center or in-product settings may allow you to enable, disable or adjust certain non-essential cookies, marketing communications, product notifications and optional analytics. Some cookies are necessary for login, security, fraud prevention, load balancing, language settings, billing, and core product functionality; disabling these technologies may cause Services to not function properly. Subprocessors and service provider list: The Subprocessor manifest describes the service categories that represent Deckwise processing information, such as cloud infrastructure, AI models, file parsing, OCR, vector retrieval, database, payments, customer service, email, analytics, security, and error monitoring. We may add, replace, or remove subprocessors to improve reliability, reduce latency, support new regions, meet enterprise requirements, or replace vendors that are no longer suitable. To the extent required by the enterprise agreement, we will provide subprocessor change notifications, objection procedures or reasonable alternative arrangements; if there is no separate agreement, the notification method may be web page updates, product notifications or email notifications. DPA, SCC and corporate review information: Enterprise customers may request applicable data processing agreements, standard contractual clauses, cross-border transfer attachments, security materials and vendor review materials through sales, support or administrator channels. DPA may further describe the controller and processor roles, purposes of processing, data categories, retention periods, subprocessor management, audit assistance, data subject requests, security measures and deletion assistance. In the event of a conflict between DPA, Enterprise Master Agreements, or Procurement Documents and this Policy, to the extent applicable Enterprise Services and Customer Data, the more specific contract documents will generally control. AI Supplier and model information: Because core functionality of Deckwise relies on AI Agent, we may provide additional instructions regarding model vendors, inference areas, data retention, training usage, logging, evaluation, and security controls. Different customers, packages, regions, or features may use different models or processing links; some enterprise settings may allow model selection, turn off specific features, restrict data regions, or require more stringent supplier approvals. If a model, connector, or experimental feature has additional limitations, we'll try to provide more specific instructions in the product interface, help documentation, contract, or administrator settings. Information updates and access methods: We may provide these supplemental materials to you through the Trust Center, Help Center, Administrator Console, status page, email, contract attachment, or Customer Success team. Different materials may be updated at different frequencies depending on vendor changes, product releases, regional laws and changes in enterprise functionality. Some enterprise security data may contain sensitive architecture, supplier, audit or risk information, so we may require you to go through the enterprise account, procurement process, confidentiality agreement or reasonable identity verification before accessing it. If an in-product setting, administrator console, or enterprise contract provides more specific controls than this policy, such as disabling a type of connector, restricting member exports, selecting a data region, or configuring SSO, that setting determines the actual behavior of that feature in your Workspace. Historical versions, screenshots, sales materials or third-party reprints may not reflect current processing methods. When judging Deckwise's current privacy practices, this policy, current product settings, applicable DPA, enterprise agreements, and the latest information published directly by us shall prevail.

Subprocessors and service provider details: We rely on service providers to operate modern AI applications. The specific names, locations, and capabilities of service providers may vary as products and infrastructure change; if we publish a subprocessor page or enterprise security profile, that page will provide more specific information. Infrastructure and storage: Cloud hosting, database, object storage, CDN, caching, queuing, search, and backup services may process accounts, Workspace, files, projects, logs, and exported data. These services are used to keep Deckwise available, scalable, recoverable, and support cross-region access, file uploads, rendering, and AI workflows. Enterprise customers can learn about applicable infrastructure zones, backups, and access controls through DPA, order form, or security profile. AI, parsing and export services: The AI model, inference, vector retrieval, OCR, file parsing, image processing, audio and video transcription, document conversion, and export rendering services may handle the User Content required to complete the request. We try to send the minimum context necessary to complete the task, such as relevant snippets, project data, current page, editing instructions, or export parameters. For enterprise customers, model providers, retention periods, training usage limits, and data regions may be further agreed upon through the agreement or product settings. Business operation services: Customer service, CRM, email, notifications, contracts, payments, accounting, recruiting, analytics, incident management, and security tools may process contact information, business information, support records, recruiting profiles, or incident data. These services help us respond to requests, manage customer relationships, process billing, recruit our team, send notifications, investigate issues, and maintain security. We conduct reasonable vetting of key suppliers and contractually limit the purpose and scope of their use of information.

