This policy explains how THE AGILE MONKEYS S.L. (“we”, “our”, “Inkdeck”) collects, uses, shares, and protects personal data when you use the Inkdeck service at inkdeck.ai. It is written to comply with Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018.
1. Data controller
The data controller is THE AGILE MONKEYS S.L. (Spanish Tax ID B76229087), with registered office at Calle Canalejas 80 5ºC, CP 35003, Las Palmas de Gran Canaria, Las Palmas, Spain. You can reach us at info@theagilemonkeys.com for any privacy-related question, including exercising your rights described below.
2. What we collect
We collect and process the following categories of data:
- Account data. When you sign up, we store your email address and (optionally) your display name. If you sign in with Google, we also receive the profile name you have configured in your Google account.
- Authentication credentials. Password-based authentication is handled by Supabase Auth on our behalf; we never see or store your password in clear text. Google sign-ins do not produce a password for us at all.
- Content you submit. The source text you paste, the deck titles, the branding fields (“presented by” line, optional logo SVG), and any natural-language instructions you provide when regenerating a slide.
- Content we generate from your inputs. Structured slide outlines (titles, main ideas, elements, annotations), compiled prompts, and the rendered slide images and PDFs.
- Usage metadata. Timestamps of deck creations and slide regenerations (used to enforce the per-account quotas described in our terms), plus an append-only moderation audit log of automated content-safety checks.
- Technical data. IP address (used short-term for rate limiting and abuse prevention), HTTP request logs generated by our hosting provider, and the session cookie required to keep you signed in.
3. How we use it
We process the data above for the following purposes:
- Operating the service. Authenticating you, generating the slide outlines and images you ask for, persisting your decks so you can come back to them, and assembling exports (PDF).
- Service integrity. Enforcing rate limits and per-account quotas, and running automated content-safety moderation on inputs that reach the AI models. This is the only purpose for which we retain the moderation audit log.
- Communication. Sending you transactional emails directly related to your account (sign-up confirmation, password reset). We do not send marketing email at this time.
- Legal compliance. Responding to lawful requests from authorities and complying with our obligations under Spanish and EU law.
We do not use your content to train any AI model — not ours and not any third party’s. See the section on subprocessors below for the contractual arrangements that back this.
4. Legal bases
Under the GDPR, we process personal data on the following bases:
- Performance of a contract (Art. 6.1.b) — for everything you ask the service to do for you: signing in, generating decks, regenerating slides, exporting PDFs.
- Legitimate interest (Art. 6.1.f) — for rate limiting, abuse prevention, fraud detection, and the moderation audit log. The interest is the continued integrity of the service for all users; the impact on you is minimal and aligned with what a reasonable user would expect.
- Legal obligation (Art. 6.1.c) — where retention or disclosure is required by Spanish or EU law.
5. Subprocessors
We do not sell personal data. We share data only with the service providers we use to operate Inkdeck, and only to the extent necessary for them to perform the service. Each is bound by a Data Processing Agreement.
- Vercel Inc. — application hosting, request routing, and serverless functions. Data processed: technical and request metadata. EU/US.
- Supabase (via the Vercel Marketplace) — managed PostgreSQL, authentication, and object storage. Data processed: account data, all stored content, session tokens. Primary region: Frankfurt (EU).
- OpenAI, L.L.C. — language model for converting source text into slide outlines, and the gpt-image-2 image generator. Data processed: source text, slide content, compiled prompts, and the rendered images returned to us. Under OpenAI’s API Data Processing Addendum, API inputs and outputs are not used to train OpenAI models and are retained for up to 30 days for the sole purpose of abuse and misuse monitoring. United States.
- Upstash, Inc. — Redis-compatible store used for rate-limit counters keyed by your user ID and IP address. Counters expire automatically within hours.
- Google LLC — only invoked when you choose “Continue with Google” at sign-in. Google handles the OAuth flow on our behalf and returns your profile name and email to us.
6. International transfers
Some subprocessors (OpenAI in particular) are located in the United States. For such transfers we rely on the EU Standard Contractual Clauses and, where applicable, the EU-U.S. Data Privacy Framework. The DPAs we have signed with each subprocessor incorporate these safeguards.
7. Retention
- Account, decks, slides, generated images. Kept while your account is active. Deleted when you delete your account, with a short operational grace period for backup rotation.
- Moderation audit log. Kept for up to 12 months from the date of the record, after which entries are pruned.
- Rate-limit counters in Upstash. Ephemeral — expire automatically within at most 30 days, typically within hours.
- Hosting logs. Retained by Vercel per their default policy (currently 24 hours for runtime logs, 30 days for build logs).
8. Your rights
Under the GDPR, you have the following rights at no cost to you:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your account and associated data, subject to lawful retention requirements.
- Restriction — ask us to limit how we process your data while a dispute is resolved.
- Portability — receive your data in a structured, machine-readable format. The per-deck JSON export is one such mechanism.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting prior lawful processing.
- Complain to a supervisory authority — in Spain, the Agencia Española de Protección de Datos (aepd.es).
To exercise any of these rights, email info@theagilemonkeys.com. We will respond within one month, or sooner where feasible.
9. Security
We apply industry-standard technical and organisational measures: passwords are hashed by Supabase Auth, data is encrypted in transit (TLS) and at rest, the OpenAI API key and Supabase service-role key never leave our server environment, the storage bucket containing rendered images is private and accessed only via short-lived signed URLs, and database access is restricted to our application identity. No system is perfectly secure; if you become aware of a vulnerability please report it to info@theagilemonkeys.com.
10. Children’s privacy
Inkdeck is not directed at children under 16 and we do not knowingly collect data from them. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. The “last updated” date at the top of this page reflects the most recent revision. Material changes will be highlighted on the service before they take effect.
12. Contact
Questions, requests, or complaints: info@theagilemonkeys.com.