Privacy Policy

VDECK may collect account information such as name, email address, password hash, organization name, role, invite status, and session information.

VDECK stores operational content submitted by users, including Change Records, validation checklist items, approvals, rollback readiness details, status history, activity events, templates, uploaded evidence files, and related metadata.

If billing is enabled, VDECK may store Stripe customer, subscription, plan, and billing status identifiers. VDECK does not store full payment card numbers.

VDECK may collect usage and log data such as request IDs, timestamps, IP-derived request context, browser or API activity, error logs, and security-relevant events.

If configured, VDECK may collect error tracking events and limited product analytics events. Analytics are intended to use identifiers, roles, billing plan, status, risk level, broad usage buckets, and source page names rather than sensitive evidence content.

We use information to provide the service, authenticate users, isolate organizations, process billing, send transactional emails, support password reset and invite flows, improve reliability, investigate errors, protect the service, and respond to support requests.

VDECK may use Stripe for billing, an email or SMTP provider for transactional messages, and a hosting provider to run the application and database. VDECK may also use Sentry for error tracking if configured.

Analytics or error tracking may be added if configured by the operator. If added, those tools should be configured in a way that is consistent with this policy and the data needs of the service.

VDECK analytics should not collect change titles, descriptions, affected system names, evidence filenames, uploaded file contents, approval comments, checklist text, rollback notes, passwords, reset tokens, invite tokens, session cookies, Stripe secrets, or SMTP credentials.

VDECK uses session cookies to keep users logged in and to authenticate browser requests. These cookies are used for security and product functionality, not advertising.

Customer records and uploaded evidence are retained while the organization account is active or as needed to provide the service, handle support, meet operational backup windows, or satisfy legitimate business needs.

Backups may retain deleted data for a limited period until backup rotation removes it.

To request account or organization deletion, contact support. Some information may be retained where necessary for billing records, security logs, dispute handling, backup rotation, or legal obligations.

VDECK uses organization isolation, authenticated evidence access, role-aware permissions, password hashing, session cookies, expiring invite and password reset tokens, and operational backups. No system can be guaranteed perfectly secure.