Enterprise DPA, security information and review requests: Enterprise customers often need to review privacy, security, compliance and AI data boundaries before purchasing or going live. Deckwise may provide additional information through DPA, safety instructions, questionnaires, contract attachments, or customer support channels. DPA and contract attachments: DPA may describe processor obligations, subprocessors, cross-border transfers, security measures, audit assistance, deletion or return, incident notifications and customer instructions. Enterprise orders or attachments may contain data areas, support access, AI usage restrictions, retention periods, service levels, or additional security commitments. To the extent that DPA is inconsistent with this policy, data processing for business customers will generally be governed by DPA and the more specific terms in the Order Form. Security and compliance review: Customers may ask us to fill out security questionnaires, provide architectural descriptions, subprocessor classes, encryption descriptions, access controls, backups, logs, incident response and vendor management information. We may not publicly disclose internal details that increase security risks, but we will provide sufficient information within reason to help customers complete the review. Certain advanced security features may only be available under certain enterprise plans, regions, or contracts. Customer assistance request: Enterprise customers may ask us to assist with data subject requests, security incidents, compliance audits, data exports, deletions, migrations or regulatory inquiries. We will provide reasonable assistance consistent with the customer agreement, applicable law, technical feasibility and the scope of the request. We may deny or limit disclosure if the request involves other customers, other users, trade secrets, security risks, or legal restrictions.

Data minimization, access restrictions and internal controls: We will try to limit access to Personal Information, Customer Data and User Content to those people, systems and service providers who have business needs, technical needs, support needs or legal needs. Since Deckwise is an AI Agent application, some functionality must handle the content itself, but this does not mean that all employees or systems have free access to the entire content. Minimization principle: When designing features, we prioritize whether we can handle only the fragments, metadata, retrieval results, or summary signals needed to complete the task, rather than handling the full Workspace. In AI requests, we try to limit the context size and select only the materials, pages, editing instructions, and reference fragments that are relevant to the user's task. During support and troubleshooting, we prioritize error status, logs, request IDs, metadata, and reproduction steps; we only request or review specific content when necessary. Access restrictions: Internal access is typically restricted by roles, responsibilities, system permissions, approvals, logs, and security policies. Customer service, engineering, security, product or data teams may access different types of information in different scopes; for example, customer service may see work orders and account information, engineering may view logs, and the security team may investigate abnormal access. For enterprise customers, support access, content access, log retention, and security reviews may be subject to contract, administrator settings, or separate approval processes. Internal policies and training: We will require personnel who handle user data to comply with confidentiality, security and privacy requirements and receive relevant training to the appropriate extent. We will promote the implementation of data protection requirements through internal documentation, rights management, code review, supplier review and incident review. If we find that internal access, vendor processing, or product design does not meet expectations, we assess the risk and take action such as remediation, restricted access, improved processes, or notifications.

Supplier review, audit assistance and record keeping: Deckwise relies on multiple vendors and internal systems to provide services. To enable clients to assess risks, we maintain records of suppliers, purposes of processing, security controls and audit assistance to the extent reasonable. Supplier review: For key suppliers, we may evaluate their security controls, data processing roles, service locations, access controls, retention policies, incident notifications, subprocessor usage and contractual commitments. Vendor risk may vary depending on the type of data processed, whether it is exposed to User Content, whether it provides the AI model, whether it is processed across borders, and whether it supports corporate controls. When a critical subprocessor is added or replaced, we will provide notifications or updated instructions consistent with applicable contractual, DPA, or legal obligations. Audit and client assistance: Enterprise customers may request security descriptions, compliance information, subprocessor categories, data flow descriptions, DPA, standard contract clauses, or security questionnaire responses. We will assist clients to complete audits, risk assessments, privacy impact assessments, data subject requests and regulatory inquiries to the extent reasonable. We may provide alternative materials or limit the scope of disclosure if the request may affect the security of other customers, reveal trade secrets, exceed the scope of the contract, or impose an unreasonable burden. record keeping: We may maintain records of data processing, vendor reviews, access approvals, incident responses, privacy requests, DPA, contracts, deletions, exports, and customer communications. These records help us demonstrate compliance, respond to customer and regulatory issues, improve safety controls, and restore the facts in disputes or incidents. Record keeping itself is subject to retention periods, access controls and security requirements, and information that is no longer required is not retained indefinitely.

