decode-legal

Privacy Policy

Effective date: 1 May 2026 Last updated: 1 May 2026

---

The short version

Decode is built so we know as little about you as possible.

• No account, no email, no name. The app uses an anonymous identifier so we can remember which subscription tier you’ve paid for. We can’t tie that identifier back to you.
• Your documents stay on your device by default. Free-tier analysis runs entirely on-device with Apple Foundation Models. Nothing is sent over the network.
• Paid tiers may use cloud analysis — when they do, your document is processed through five on-device redaction passes first (regex categories, NSDataDetector, NLTagger, sensitivity scanner, on-device LLM verifier). You see the redacted text and approve it before anything leaves your device.
• We don’t sell, share, or analyze your data for advertising. No analytics SDKs, no tracking, no ad networks.
• You can delete everything by deleting the app. All locally stored analyses go with it.

The rest of this page is the long version, written so you can verify those claims.

---

1. Who we are

Decode is operated by Mohan Agoramoorthy (“we”, “us”, “Decode”). Contact: mrrmfamily2022@gmail.com

This policy describes how Decode handles information when you use the iOS app distributed through the Apple App Store.

2. What information we collect

2.1 An anonymous user identifier

When you first launch Decode, the app signs you in anonymously to our authentication provider (Supabase). This produces a random UUID — a string like f47ac10b-58cc-4372-a567-0e02b2c3d479. We use this identifier solely to remember which subscription tier you have access to.

The identifier is not linked to:

• Your name, email, or phone number
• Your Apple ID (we never receive it)
• Your device serial number, advertising ID, or IP address
• Any other identifier we could use to recognize you across services

2.2 Subscription entitlement

If you purchase a Decode subscription, Apple notifies our server (a Cloudflare Worker) of the purchase. We store one row associating your anonymous identifier with:

• Your purchased tier (Private / Pro / Power)
• The expiration date of the subscription
• Apple’s original transaction identifier (used to detect refunds and renewals)

We do not receive your payment details, billing address, or any personal information from Apple.

2.3 Documents you analyze

When you ask Decode to analyze a document, the app reads the file content on your device.

• Free-tier and on-device analysis: the document never leaves your device. We never receive it.
• Cloud analysis (paid tiers): before any text is sent over the network, Decode runs five layers of on-device redaction (see Section 4). The redacted text is then sent to Anthropic’s Claude API through our Cloudflare Worker. The original, unredacted document is never transmitted.

2.4 Usage counters (for spend caps)

To enforce monthly spending caps and protect against abuse, our Cloudflare Worker keeps two counters:

• Total tokens spent across all users this month
• Tokens spent by your anonymous identifier this month

These counters reset monthly and contain no document content.

2.5 What we do NOT collect

We want to be specific about what we do not collect:

• Your name, email address, phone number, or postal address
• Your Apple ID, iCloud identifier, or game centre identifier
• Your device’s advertising identifier (IDFA) or vendor identifier (IDFV)
• Your IP address (Cloudflare logs short-term operational data — see Section 5)
• Your contacts, calendar, photo library, location, or microphone
• Crash reports beyond what Apple collects through TestFlight or the App Store (you can disable that in iOS Settings)
• Any analytics, behavioral telemetry, or attribution data

Decode does not contain any third-party analytics, advertising, attribution, or tracking SDKs.

3. How we use the information

We use the information described above only for:

Information	Used for
Anonymous user identifier	Looking up your subscription tier when you open the app
Subscription entitlement	Unlocking paid features for you on this device
Apple’s purchase notifications	Updating your entitlement when you renew, cancel, or are refunded
Redacted document text	Sending to Anthropic for analysis (paid cloud-route only, with your consent)
Usage counters	Enforcing your tier’s monthly cap and the platform-wide spend cap

We do not use any of this information for advertising, profiling, or sale to third parties.

4. How your documents are protected before any cloud processing

When a paid-tier user opts in to cloud analysis, Decode runs five on-device passes before any text leaves the device:

1. Regex redactor — replaces ~22 categories of personally identifying information with placeholder tokens (names, emails, phone numbers, addresses, government IDs including US SSN/EIN, India Aadhaar/PAN/Voter ID, UK NI/NHS, Canada SIN, Australia TFN/Medicare, EU VAT, Singapore NRIC, account numbers, credit card numbers, and more).
2. Apple NSDataDetector — catches contact information our regex may have missed.
3. Apple NLTagger — replaces personal names, places, and organizations.
4. Sensitivity scanner — flags anything else that looks like an identifier (long digit sequences, mixed-character IDs, IBAN, SWIFT codes, secrets, anything labeled “Confidential”).
5. On-device LLM verifier (Apple Intelligence devices only) — a final semantic pass that catches contextual personal information regex cannot.

You then see a review screen showing exactly what will be sent. You can hide additional items or cancel before any network request is made.

