Legal

Privacy Policy

Effective date: to be inserted on publication

Draft — this page is a structural scaffold. Each section needs final language from counsel before publication.

1. Who we are

Deckosaurus is a product of Round Rect. Reach us at hello@deckosaurus.com.

INSERT: legal entity details, postal address, DPO if required

2. What runs locally

The macOS app is a native binary; your code never leaves your machine unless you explicitly enable a hosted agent. Vendor API keys are stored in ~/Library/Application Support/Deckosaurus/secrets.json with file mode 0600 — not in iCloud, not on our servers, not in Keychain.

INSERT: confirm path + permissions language is accurate for current build

3. Telemetry

Telemetry is opt-in. If you opt in, the app emits anonymised feature-usage events (no source code, no prompts, no file contents, no API keys) via the local telemetry outbox to a Round Rect endpoint. You can revoke consent in Preferences at any time.

INSERT: list of event types, retention period, opt-out mechanics

4. Web analytics

The marketing site uses Plausible Analytics — cookieless, no fingerprinting, no cross-site tracking. We see aggregate page-views and referrers; we cannot see you specifically. No analytics SDK runs inside the macOS app.

INSERT: Plausible hosting location, data retention

5. Payment processing

Subscriptions are processed by Stripe, Inc. Stripe receives your name, email, billing address, and card details; we receive a customer id, subscription state, and the email address you used at checkout. We never see your card.

INSERT: Stripe privacy policy URL; data-residency note

6. Third-party AI providers

When you enable a hosted agent we relay your prompts and selected context (files you @-mention, terminal output you paste, etc.) to the vendor's API: Anthropic for Claude, OpenAI for Codex, Google for Antigravity. Each vendor's privacy policy governs that data on their side. The on-device oMLX agent talks to nobody.

INSERT: links to each vendor's policy + data-handling characteristics

7. Cookies & local storage

The marketing site sets no cookies; the macOS app stores all state locally under ~/Library/Application Support/Deckosaurus/.

INSERT: list of local files written by the app

8. Your rights

Under GDPR/CCPA you can request access, deletion, or export of any personal data we hold; we'll respond within 30 days.

INSERT: full rights enumeration, response SLA, EU representative if required

9. Security

The marketing site is HTTPS-only with HSTS; subscription payments are PCI-scope on Stripe; license keys are UUID v4 and are rotated on request.

INSERT: security posture statement, incident-disclosure SLA

10. Changes to this policy

We'll post material changes here and notify active subscribers by email at least 14 days before they take effect.

INSERT: change-notice mechanics