Organization, billing, sharing and legal disclosures：Corporate governance, security audits and organizational controls: Enterprise Workspace typically requires greater management and governance than personal accounts. Deckwise may provide administrative controls to organization administrators so they can configure security, permissions, membership, accounting, compliance, retention, and support processes. Information visible and controllable by administrators: Administrators may see member names, emails, avatars, roles, groups, login status, invitation status, recent activities, Workspace usage, packages, accounting and security settings. Depending on product capabilities and enterprise agreements, administrators may be able to manage project permissions, member access, sharing settings, export permissions, integration authorization, data retention, domain verification, and audit logs. Administrators may access Workspace content and activity records within their purview if the organization requires compliance reviews, data exports, legal preservation, or security investigations. Audit, compliance and security logs: To help organizations manage risk, Deckwise may log logins, member invitations, permission changes, file imports, exports, shares, deletions, integration connections, API calls, and administrator actions. Audit logs may contain user ID, email, IP, device, timestamp, object ID, event type, operation results, and error information. Log retention periods may be determined by product plans, enterprise contracts, administrator settings, or legal obligations. Enterprise data requests and migrations: An organization may request an export of Workspace content, member lists, audit logs, accounting records, or support records for migration, backup, compliance, or internal governance needs. When an organization terminates services or migrates to other systems, data deletion, retention, export, and access closure are performed based on contracts, administrator settings, legal obligations, and backup cycles. If an individual user has a dispute over rights or ownership of an item of data with an organization, we may require the parties to resolve it through the organization's administrator, contract, or applicable law.

Payments, billing, purchases and business records: Deckwise may be available in free, trial, paid, team or enterprise plans. Payments and business records are handled differently depending on whether you are an individual user, a team administrator, a corporate purchasing contact, an accounting contact, or an end user. Individual and team subscriptions: We may process packages, seat counts, billing cycles, invoices, transaction IDs, payment status, tax information, billing addresses, offers, refunds and renewal information. Full bank card numbers, bank account numbers or sensitive payment credentials are typically stored and processed by payment processors; we may receive payment status, last four digits of the card, brand, expiration status or risk signals. If a payment fails, is disputed or fraud is suspected, we may share necessary information with payment processors, banks, anti-fraud services or customer service tools. Corporate Procurement and Contracts: Corporate customers may provide us with purchasing contacts, accounting contacts, legal contacts, security contacts, orders, purchase orders, DPA, invoice requirements, tax ID numbers, and contract communication records. We may use this information to process quotations, negotiations, approvals, contract signings, renewals, service activation, payments, audits, security questionnaires and customer success support. Commercial contracts, purchasing records and invoices may be retained for longer periods of time for accounting, tax, audit, dispute resolution and legal obligations. Trials, promotions and benefits: If you participate in a trial, offer, credit, credit or promotion, we may process eligibility, source channel, usage credit, expiration time and conversion status. If in the future we offer programs that exchange personal information for financial benefits, we will provide a description of the legal requirements, an estimate of value, how to opt out, and applicable terms before participating. We will not unlawfully discriminate against you because you exercise your privacy rights in accordance with the law, but certain requests may affect our ability to provide you with features or offers that rely on relevant information.

Sharing, public linking and collaboration permissions: Deckwise is a collaborative authoring tool. You can invite members, share decks, export files, copy content, or post links. Sharing functionality changes who can access the content, so use it with caution. Shared within Workspace: When you invite members or put projects into shared Workspace, members with permissions may view, comment, edit, export, copy or continue to use AI to modify related content. Member permissions, teams, roles, project ownership, and sharing settings may be managed by administrators or project owners. If you add personal information, customer data, or sensitive content to a shared project, other members with permissions may see and process the content. Linking, exporting and external sharing: If you create a public link, external share link, or export file, the recipient may download, save, forward, screenshot, copy, or upload to other services. We have no control over how content you share or export is used by external recipients, and we cannot guarantee that third parties will delete their copies. If link permissions are set incorrectly, links are forwarded, or exported files are uploaded to other platforms, the content may exceed the control of the original Workspace. Cancel sharing and permission changes: You or an administrator can revoke links, modify permissions, remove members, or delete items within the scope of product support. Permission changes usually affect subsequent access, but may not necessarily recycle content that has been downloaded, exported, copied, screenshotted, or synced to a third-party service. Organizations should establish internal sharing practices, particularly for decks involving customer data, financial data, trade secrets, undisclosed strategies, or personal information.