5. Sub-processors

Decode uses the following service providers (“sub-processors”) to operate the app:

Sub-processor	Purpose	Data they receive
Apple Inc.	App distribution, subscription processing, push notifications, on-device AI (Foundation Models, NLTagger, NSDataDetector)	Subject to Apple’s Privacy Policy
Supabase Inc.	Anonymous authentication and entitlement storage	Your anonymous user identifier and subscription tier. Privacy Policy
Cloudflare, Inc.	API gateway (the Worker that proxies analysis requests and receives Apple’s purchase webhooks)	Your anonymous user identifier, the redacted document text during a request, and short-term operational logs (IP, user-agent — Cloudflare standard). Privacy Policy
Anthropic, PBC	Cloud document analysis (paid tiers only, with consent)	The redacted document text. Anthropic’s API does not train on inputs by default; inputs are retained briefly for safety review. Anthropic API Privacy Policy

We do not share data with any other party.

6. Data retention

Data	Where it lives	How long
Decoded analyses (results)	On your device, in Apple SwiftData	Until you delete the app or remove an analysis
Anonymous user identifier	Supabase, on your device	Until you delete the app and request entitlement deletion
Subscription entitlement row	Supabase	Until you request deletion (see Section 7)
Spend counters	Cloudflare KV	Reset monthly
Redacted document during a cloud request	Anthropic API	Per Anthropic’s standard policy (no training; ~30 days for trust & safety review)
Original / unredacted document	Never transmitted	n/a
Cloudflare operational logs	Cloudflare	Cloudflare’s standard retention (typically days)

When you delete the app from your iPhone, all locally stored analyses and the local copy of your anonymous identifier are removed by iOS. The entitlement row in Supabase remains until you request deletion.

7. Your rights and how to exercise them

Depending on where you live, you have rights over the limited data we hold:

• Right to access — ask what we have associated with your anonymous identifier.
• Right to deletion — ask us to delete your entitlement row.
• Right to object / restrict processing — for any data we hold.
• Right to data portability — export of the entitlement row in a common format.
• Right to lodge a complaint — with your local data protection authority (e.g. ICO in the UK, CNIL in France, the Information Commissioner of India).

The simplest way: delete the app

Because Decode never knows who you are, the easiest way to remove all data we hold about you is to delete the app from your iPhone.

Doing so:

• Removes every analysis stored on your device.
• Removes the local copy of your anonymous identifier — this is the only thing that links your iPhone to your Supabase entitlement row.

After that, the entitlement row sitting in Supabase is orphaned: it still exists, but no device can ever sign in as that identifier again. It contains no information that could identify you (just a UUID, a tier, and Apple’s anonymous transaction ID).

For most people, this is enough.

If you want the entitlement row purged too

Email mrrmfamily2022@gmail.com with the subject “Decode — Delete my data”. Include either:

• The approximate date you purchased your Decode subscription, or
• The original Apple transaction identifier (Settings → Apple ID → Subscriptions → Decode → see the receipt history)

That’s enough for us to find the row. We don’t keep your email after the request is handled. We respond within 30 days.

Californian residents (CCPA / CPRA)

We do not sell or share personal information as those terms are defined under California law. We do not knowingly collect personal information from anyone for a commercial purpose other than to operate the app you’ve installed.

European Economic Area, UK, and Switzerland (GDPR / UK GDPR)

The legal basis for processing the limited data described above is:

• Contract (Article 6(1)(b)) — for the entitlement row that lets us deliver the subscription you purchased.
• Legitimate interest (Article 6(1)(f)) — for the spend counters that protect the service from abuse.
• Consent (Article 6(1)(a)) — for cloud analysis of your documents (you opt in via the in-app cloud disclosure sheet).

International transfers: Supabase, Cloudflare, and Anthropic operate globally and may process data in the United States. Where applicable, transfers rely on Standard Contractual Clauses or equivalent safeguards published by each sub-processor.

8. Children

Decode is rated 17+ in the App Store and is not directed to children under 13 (or under 16 in the EU/UK). We do not knowingly collect information from children. If you believe a child has used Decode, contact us and we will delete any associated entitlement.

9. Security

• All network requests use TLS (HTTPS).
• The Apple webhook endpoint validates the bundle identifier in every notification.
• The Cloudflare Worker uses Supabase’s service-role key (server-side only, never shipped in the app).
• Your Cloudflare Worker subdomain is non-guessable.

We do not store passwords or payment credentials. Authentication with Supabase is anonymous.

10. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top of this page will reflect any change. Material changes will be highlighted in the app the next time you open it.

11. Contact

For any privacy question or to exercise your rights:

Email: mrrmfamily2022@gmail.com Subject line: “Decode — Privacy”

---

Decode is an independent app and is not affiliated with Apple Inc., Anthropic, Supabase, or Cloudflare.