Privacy Policy
Last updated: April 2, 2026
1. Data Controller
Name: Renma Matsumura (Sole Proprietor)
Address: Yamato Building 6F, 7-14-5 Roppongi, Minato-ku, Tokyo, Japan
Contact: [email protected]
DeckReady ("the Service") respects your privacy and is committed to protecting your personal information in accordance with Japan's Act on the Protection of Personal Information (APPI) and the EU General Data Protection Regulation (GDPR).
2. Information We Collect and Legal Basis
2.1 Account Information — Through Google OAuth, we collect your name, email address, and profile picture.
Legal basis: Performance of contract (GDPR Art. 6(1)(b))
2.2 Usage Data — We record preset names, LUFS values, processing duration, and track counts for quota management and service improvement.
Legal basis: Contract performance and legitimate interest (GDPR Art. 6(1)(b) and (f))
2.3 Payment Information — Credit card information is managed by Stripe, Inc. We never store or access your card numbers. Stripe shares only subscription status and customer ID with us.
Legal basis: Contract performance (GDPR Art. 6(1)(b))
2.4 Audio Files (Privacy by Design) — All audio processing occurs entirely within your browser using the Web Audio API / OfflineAudioContext. Audio files are never transmitted to, stored on, or accessed by our servers. This architecture implements the Privacy by Design principle under GDPR Article 25.
2.5 Cookies — We use cookies for Google AdSense advertising and Google Analytics.
Legal basis: Consent (GDPR Art. 6(1)(a)). Cookies are activated only after consent is obtained.
3. How We Use Information
- Service operation (account management, processing quota)
- Billing management (subscription processing)
- Usage analytics (feature improvement, preset usage trends)
- Ad delivery optimization (Google AdSense, Free tier only)
- Customer support
4. Third-Party Sharing and International Transfers
We share information with the following services. All data storage locations are in the United States.
- Google LLC (US) — Authentication (OAuth), advertising (AdSense), analytics. EU transfers under EU-US Data Privacy Framework.
- Stripe, Inc. (US) — Payment processing. PCI DSS Level 1 compliant. EU-US Data Privacy Framework participant.
- Vercel Inc. (US) — Web application hosting.
- Neon, Inc. (US) — PostgreSQL database (account and usage data storage).
Japan has an EU adequacy decision for data transfers from the EU/EEA.
5. Cookies and Advertising
We use the following cookies:
- Essential cookies — Session management, authentication (no consent required)
- Analytics cookies (Google Analytics) — Usage analysis (activated after consent)
- Advertising cookies (Google AdSense) — Personalized ads (activated after consent)
For EEA/UK/Switzerland users, we obtain opt-in consent before activating analytics and advertising cookies. Consent can be withdrawn as easily as it was given. If you decline cookies, ads will be non-personalized. We support Google Consent Mode v2.
6. Data Retention
Account data: Deleted within 30 days of deletion request.
Usage records: May be retained in anonymized form after account deletion.
Payment records: Retained per Stripe's policy (minimum 7 years for legal obligations).
Cookie consent records: Retained for 12 months as proof of consent.
7. Your Rights
Under Japan's APPI: Right to disclosure, correction, suspension of use, and deletion of retained personal data.
Under GDPR (EEA/UK residents): Right of access, rectification, erasure (right to be forgotten), restriction of processing, data portability, objection, and withdrawal of consent. We do not engage in automated decision-making or profiling (AdSense targeting is Google's processing). You also have the right to lodge a complaint with a supervisory authority.
How to exercise your rights: Email [email protected] from your registered email address for identity verification. We will respond within 30 days. No fees are charged.
8. Security Measures
Technical: HTTPS/TLS encryption, database access controls, parameterized queries via Prisma (SQL injection prevention).
Organizational: Minimum access privileges, regular security reviews.
Incident response: In case of a data breach, we will report to Japan's Personal Information Protection Commission (preliminary report: promptly / full report: within 30 days) and notify affected users. Under GDPR, we will notify the supervisory authority within 72 hours.
9. Children's Privacy
The Service is not intended for users under 16. If we become aware that a user under 16 has created an account, we will promptly delete the account and associated data.
10. Changes and Contact
This policy may be updated as needed. We will give notice of significant changes via email or in-service notification at least 30 days in advance.
Contact: [email protected]