Enforcement, Legal Requests and Protective Disclosures: We may receive legal requests from courts, regulatory agencies, law enforcement agencies, government departments, dispute parties or other third parties. We will determine whether to disclose information based on applicable law, request validity, user rights, customer contracts, and security risk assessments. Legal request assessment: We may review the request for appropriate jurisdiction, form, scope, execution, legal basis and necessity. If the request is too broad, lacks basis, or does not comply with applicable procedures, we may request a narrowing, supplementary material, or objection. We may notify affected users or business customers when permitted by law and without jeopardizing the investigation, safety, or rights of others. Information that may be disclosed: Disclosures may include account information, accounting records, login logs, IP, device information, Workspace metadata, project content, files, export records, audit logs, or support communications. We will try to limit disclosures to those required by request and legal requirements. If the information is controlled by a corporate customer, we may forward the request to the customer or notify the customer for processing in accordance with the customer agreement, unless prohibited by law. Emergency and Protective Disclosures: Information may be disclosed to the extent permitted by law if we believe in good faith that disclosure is necessary or appropriate to prevent death, serious personal injury, a critical security incident, fraud, abuse or illegal activity. We may also disclose information to protect the rights, property and safety of Deckwise, TINY CIRCLE LTD, users, customers, employees, partners or the public. These scenarios are typically documented and reviewed to maintain accountability boundaries and compliance.

Notice to Administrators, Users and Customers: Different types of notifications are sent to different objects. Recipients and opt-out methods are not the same for service notices, privacy notices, security notices, billing notices, policy updates, product updates, and marketing notices. User notification: Ordinary users may receive notifications such as account security, login, invitations, project collaboration, comments, export completion, product changes, policy updates, or support replies. Certain notifications are necessary to provide the service, such as security alerts, account recovery, billing, transactions, or major policy changes, and generally cannot be canceled entirely. You can manage some notifications in product settings, email links, device settings, or browser settings. Administrator and enterprise contact notifications: Organization Administrators, Accounting Contacts, Security Contacts, Legal Contacts, or Procurement Contacts may receive notifications related to Workspace, billing, renewals, security, DPA, subprocessors, service changes, or incidents. If a notification relates to corporate contractual, compliance or security obligations, we may prioritize notification to the designated corporate contact rather than to each end user. Enterprise customers should keep administrator and contract contact information accurate to avoid missing important notifications. Notification method: Notifications may be sent via email, in-product messages, the admin console, status pages, public pages, contract contacts, or customer support channels. If the notification has legal effects, we will choose the appropriate method in accordance with applicable law and contractual obligations. If you do not receive certain notifications, it may be due to email settings, administrator configuration, account status, regional requirements, or notification preferences.

Regional and cross-border supplements：Supplementary instructions for regions: Privacy laws in different regions may use different terminology and rights frameworks. This section is provided to provide general region supplemental instructions; if we publish a region-specific supplemental policy, that supplemental policy will prevail. European Economic Area, UK and Switzerland: You may have rights of access, rectification, erasure, restriction of processing, objection to processing, data portability, withdrawal of consent and complaint to a supervisory authority. If we rely on legitimate interests to process information, you can object where applicable; we will assess your request against the legal requirements. Cross-border transfers may rely on standard contractual clauses, UK IDTA, adequacy decisions, DPA, supplier contracts and security measures. US state privacy laws: Certain state laws may provide rights of access, deletion, correction, portability, opt-out of sale or sharing, opt-out of targeted advertising, restrictions on use of sensitive information, and appeal rights. Public website advertising and analytics activities may involve the sale, sharing, or processing of online identifiers and network activity information for targeted advertising; private Workspace content will not be sold. We will recognize and respond to legitimate browser exit signals in compliance with applicable law, such as Global Privacy Control. Other areas: Users in Canada, Brazil, Japan, Singapore, Australia and other regions may have similar rights of access, correction, deletion, withdrawal of consent, complaint or restriction of processing. If specific rights are available in your area, you can contact us at [email protected]. We will process requests in accordance with applicable law. If your account is controlled by an organization, we may need to forward the request to or assist that organization in processing it.

general choice：You can access and update some account profiles, avatars, languages, notifications, workspaces, and collaboration settings.

If you allow us to process certain information based on consent, you may withdraw your consent to the extent permitted by applicable law; after withdrawal, we may still process information required to provide services, security, compliance or contract based on other lawful bases.

You can delete projects, files, decks, export files, integration licenses, or accounts; deletion may be subject to Workspace administrator settings, backup, security, accounting, compliance, and contractual obligations.

Mail, mobile and notifications：You can opt out of marketing emails by following the unsubscribe link at the bottom of marketing emails or by contacting us.

You may still receive non-marketing notifications about service, security, billing, transactional, compliance or policy changes.

You can manage push notifications, file access, camera, microphone, photos, precise or approximate location, and other permissions through your device or browser settings.

Cookies, Advertising and Browser Signals：You can manage your cookie preferences through the cookie settings in the footer of the website or through your browser settings; if you reject certain cookies, some functionality of Website or Services may be limited.

You can limit certain targeted advertising or cross-site tracking using industry opt-out mechanisms, browser settings, or device settings.

Like most online services, we generally do not respond to traditional Do Not Track signals; however, if your browser sends a Global Privacy Control or similar opt-out signal recognized by applicable law, we will handle it in accordance with applicable law.

If a Do Not Sell or Share My Info, Cookie Settings, or equivalent portal is available at the bottom of the page, you may use that portal to opt out of the processing of publicly available online identifiers that may be deemed by applicable law to sell, share, or target advertising.

Third party integration：You can revoke the connection authorization in Deckwise or the corresponding third-party service; after the revocation, the import, synchronization, auto-complete, invitation, generation or export functions that rely on the connection may no longer be available.

Third-party services may retain information they process. You should review the privacy policy and permissions settings of the third-party service.

Cookie, export and deletion choices：Cookies, automated collection technologies and cross-device signals: Deckwise uses cookies, pixels, local storage and similar technologies to keep the site and services running, remember preferences, measure performance, understand product usage and, when enabled, evaluate marketing campaign effectiveness. Automatic technology category: Strictly Necessary: used for login, session, security, abuse prevention, form submission, load balancing, consent management and basic service operation. Functionality: Used to remember language, region, cookie preferences, interface settings, workspace selections, recent projects, and product experience preferences. Performance and Analytics: Used to understand page performance, product funnel, error rate, build process, import and export performance, feature usage and reliability. Marketing: When permitted by applicable law and subject to your choices, for ad measurement, attribution, campaign conversions and public website growth analysis. Analytics, advertising and cross-device signals: We may use third-party analytics services to process Website or Services usage information; these services may set their own cookies or similar technologies, and their processing is subject to their own policies. On publicly available websites, we may allow advertising or attribution partners to place technology that promotes Deckwise, measures marketing campaigns, and displays information related to Deckwise to you. Technology partners on publicly available websites may attempt to correlate visits by the same user across different devices, browsers, or apps for purposes of measuring advertising, attribution, or experience continuity. We do not control whether industry opt-out pages, browser extensions or third-party preference tools continue to be available or adhered to by all companies; even if you opt out of targeted advertising, you may still see non-targeted Deckwise ads.

Data export, deletion, backup and account closure: Users often want to be able to take their content away and also want the content to actually leave the active system after deletion. Deckwise balances these requests against product capabilities, legal obligations, security requirements, enterprise governance, and technical constraints. Export and portability: You or an administrator can export decks, projects, files, PDF, PPTX, images, text, data, or other formats within the scope of product support. Exported content may contain other collaborators' names, comments, edits, quotes, or project data; you should ensure that the export and subsequent sharing complies with your organization's policies and applicable laws. We may log export requests, export formats, build status, download status, and error messages for support and security auditing purposes. Delete request: Deletion of an account, Workspace, project or file may not immediately delete all copies because backups, caches, logs, exported files, security records, accounting records or legal preservation may have separate retention periods. If the content belongs to the organization Workspace, the organization administrator's retention policies, legal preservation, contractual requirements, or compliance obligations may limit individual deletion requests. If content has been copied, exported, shared, screenshotted, downloaded or synced to Non-Deckwise Services by other users, we have no control over those copies. Account closure and service termination: After the account is closed, we may deactivate logins, stop processing new requests, and delete or archive related data according to retention rules. Non-payment, breach of terms, abuse, security risks, or legal requirements may result in account or Workspace suspension, restriction, or termination. After the service is terminated, enterprise customers may have an agreed-upon data export window; after the window ends, the data will be processed in accordance with the contract and retention policy.

How to submit and verify a request：Submit a privacy request: [email protected].

Submit a support request: [email protected].

To protect your account and Workspace, we may require you to prove your identity through account, email verification, administrator confirmation, or other reasonable means.

If applicable law allows you to submit a request through an authorized agent, we may require the agent to provide written authorization and may require you to directly confirm the identity or scope of authorization.

If your information is controlled by an organization Workspace, please contact the administrator of that organization first; we will assist in accordance with the agreement with the organization.

Request processing and processing roles：Privacy request handling process: We want users to be able to actually exercise their privacy rights, not just see abstract terms. Therefore, this section describes the common processes for request submission, verification, processing, denial, and appeals. Specific timeframes and requirements may vary based on applicable law. Submit a request: You may submit a request for access, rectification, deletion, export, restriction of processing, opt-out of sale/sharing, withdrawal of consent or appeal via [email protected]. The request should try to state your account email address, location Workspace, request type, region and the scope of information you wish to process. If the request involves Enterprise Workspace, we may ask you to contact the organization administrator or, to the extent permitted by the customer agreement, assist the administrator. Authentication and scope confirmation: We may verify identity through login account, email confirmation, administrator confirmation, request context, authorization file or other reasonable methods. If the request is too broad, does not identify an account, involves information about another person, or relates to data controlled by the organization, we may request additional information or limit the scope of processing. If an authorized agent submits a request on your behalf, we may require the agent to provide proof of authorization and may contact you directly to confirm authorization. Responses, rejections and appeals: We will respond to requests within the time limits required by applicable law; if the processing is complex or requires more time, we will notify you to the extent permitted by law. We may deny or partially fulfill a request due to inability to verify identity, legal obligations, contractual obligations, security risks, rights of others, organizational control or retention requirements. If appeal rights are available in your area, we explain how to appeal our decision.

​​Examples of Controllers, Processors and Scenarios: The same type of information may be processed by different subjects in different scenarios. In order to avoid misunderstandings caused by abstract concepts, this section uses common Deckwise scenarios to explain the relationship between the controller and the processor. Deckwise Common scenarios as the controller: When we process data for publicly available website visits, marketing communications, event registrations, sales leads, recruitment applications, billing, anti-fraud, security monitoring or customer support operations, TINY CIRCLE LTD generally determines the purposes and means of the processing. In these scenarios, you can submit a privacy request to us directly through [email protected]. Even if Deckwise acts as the controller, we may still use service providers to process information on our behalf, such as mail, CRM, payment, analytics and security services. Deckwise Common scenarios as a processor: When a business customer lets its employees, contractors or members create, upload, generate and manage content within an organization Workspace, that organization generally determines the purposes of Customer Data's processing. In such cases, Deckwise typically handles related Customer Data in accordance with the customer agreement, DPA, administrator settings, and customer instructions. If you are an end user of an organization Workspace, your requests regarding Workspace content may need to be processed by that organization's administrator or data controller. mixed scene: Some scenarios may contain both Deckwise-controlled data and customer-controlled data, such as a support request containing account information, diagnostic logs, and Workspace content fragments. We will try to distinguish the purposes of processing and process them in accordance with applicable laws, customer agreements and internal access controls. If an applicable relationship cannot be determined immediately, we may ask you to provide more information or work with the relevant organization administrator to process the request.

Retention period supplement：Further information on retention periods: This policy cannot list a fixed number of retention days for each type of data, as retention periods vary based on product configurations, contracts, regional laws, corporate policies, and technical systems. We will set reasonable periods based on the type of data and purposes of processing. Information that is usually retained longer: Accounting, invoicing, payment, tax, contract, purchasing and audit records may be retained for many years for legal, accounting and dispute resolution purposes. Security logs, anti-fraud records, abuse investigations, access records, and administrator action logs may be retained for a limited period of time to protect the service, investigate incidents, and meet enterprise needs. Customer support records, sales communications, and contract communications may be retained for ongoing service, historical inquiries, training, and dispute resolution. Information typically retained with account numbers or Workspace: Account data, Workspace members, projects, files, decks, comments, versions, and exported content are generally retained for the duration of the account or Workspace. If an administrator configures specific retention, archiving, or deletion policies, organization Workspace content may be processed according to organization policy. If you delete content, the content in the active system will enter the deletion process, but backups, caches, and logs may be cleaned on their own cycles. Restrictions after deletion: We may not be able to delete content that has been downloaded, exported, copied, shared, screenshotted, synced to a third-party system, or publicly posted by other users. We may need to retain limited information to prove that a request has been processed, to comply with laws, to protect security, to prevent fraud, or to enforce an agreement. De-identified or aggregated information may not be subject to a deletion request if it is no longer reasonably associated with you.

Support access, diagnostics and security events：Support, Diagnostics, Abuse Protection and Service Reliability: In order for Deckwise to run reliably on real projects, we need to work with limited support, diagnostics, and safety data. This data is typically used to troubleshoot problems, protect accounts, detect abuse, restore service, and improve reliability. Customer support and troubleshooting: When you contact support, we may view account information, Workspace metadata, related request IDs, error logs, import and export status, browser information, screenshots, screen recordings, or file snippets you actively provide. If troubleshooting AI generation or file parsing issues, we may need to view specific projects, pages, prompts, model outputs, tool calls, or failure samples; enterprise customers may restrict access through contracts or support processes. Support records may be retained in the customer service system for the purpose of following up on issues, training the support team, identifying repeat failures, improving the product, and meeting compliance requirements. Security and abuse protection: We may process IPs, devices, login attempts, unusual requests, rate limiting, payment risks, API calls, file upload patterns, and behavioral signals to detect spam, attacks, fraud, malicious automation, or policy violating usage. If we believe that an account, Workspace, API key, file or generation request may pose a security, legal, abuse or service stability risk, we may restrict, suspend, review or delete related access. We may share necessary information with security providers, anti-fraud providers, payment providers, escrow providers or law enforcement agencies to investigate and deal with significant risks. Service reliability and quality monitoring: We may count import success rate, generation time, model error rate, export failure rate, page crash, system load, queue status and recovery results. These indicators are often used in an aggregated or de-identified manner for engineering monitoring, capacity planning, cost control, incident review, and product quality improvement. During the incident, we may temporarily retain more detailed logs to locate the cause; after the incident, we will clean or downgrade the logs in accordance with the retention policy.

Security Incidents, Notifications and Responsibility Boundaries: Security incidents may come from system vulnerabilities, leakage of account credentials, third-party service failures, malicious attacks, misconfiguration or user sharing settings. We will take response measures based on the nature of the incident, scope of impact, legal requirements and contractual obligations. Incident detection and response: We may use monitoring, logging, security tools, access controls, anomaly detection, vulnerability management and vendor notifications to identify potential incidents. When an incident is discovered, we assess the scope of the impact, data involved, affected users, root cause, remediation and notification obligations. We may temporarily limit functionality, disable credentials, revoke tokens, require password resets, suspend integrations, or quarantine affected systems. Notification method: If notification is required by law or contract, we may notify affected users or organizations via email, in-product notifications, administrator notifications, public announcements, status pages, or direct communication. The content of the notification may include the description of the event, the type of information involved, the measures we took, the actions recommended to the user, and the contact channels. Security notifications for enterprise customers may be sent to security contacts specified in the contract, DPA, or administrator settings. User Responsibilities: Users and organizations should protect passwords, SSO, API keys, devices, exported files, shared links, and third-party integration credentials. If you suspect that your account has been compromised, your project has been shared incorrectly, or your API key has been compromised, you should revoke access and contact support as soon as possible. We have no control over what you or your organization share, download, export, copy, or make public outside of Deckwise.

Third Party Services, Related Documentation and User Responsibilities：Responsibility boundaries of Non-Deckwise Services: Deckwise may be used with third-party services, but third-party services are not controlled by us. When you connect, authorize or use third-party services, the third party may process information in accordance with its own terms and privacy policies. Third Party Terms and Privacy Policies: Third-party login, cloud storage, calendar, mail, conferencing, CRM, payment, analytics, advertising, model and file parsing services may have their own privacy policies, data retention and security measures. We recommend that you read the relevant third-party instructions before connecting, especially if you are importing customer data, internal documents, meeting minutes, or sensitive files. Deckwise is not responsible for the privacy practices of third-party independently controlled services, websites, models, plug-ins, browser extensions, or external workflows. access you grant: When you authorize Deckwise to access third-party materials, we will process the data in accordance with the scope of authorization and the functions you request. You can revoke authorization in Deckwise or a third-party service, but revocation does not necessarily delete content that has been imported, generated, exported, or saved in the Deckwise project. If a third party changes API, permissions, pricing, policies, or availability, related Deckwise integrated functionality may be affected. Third-party exports and external communications: If you upload a deck exported by Deckwise to a third-party platform, send it to external parties, or use it for public release, the subsequent processing is no longer controlled by Deckwise. If a third-party service performs analytics, training, advertising, or sharing based on a deck you upload, you should review that third-party policy. Enterprise customers should establish rules for external sharing and use of third-party tools to avoid bypassing Workspace permissions through exports or connectors.

How this policy fits in with other documents: The privacy policy is only part of the data protection instructions of Deckwise. Depending on your product, region, plan, or enterprise agreement, other documents may apply. Documents that may also apply: Cookie Notice: explains how we use cookies, pixels, local storage and similar technologies and how you can manage your preferences. Terms of Service or Customer Agreement: Describes the contractual terms, account responsibilities, content rights, restrictions, payment and termination rules for use of Services. Data Processing Agreement: Describes the data processing, security, subprocessors, cross-border transfer and assistance obligations when the enterprise customer serves as the controller and Deckwise serves as the processor. Subprocessor Page or Security Data: Describes the categories, locations, functions and security controls of service providers that process data on our behalf. In-product settings: including Workspace permissions, member management, integrated authorization, cookie settings, notification preferences, export, deletion and AI function control. File conflicts and updates: If there is a conflict between this policy and a more specific Enterprise Agreement, DPA, regional supplemental terms, or in-product settings, the more specific document or setting generally controls to the extent applicable. We may update these documents as product, legal, service provider, AI functionality, or company structure changes. If an update is material, we will provide notification in compliance with applicable legal and contractual obligations.

Data Accuracy, User Responsibility and Content Permissions: The AI output of Deckwise is highly dependent on the data, prompt words, context, and editing goals you provide. For results to be accurate, legal, and usable, users and organizations need to take responsibility for their input, permissions, and end use. Data accuracy: If the upload contains errors, out-of-date information, incomplete context, or unvalidated content, the AI generated results may inherit these issues. Users should review the generated content before publishing, sharing, financing, selling, teaching, legal, medical, financial or other important scenarios for use. You can improve results by updating information, changing prompt words, adding citations, editing pages, or reporting errors. Content Rights and Third-Party Rights: You should ensure that you have the right to upload, process, generate, adapt, export and share relevant information, including customer information, company documents, copyrighted content, images, trademarks, third-party reports and personal information. If you invite collaborators, share links, export files, or connect to third-party systems, you should ensure that these actions comply with organizational policies, contractual obligations, and applicable law. If someone believes that your content violates their rights or privacy, we may restrict access, remove the content, or contact the relevant party in accordance with the law, platform rules, or customer agreements. Content classification and minimization: We recommend that you only upload the information you need to complete your deck creation and avoid submitting irrelevant personal, sensitive, or highly confidential information. Organizations can reduce unnecessary data processing through internal classification rules, permission controls, templates, training and integration policies. If you need to work with sensitive or regulated content, you should first confirm that Deckwise your current protocols, contracts, and security controls are appropriate.

Language versions, accessibility, and interpretation boundaries：Language versions, accessibility and interpretation boundaries: We may provide this policy or related privacy statements in Chinese, English or other languages. The purpose of different language versions is to help users understand the data processing methods of Deckwise; if there are inconsistencies in different language versions, unless otherwise required by law or a specific agreement, the more specific contract, DPA, regional supplementary terms or the control version designated by us shall prevail. The headings, numbers and examples in this policy are for convenience of reading and should not limit or expand the meaning of the terms. The examples do not mean that we will necessarily process the corresponding information in all scenarios, nor does it mean that similar information that is not listed will not be processed. Accessibility and understandability: We try to explain complex data processing, AI workflows, Workspace administration, cookies, California rights, cross-border transfers and corporate controls in clear language. If you are unable to understand or access this Policy due to language, disability, technical limitations, or other reasons, you may contact us at [email protected] and we will provide reasonable assistance. Enterprise customers may also request information descriptions that are more suitable for internal security, legal, procurement or administrator review. Legal and product changes: Privacy laws, AI regulations, browser signals, ad technologies, model providers, and enterprise security requirements may change, so this policy may be updated over time. If a feature, region, or customer agreement requires more precise description, we may provide it through in-product tips, region supplements, DPA, security white papers, subprocessor pages, or contract attachments. This policy is not legal advice and does not replace you or your organization’s independent judgment regarding your own data, content, customer data, employee data, and compliance obligations.